summaryrefslogtreecommitdiff
path: root/doc/standardisation/rfc5587.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/standardisation/rfc5587.txt')
-rw-r--r--doc/standardisation/rfc5587.txt899
1 files changed, 0 insertions, 899 deletions
diff --git a/doc/standardisation/rfc5587.txt b/doc/standardisation/rfc5587.txt
deleted file mode 100644
index 1670bc58f..000000000
--- a/doc/standardisation/rfc5587.txt
+++ /dev/null
@@ -1,899 +0,0 @@
-
-
-
-
-
-
-Network Working Group N. Williams
-Request for Comments: 5587 Sun
-Category: Standards Track July 2009
-
-
- Extended Generic Security Service Mechanism Inquiry APIs
-
-Abstract
-
- This document introduces new application programming interfaces
- (APIs) to the Generic Security Services API (GSS-API) for extended
- mechanism attribute inquiry. These interfaces are primarily intended
- to reduce instances of hardcoding of mechanism identifiers in GSS
- applications.
-
- These interfaces include mechanism attributes and attribute sets, a
- function for inquiring the attributes of a mechanism, a function for
- indicating mechanisms that possess given attributes, and a function
- for displaying mechanism attributes.
-
-Status of This Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (c) 2009 IETF Trust and the persons identified as the
- document authors. All rights reserved.
-
- This document is subject to BCP 78 and the IETF Trust's Legal
- Provisions Relating to IETF Documents in effect on the date of
- publication of this document (http://trustee.ietf.org/license-info).
- Please review these documents carefully, as they describe your rights
- and restrictions with respect to this document.
-
-
-
-
-
-
-
-
-
-
-
-
-
-Williams Standards Track [Page 1]
-
-RFC 5587 Extended GSS Mech Inquiry July 2009
-
-
-Table of Contents
-
- 1. Introduction ....................................................2
- 2. Conventions Used in This Document ...............................2
- 3. New GSS-API Interfaces ..........................................3
- 3.1. Mechanism Attributes and Attribute Sets ....................3
- 3.2. List of Known Mechanism Attributes .........................4
- 3.3. Mechanism Attribute Sets of Existing Mechs .................6
- 3.4. New GSS-API Function Interfaces ............................8
- 3.4.1. Mechanism Attribute Criticality .....................8
- 3.4.2. GSS_Indicate_mechs_by_attrs() .......................9
- 3.4.3. GSS_Inquire_attrs_for_mech() .......................10
- 3.4.4. GSS_Display_mech_attr() ............................10
- 3.4.5. New Major Status Values ............................11
- 3.4.6. C-Bindings .........................................11
- 4. Requirements for Mechanism Designers ...........................13
- 5. IANA Considerations ............................................13
- 6. Security Considerations ........................................13
- 7. References .....................................................13
- 7.1. Normative References ......................................13
- 7.2. Informative References ....................................14
-Appendix A. Typedefs and C Bindings ..................................15
-
-1. Introduction
-
- GSS-API [RFC2743] mechanisms have a number of properties that may be
- of interest to applications. The lack of APIs for inquiring about
- available mechanisms' properties has meant that many GSS-API
- applications must hardcode mechanism Object Identifiers (OIDs).
- Ongoing work may result in a variety of new GSS-API mechanisms.
- Applications should not have to hardcode their OIDs.
-
- For example, the Secure Shell version 2 (SSHv2) protocol [RFC4251]
- supports the use of GSS-API mechanisms for authentication [RFC4462]
- but explicitly prohibits the use of Simple and Protected GSS-API
- Negotiation (SPNEGO) [RFC4178]. Future mechanisms that negotiate
- mechanisms would have to be forbidden as well, but there is no way to
- implement applications that inquire what mechanisms are available and
- then programmatically exclude mechanisms "like SPNEGO".
-
-2. Conventions Used in This Document
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in [RFC2119].
-
-
-
-
-
-
-Williams Standards Track [Page 2]
-
-RFC 5587 Extended GSS Mech Inquiry July 2009
-
-
-3. New GSS-API Interfaces
-
- We introduce a new concept -- that of mechanism attributes. By
- allowing applications to query the set of attributes associated with
- individual mechanisms and to find out which mechanisms support a
- given set of attributes, we allow applications to select mechanisms
- based on their attributes without having to hardcode mechanism OIDs.
-
- Section 3.1 describes the mechanism attributes concept. Sections
- 3.4.2, 3.4.3, and 3.4.4 describe three new interfaces that deal in
- mechanisms and attribute sets:
-
- o GSS_Indicate_mechs_by_attrs()
-
- o GSS_Inquire_attrs_for_mech()
-
- o GSS_Display_mech_attr()
-
-3.1. Mechanism Attributes and Attribute Sets
-
- An abstraction for the features provided by mechanisms and pseudo-
- mechanisms is needed in order to facilitate the programmatic
- selection of mechanisms. Pseudo-mechanisms are mechanisms that make
- reference to other mechanisms in order to provide their services.
- For example, SPNEGO is a pseudo-mechanism, for without other
- mechanisms SPNEGO is useless.
-
- Two data types are needed: one for individual mechanism attributes
- and one for mechanism attribute sets. To simplify the mechanism
- attribute interfaces, we reuse the 'OID' and 'OID set' data types and
- model individual mechanism attribute types as OIDs.
-
- To this end, we define an open namespace of mechanism attributes and
- assign them arcs off of this OID:
-
- <1.3.6.1.5.5.13>
-
- Each mechanism has a set of mechanism attributes that it supports as
- described in its specification.
-
-
-
-
-
-
-
-
-
-
-
-
-Williams Standards Track [Page 3]
-
-RFC 5587 Extended GSS Mech Inquiry July 2009
-
-
-3.2. List of Known Mechanism Attributes
-
- +-------------------------+---------+-------------------------+
- | Mech Attr Name | OID Arc | Arc Name |
- +-------------------------+---------+-------------------------+
- | GSS_C_MA_MECH_CONCRETE | (1) | concrete-mech |
- | GSS_C_MA_MECH_PSEUDO | (2) | pseudo-mech |
- | GSS_C_MA_MECH_COMPOSITE | (3) | composite-mech |
- | GSS_C_MA_MECH_NEGO | (4) | mech-negotiation-mech |
- | GSS_C_MA_MECH_GLUE | (5) | mech-glue |
- | GSS_C_MA_NOT_MECH | (6) | not-mech |
- | GSS_C_MA_DEPRECATED | (7) | mech-deprecated |
- | GSS_C_MA_NOT_DFLT_MECH | (8) | mech-not-default |
- | GSS_C_MA_ITOK_FRAMED | (9) | initial-is-framed |
- | GSS_C_MA_AUTH_INIT | (10) | auth-init-princ |
- | GSS_C_MA_AUTH_TARG | (11) | auth-targ-princ |
- | GSS_C_MA_AUTH_INIT_INIT | (12) | auth-init-princ-initial |
- | GSS_C_MA_AUTH_TARG_INIT | (13) | auth-targ-princ-initial |
- | GSS_C_MA_AUTH_INIT_ANON | (14) | auth-init-princ-anon |
- | GSS_C_MA_AUTH_TARG_ANON | (15) | auth-targ-princ-anon |
- | GSS_C_MA_DELEG_CRED | (16) | deleg-cred |
- | GSS_C_MA_INTEG_PROT | (17) | integ-prot |
- | GSS_C_MA_CONF_PROT | (18) | conf-prot |
- | GSS_C_MA_MIC | (19) | mic |
- | GSS_C_MA_WRAP | (20) | wrap |
- | GSS_C_MA_PROT_READY | (21) | prot-ready |
- | GSS_C_MA_REPLAY_DET | (22) | replay-detection |
- | GSS_C_MA_OOS_DET | (23) | oos-detection |
- | GSS_C_MA_CBINDINGS | (24) | channel-bindings |
- | GSS_C_MA_PFS | (25) | pfs |
- | GSS_C_MA_COMPRESS | (26) | compress |
- | GSS_C_MA_CTX_TRANS | (27) | context-transfer |
- | <reserved> | (28...) | |
- +-------------------------+---------+-------------------------+
-
- Table 1
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Williams Standards Track [Page 4]
-
-RFC 5587 Extended GSS Mech Inquiry July 2009
-
-
- +-------------------------+-----------------------------------------+
- | Mech Attr Name | Purpose |
- +-------------------------+-----------------------------------------+
- | GSS_C_MA_MECH_CONCRETE | Indicates that a mech is neither a |
- | | pseudo-mechanism nor a composite |
- | | mechanism. |
- | GSS_C_MA_MECH_PSEUDO | Indicates that a mech is a |
- | | pseudo-mechanism. |
- | GSS_C_MA_MECH_COMPOSITE | Indicates that a mech is a composite of |
- | | other mechanisms. This is reserved for |
- | | a specification of "stackable" |
- | | pseudo-mechanisms. |
- | GSS_C_MA_MECH_NEGO | Indicates that a mech negotiates other |
- | | mechs (e.g., SPNEGO has this |
- | | attribute). |
- | GSS_C_MA_MECH_GLUE | Indicates that the OID is not for a |
- | | mechanism but for the GSS-API itself. |
- | GSS_C_MA_NOT_MECH | Indicates that the OID is known, yet it |
- | | is also known not to be the OID of any |
- | | GSS-API mechanism (or of the GSS-API |
- | | itself). |
- | GSS_C_MA_DEPRECATED | Indicates that a mech (or its OID) is |
- | | deprecated and MUST NOT be used as a |
- | | default mechanism. |
- | GSS_C_MA_NOT_DFLT_MECH | Indicates that a mech (or its OID) MUST |
- | | NOT be used as a default mechanism. |
- | GSS_C_MA_ITOK_FRAMED | Indicates that the given mechanism's |
- | | initial context tokens are properly |
- | | framed as per Section 3.1 of [RFC2743]. |
- | GSS_C_MA_AUTH_INIT | Indicates support for authentication of |
- | | initiator to acceptor. |
- | GSS_C_MA_AUTH_TARG | Indicates support for authentication of |
- | | acceptor to initiator. |
- | GSS_C_MA_AUTH_INIT_INIT | Indicates support for "initial" |
- | | authentication of initiator to |
- | | acceptor. "Initial authentication" |
- | | refers to the use of passwords, or keys |
- | | stored on tokens, for authentication. |
- | | Whether a mechanism supports initial |
- | | authentication may depend on IETF |
- | | consensus (see Security |
- | | Considerations). |
- | GSS_C_MA_AUTH_TARG_INIT | Indicates support for initial |
- | | authentication of acceptor to |
- | | initiator. |
- | GSS_C_MA_AUTH_INIT_ANON | Indicates support for |
- | | GSS_C_NT_ANONYMOUS as an initiator |
- | | principal name. |
-
-
-
-Williams Standards Track [Page 5]
-
-RFC 5587 Extended GSS Mech Inquiry July 2009
-
-
- | GSS_C_MA_AUTH_TARG_ANON | Indicates support for |
- | | GSS_C_NT_ANONYMOUS as a target |
- | | principal name. |
- | GSS_C_MA_DELEG_CRED | Indicates support for credential |
- | | delegation. |
- | GSS_C_MA_INTEG_PROT | Indicates support for per-message |
- | | integrity protection. |
- | GSS_C_MA_CONF_PROT | Indicates support for per-message |
- | | confidentiality protection. |
- | GSS_C_MA_MIC | Indicates support for Message Integrity |
- | | Code (MIC) tokens. |
- | GSS_C_MA_WRAP | Indicates support for WRAP tokens. |
- | GSS_C_MA_PROT_READY | Indicates support for per-message |
- | | protection prior to full context |
- | | establishment. |
- | GSS_C_MA_REPLAY_DET | Indicates support for replay detection. |
- | GSS_C_MA_OOS_DET | Indicates support for out-of-sequence |
- | | detection. |
- | GSS_C_MA_CBINDINGS | Indicates support for channel bindings. |
- | GSS_C_MA_PFS | Indicates support for Perfect Forward |
- | | Security. |
- | GSS_C_MA_COMPRESS | Indicates support for compression of |
- | | data inputs to GSS_Wrap(). |
- | GSS_C_MA_CTX_TRANS | Indicates support for security context |
- | | export/import. |
- +-------------------------+-----------------------------------------+
-
- Table 2
-
-3.3. Mechanism Attribute Sets of Existing Mechs
-
- The Kerberos V mechanism [RFC1964] provides the following mechanism
- attributes:
-
- o GSS_C_MA_MECH_CONCRETE
-
- o GSS_C_MA_ITOK_FRAMED
-
- o GSS_C_MA_AUTH_INIT
-
- o GSS_C_MA_AUTH_TARG
-
- o GSS_C_MA_DELEG_CRED
-
- o GSS_C_MA_INTEG_PROT
-
- o GSS_C_MA_CONF_PROT
-
-
-
-
-Williams Standards Track [Page 6]
-
-RFC 5587 Extended GSS Mech Inquiry July 2009
-
-
- o GSS_C_MA_MIC
-
- o GSS_C_MA_WRAP
-
- o GSS_C_MA_PROT_READY
-
- o GSS_C_MA_REPLAY_DET
-
- o GSS_C_MA_OOS_DET
-
- o GSS_C_MA_CBINDINGS
-
- o GSS_C_MA_CTX_TRANS (some implementations, using implementation-
- specific exported context token formats)
-
- The Kerberos V mechanism also has a deprecated OID that has the same
- mechanism attributes as above as well as GSS_C_MA_DEPRECATED.
-
- The mechanism attributes of the Simple Public-Key GSS-API Mechanism
- (SPKM) [RFC2025] family of mechanisms will be provided in a separate
- document, as SPKM is currently being reviewed for possibly
- significant changes due to problems in its specifications.
-
- The Low Infrastructure Public Key (LIPKEY) mechanism [RFC2847] offers
- the following attributes:
-
- o GSS_C_MA_MECH_CONCRETE
-
- o GSS_C_MA_ITOK_FRAMED
-
- o GSS_C_MA_AUTH_INIT_INIT
-
- o GSS_C_MA_AUTH_TARG (from SPKM-3)
-
- o GSS_C_MA_AUTH_TARG_ANON (from SPKM-3)
-
- o GSS_C_MA_INTEG_PROT
-
- o GSS_C_MA_CONF_PROT
-
- o GSS_C_MA_REPLAY_DET
-
- o GSS_C_MA_OOS_DET
-
- o GSS_C_MA_CTX_TRANS (some implementations, using implementation-
- specific exported context token formats)
-
-
-
-
-
-Williams Standards Track [Page 7]
-
-RFC 5587 Extended GSS Mech Inquiry July 2009
-
-
- (LIPKEY should also provide GSS_C_MA_CBINDINGS, but SPKM-3
- requires clarifications on this point.)
-
- The SPNEGO mechanism [RFC4178] provides the following attributes:
-
- o GSS_C_MA_MECH_NEGO
-
- o GSS_C_MA_ITOK_FRAMED
-
- All other mechanisms' attributes will be described elsewhere.
-
-3.4. New GSS-API Function Interfaces
-
- Several new interfaces are given by which, for example, GSS-API
- applications may determine what features are provided by a given
- mechanism and what mechanisms provide what features.
-
- These new interfaces are all OPTIONAL.
-
- Applications should use GSS_Indicate_mechs_by_attrs() instead of
- GSS_Indicate_mechs() wherever possible.
-
- Applications can use GSS_Indicate_mechs_by_attrs() to determine what,
- if any, mechanisms provide a given set of features.
-
- GSS_Indicate_mechs_by_attrs() can also be used to indicate (as in
- GSS_Indicate_mechs()) the set of available mechanisms of each type
- (concrete, mechanism negotiation pseudo-mechanism, etc.).
-
-3.4.1. Mechanism Attribute Criticality
-
- Mechanism attributes may be added at any time. Not only may
- attributes be added to the list of known mechanism attributes at any
- time, but the set of mechanism attributes supported by a mechanism
- can be changed at any time.
-
- For example, new attributes might be added to reflect whether a
- mechanism's initiator must contact an online infrastructure and/or
- whether the acceptor must do so. In this example, the Kerberos V
- mechanism would gain a new attribute even though the mechanism itself
- is not modified.
-
- Applications making use of attributes not defined herein would then
- have no way of knowing whether a GSS-API implementation and its
- mechanisms know about new mechanism attributes. To address this
- problem, GSS_Indicate_mechs_by_attrs() and
- GSS_Inquire_attrs_for_mech() support a notion of critical mechanism
- attributes. Applications can search for mechanisms that understand
-
-
-
-Williams Standards Track [Page 8]
-
-RFC 5587 Extended GSS Mech Inquiry July 2009
-
-
- mechanism attributes that are critical to the application, and the
- application may ask what mechanism attributes are understood by a
- given mechanism.
-
-3.4.2. GSS_Indicate_mechs_by_attrs()
-
- Inputs:
-
- o desired_mech_attrs SET OF OBJECT IDENTIFIER -- set of GSS_C_MA_*
- OIDs that the mechanisms indicated in the mechs output parameter
- MUST offer.
-
- o except_mech_attrs SET OF OBJECT IDENTIFIER -- set of GSS_C_MA_*
- OIDs that the mechanisms indicated in the mechs output parameter
- MUST NOT offer.
-
- o critical_mech_attrs SET OF OBJECT IDENTIFIER -- set of GSS_C_MA_*
- OIDs that the mechanisms indicated in the mechs output parameter
- MUST understand (i.e., mechs must know whether critical attributes
- are or are not supported).
-
- Outputs:
-
- o major_status INTEGER
-
- o minor_status INTEGER
-
- o mechs SET OF OBJECT IDENTIFIER -- set of mechanisms that support
- the given desired_mech_attrs but not the except_mech_attrs, and
- all of which understand the given critical_mech_attrs (the caller
- must release this output with GSS_Release_oid_set()).
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates success; the output mechs parameter MAY
- be the empty set (GSS_C_NO_OID_SET).
-
- o GSS_S_FAILURE indicates that the request failed for some other
- reason.
-
- GSS_Indicate_mechs_by_attrs() returns the set of OIDs corresponding
- to mechanisms that offer at least the desired_mech_attrs but none of
- the except_mech_attrs, and that understand all of the attributes
- listed in critical_mech_attrs.
-
- When all three sets of OID input parameters are the empty set, this
- function acts as a version of GSS_indicate_mechs() that outputs the
- set of all supported mechanisms.
-
-
-
-Williams Standards Track [Page 9]
-
-RFC 5587 Extended GSS Mech Inquiry July 2009
-
-
-3.4.3. GSS_Inquire_attrs_for_mech()
-
- Inputs:
-
- o mech OBJECT IDENTIFIER -- mechanism OID
-
- Outputs:
-
- o major_status INTEGER
-
- o minor_status INTEGER
-
- o mech_attrs SET OF OBJECT IDENTIFIER -- set of mech_attrs OIDs
- (GSS_C_MA_*) supported by the mechanism (the caller must release
- this output with GSS_Release_oid_set()).
-
- o known_mech_attrs SET OF OBJECT IDENTIFIER -- set of mech_attrs
- OIDs known to the mechanism implementation (the caller must
- release this output with GSS_Release_oid_set()).
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates success; the output mech_attrs parameter
- MAY be the empty set (GSS_C_NO_OID_SET).
-
- o GSS_S_BAD_MECH indicates that the mechanism named by the mech
- parameter does not exist or that the mech is GSS_C_NO_OID and no
- default mechanism could be determined.
-
- o GSS_S_FAILURE indicates that the request failed for some other
- reason.
-
- GSS_Inquire_attrs_for_mech() indicates the set of mechanism
- attributes supported by a given mechanism.
-
-3.4.4. GSS_Display_mech_attr()
-
- Inputs:
-
- o mech_attr OBJECT IDENTIFIER -- mechanism attribute OID
-
- Outputs:
-
- o major_status INTEGER
-
- o minor_status INTEGER
-
-
-
-
-
-Williams Standards Track [Page 10]
-
-RFC 5587 Extended GSS Mech Inquiry July 2009
-
-
- o name OCTET STRING, -- name of mechanism attribute (e.g.,
- GSS_C_MA_*).
-
- o short_desc OCTET STRING, -- a short description of the mechanism
- attribute (the caller must release this output with
- GSS_Release_buffer()).
-
- o long_desc OCTET STRING -- a longer description of the mechanism
- attribute (the caller must release this output with
- GSS_Release_buffer()).
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates success.
-
- o GSS_S_BAD_MECH_ATTR indicates that the mechanism attribute
- referenced by the mech_attr parameter is unknown to the
- implementation.
-
- o GSS_S_FAILURE indicates that the request failed for some other
- reason.
-
- This function can be used to obtain human-readable descriptions of
- GSS-API mechanism attributes.
-
-3.4.5. New Major Status Values
-
- A single, new, major status code is added for
- GSS_Display_mech_attr():
-
- o GSS_S_BAD_MECH_ATTR,
-
- roughly corresponding to GSS_S_BAD_MECH but applicable to mechanism
- attribute OIDs rather than to mechanism OIDs.
-
- For the C-bindings of the GSS-API [RFC2744], GSS_S_BAD_MECH_ATTR
- shall have a routine error number of 19 (this is shifted to the left
- by GSS_C_ROUTINE_ERROR_OFFSET).
-
-3.4.6. C-Bindings
-
- Note that there is a bug in the C bindings of the GSS-APIv2u1
- [RFC2744] in that the C 'const' attribute is applied to types that
- are pointer typedefs. This is a bug because it declares that the
- pointer argument is 'const' rather than that the object pointed by it
- is const. To avoid this error, we hereby define new typedefs, which
- include const properly:
-
-
-
-
-Williams Standards Track [Page 11]
-
-RFC 5587 Extended GSS Mech Inquiry July 2009
-
-
- typedef const gss_buffer_desc * gss_const_buffer_t;
- typedef const struct gss_channel_bindings_struct *
- gss_const_channel_bindings_t;
- typedef const <platform-specific> gss_const_ctx_id_t;
- typedef const <platform-specific> gss_const_cred_id_t;
- typedef const <platform-specific> gss_const_name_t;
- typedef const gss_OID_desc * gss_const_OID;
- typedef const gss_OID_set_desc * gss_const_OID_set;
-
- Figure 1: const typedefs
-
- Note that only gss_const_OID and gss_const_OID_set are used below.
- We include the other const typedefs for convenience since the C
- bindings of the GSS-API do use const with pointer typedefs when it
- should often instead use the above typedefs instead.
-
- #define GSS_S_BAD_MECH_ATTR (19ul << GSS_C_ROUTINE_ERROR_OFFSET)
-
- OM_uint32 gss_indicate_mechs_by_attrs(
- OM_uint32 *minor_status,
- gss_const_OID_set desired_mech_attrs,
- gss_const_OID_set except_mech_attrs,
- gss_const_OID_set critical_mech_attrs,
- gss_OID_set *mechs);
-
- OM_uint32 gss_inquire_attrs_for_mech(
- OM_uint32 *minor_status,
- gss_const_OID mech,
- gss_OID_set *mech_attrs,
- gss_OID_set *known_mech_attrs);
-
- OM_uint32 gss_display_mech_attr(
- OM_uint32 *minor_status,
- gss_const_OID mech_attr,
- gss_buffer_t name,
- gss_buffer_t short_desc,
- gss_buffer_t long_desc);
-
- Figure 2: C bindings
-
- Note that output buffers must be released via gss_release_buffer().
- Output OID sets must be released via gss_release_oid_set().
-
- Please see Appendix A for a full set of typedef fragments defined in
- this document and the necessary code license.
-
-
-
-
-
-
-Williams Standards Track [Page 12]
-
-RFC 5587 Extended GSS Mech Inquiry July 2009
-
-
-4. Requirements for Mechanism Designers
-
- All future GSS-API mechanism specifications MUST:
-
- o list the set of GSS-API mechanism attributes associated with them.
-
-5. IANA Considerations
-
- The namespace of programming-language symbols with names beginning
- with GSS_C_MA_* is reserved for allocation by IETF Consensus. IANA
- allocated a base OID, as an arc of 1.3.6.1.5.5, for the set of
- GSS_C_MA_* described herein, and registered all of the GSS_C_MA_*
- values described in Section 3.2.
-
-6. Security Considerations
-
- This document specifies extensions to a security-related API. It
- imposes new requirements on future GSS-API mechanisms, and the
- specifications of future protocols that use the GSS-API should make
- reference to this document where applicable. The ability to inquire
- about specific properties of mechanisms should improve security.
-
- The semantics of each mechanism attribute may include a security
- component.
-
- Application developers must understand that mechanism attributes may
- be added at any time -- both to the set of known mechanism attributes
- as well as to existing mechanisms' sets of supported mechanism
- attributes. Therefore, application developers using the APIs
- described herein must understand what mechanism attributes their
- applications depend critically on, and must use the mechanism
- attribute criticality features of these APIs.
-
-7. References
-
-7.1. Normative References
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC2743] Linn, J., "Generic Security Service Application Program
- Interface Version 2, Update 1", RFC 2743, January 2000.
-
- [RFC2744] Wray, J., "Generic Security Service API Version 2 :
- C-bindings", RFC 2744, January 2000.
-
-
-
-
-
-
-Williams Standards Track [Page 13]
-
-RFC 5587 Extended GSS Mech Inquiry July 2009
-
-
-7.2. Informative References
-
- [RFC1964] Linn, J., "The Kerberos Version 5 GSS-API Mechanism",
- RFC 1964, June 1996.
-
- [RFC2025] Adams, C., "The Simple Public-Key GSS-API Mechanism
- (SPKM)", RFC 2025, October 1996.
-
- [RFC2847] Eisler, M., "LIPKEY - A Low Infrastructure Public Key
- Mechanism Using SPKM", RFC 2847, June 2000.
-
- [RFC4178] Zhu, L., Leach, P., Jaganathan, K., and W. Ingersoll, "The
- Simple and Protected Generic Security Service Application
- Program Interface (GSS-API) Negotiation Mechanism",
- RFC 4178, October 2005.
-
- [RFC4251] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH)
- Protocol Architecture", RFC 4251, January 2006.
-
- [RFC4462] Hutzelman, J., Salowey, J., Galbraith, J., and V. Welch,
- "Generic Security Service Application Program Interface
- (GSS-API) Authentication and Key Exchange for the Secure
- Shell (SSH) Protocol", RFC 4462, May 2006.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Williams Standards Track [Page 14]
-
-RFC 5587 Extended GSS Mech Inquiry July 2009
-
-
-Appendix A. Typedefs and C Bindings
-
- This appendix contains the full set of code fragments defined in this
- document.
-
- Copyright (c) 2009 IETF Trust and the persons identified as authors
- of the code. All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions
- are met:
-
- - Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-
- - Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the
- distribution.
-
- - Neither the name of Internet Society, IETF or IETF Trust, nor the
- names of specific contributors, may be used to endorse or promote
- products derived from this software without specific prior written
- permission.
-
- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
- A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
- OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
- typedef const gss_buffer_desc * gss_const_buffer_t;
- typedef const struct gss_channel_bindings_struct *
- gss_const_channel_bindings_t;
- typedef const <platform-specific> gss_const_ctx_id_t;
- typedef const <platform-specific> gss_const_cred_id_t;
- typedef const <platform-specific> gss_const_name_t;
- typedef const gss_OID_desc * gss_const_OID;
- typedef const gss_OID_set_desc * gss_const_OID_set;
-
-
-
-
-
-
-
-Williams Standards Track [Page 15]
-
-RFC 5587 Extended GSS Mech Inquiry July 2009
-
-
- #define GSS_S_BAD_MECH_ATTR (19ul << GSS_C_ROUTINE_ERROR_OFFSET)
-
- OM_uint32 gss_indicate_mechs_by_attrs(
- OM_uint32 *minor_status,
- gss_const_OID_set desired_mech_attrs,
- gss_const_OID_set except_mech_attrs,
- gss_const_OID_set critical_mech_attrs,
- gss_OID_set *mechs);
-
- OM_uint32 gss_inquire_attrs_for_mech(
- OM_uint32 *minor_status,
- gss_const_OID mech,
- gss_OID_set *mech_attrs,
- gss_OID_set *known_mech_attrs);
-
- OM_uint32 gss_display_mech_attr(
- OM_uint32 *minor_status,
- gss_const_OID mech_attr,
- gss_buffer_t name,
- gss_buffer_t short_desc,
- gss_buffer_t long_desc);
-
-Author's Address
-
- Nicolas Williams
- Sun Microsystems
- 5300 Riata Trace Ct
- Austin, TX 78727
- US
-
- EMail: Nicolas.Williams@sun.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Williams Standards Track [Page 16]
-
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-07 18:13:12 +0000