

Generic Security Service API Version 2 : C-bindings






RFC 2744                 GSS-API V2: C-bindings             January 2000


1.   Introduction

   The Generic Security Service Application Programming Interface
   [GSSAPI] provides security services to calling applications.  It
   allows a communicating application to authenticate the user
   associated with another application, to delegate rights to another
   application, and to apply security services such as confidentiality
   and integrity on a per-message basis.

   There are four stages to using the GSS-API:

   a) The application acquires a set of credentials with which it may
      prove its identity to other processes. The application's
      credentials vouch for its global identity, which may or may not be
      related to any local username under which it may be running.

   b) A pair of communicating applications establish a joint security
      context using their credentials.  The security context is a pair
      of GSS-API data structures that contain shared state information,
      which is required in order that per-message security services may
      be provided.  Examples of state that might be shared between
      applications as part of a security context are cryptographic keys,
      and message sequence numbers.  As part of the establishment of a
      security context, the context initiator is authenticated to the
      responder, and may require that the responder is authenticated in
      turn.  The initiator may optionally give the responder the right
      to initiate further security contexts, acting as an agent or
      delegate of the initiator.  This transfer of rights is termed
      delegation, and is achieved by creating a set of credentials,
      similar to those used by the initiating application, but which may
      be used by the responder.

      To establish and maintain the shared information that makes up the
      security context, certain GSS-API calls will return a token data
      structure, which is an opaque data type that may contain
      cryptographically protected data.  The caller of such a GSS-API
      routine is responsible for transferring the token to the peer
      application, encapsulated if necessary in an application-to-
      application protocol.  On receipt of such a token, the peer
      application should pass it to the corresponding GSS-API routine,
      which will decode the token and extract the information, updating
      the security context state information accordingly.
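   The token relay described above is the part of context establishment
   that the GSS-API leaves to the application: call the initiator
   routine, send whatever token it produced, hand the peer's reply back
   in, and repeat until the major status stops being CONTINUE_NEEDED.
   The following is an added illustration, not text or code from this
   RFC and not a real GSS-API implementation: it drives that loop in C
   over a constructed in-process mock of the initiator and acceptor
   routines (mock_init_sec_context / mock_accept_sec_context stand in for
   gss_init_sec_context / gss_accept_sec_context), with a two-leg nonce
   exchange as the "shared state" and the acquired-credential stage
   reduced to a constructed nonce.  Only the major-status values
   (GSS_S_COMPLETE, GSS_S_CONTINUE_NEEDED, GSS_S_DEFECTIVE_TOKEN) are
   taken from the C-bindings; everything else is assumed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Major-status codes with the values the GSS-API C-bindings assign them
 * (routine errors occupy bits 16-31; CONTINUE_NEEDED is supplementary bit 0). */
#define GSS_S_COMPLETE         0u
#define GSS_S_CONTINUE_NEEDED  1u
#define GSS_S_DEFECTIVE_TOKEN  (9u << 16)

/* Opaque token shaped like gss_buffer_desc (length + value).  Fixed storage
 * keeps the example allocation-free; real tokens are variable-length. */
typedef struct { size_t length; unsigned char value[16]; } token_t;

/* Constructed stand-in for a security context: the "shared state" is reduced
 * to one nonce per side and a sequence number derived from both. */
typedef struct {
    int      step;        /* establishment legs this side has processed */
    uint32_t my_nonce;    /* constructed; a real mechanism derives this from credentials */
    uint32_t peer_nonce;
    uint32_t seq;         /* shared per-message sequence number once established */
} mock_ctx_t;

static void put_u32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}
static uint32_t get_u32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

void mock_context_init(mock_ctx_t *c, uint32_t nonce) {
    memset(c, 0, sizeof *c);
    c->my_nonce = nonce;
}

/* Mock initiator (stands in for gss_init_sec_context).
 * Leg 1: no input token; emit own nonce and ask to be called again.
 * Leg 2: the reply must echo our nonce (binding it to our request) and carry
 *        the acceptor's; derive the shared state and finish with no output. */
uint32_t mock_init_sec_context(mock_ctx_t *c, const token_t *in, token_t *out) {
    out->length = 0;
    if (c->step == 0) {
        put_u32(out->value, c->my_nonce);
        out->length = 4;
        c->step = 1;
        return GSS_S_CONTINUE_NEEDED;
    }
    if (in == NULL || in->length != 8 || get_u32(in->value) != c->my_nonce)
        return GSS_S_DEFECTIVE_TOKEN;      /* tampered, replayed or missing reply */
    c->peer_nonce = get_u32(in->value + 4);
    c->seq = c->my_nonce ^ c->peer_nonce;
    c->step = 2;
    return GSS_S_COMPLETE;
}

/* Mock acceptor (stands in for gss_accept_sec_context).  It finishes on its
 * first call yet still produces an output token: GSS_S_COMPLETE together with
 * a non-empty token is legal, and the caller must still deliver that token. */
uint32_t mock_accept_sec_context(mock_ctx_t *c, const token_t *in, token_t *out) {
    out->length = 0;
    if (c->step != 0 || in == NULL || in->length != 4)
        return GSS_S_DEFECTIVE_TOKEN;
    c->peer_nonce = get_u32(in->value);
    c->seq = c->my_nonce ^ c->peer_nonce;
    put_u32(out->value, c->peer_nonce);    /* echo the initiator's nonce */
    put_u32(out->value + 4, c->my_nonce);
    out->length = 8;
    c->step = 1;
    return GSS_S_COMPLETE;
}

/* The application's job: relay every non-empty token to the peer and keep
 * calling until the initiator stops asking for more.  Both sides run
 * in-process here; in a real program each "send" is a network write.
 * Returns the number of tokens transferred, or -1 if establishment failed. */
int establish_context(mock_ctx_t *init, mock_ctx_t *acc) {
    token_t tok, reply;
    const token_t *input = NULL;           /* GSS_C_NO_BUFFER on the first call */
    uint32_t imaj = GSS_S_CONTINUE_NEEDED, amaj = GSS_S_CONTINUE_NEEDED;
    int transferred = 0;

    reply.length = 0;
    while (imaj == GSS_S_CONTINUE_NEEDED) {
        imaj = mock_init_sec_context(init, input, &tok);
        reply.length = 0;                  /* previous reply has been consumed */
        if (imaj != GSS_S_COMPLETE && imaj != GSS_S_CONTINUE_NEEDED) return -1;
        if (tok.length > 0) {              /* send whether COMPLETE or CONTINUE */
            transferred++;
            amaj = mock_accept_sec_context(acc, &tok, &reply);
            if (amaj != GSS_S_COMPLETE && amaj != GSS_S_CONTINUE_NEEDED) return -1;
        } else if (imaj == GSS_S_CONTINUE_NEEDED) {
            return -1;                     /* wants a reply but sent nothing */
        }
        if (reply.length > 0 && imaj == GSS_S_COMPLETE) return -1; /* unconsumable reply */
        input = reply.length > 0 ? &reply : NULL;
        transferred += reply.length > 0;
    }
    return (imaj == GSS_S_COMPLETE && amaj == GSS_S_COMPLETE) ? transferred : -1;
}

int main(void) {
    mock_ctx_t i, a;
    mock_context_init(&i, 0x11111111u);    /* constructed nonces */
    mock_context_init(&a, 0x22222222u);
    int n = establish_context(&i, &a);
    printf("tokens transferred: %d, shared seq: 0x%08x / 0x%08x\n", n, i.seq, a.seq);
    return (n == 2 && i.seq == a.seq) ? 0 : 1;
}
```

   Two points the loop makes explicit: the initiator's output token is
   sent even when its status is already GSS_S_COMPLETE, and the acceptor's
   final token is fed back into the initiator rather than dropped.  Both
   are common mistakes when porting the pattern to a real mechanism, and
   the mock's echoed-nonce check shows why a stale or altered reply must
   surface as a defective-token error rather than a completed context.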

Wray                        Standards Track