ISO/IEC 9798-3 Authentication SASL Mechanism
RFC 3163 ISO/IEC 9798-3 Authentication SASL Mechanism August 2001
1. Introduction
1.1. Overview
This document defines a SASL [RFC 2222] authentication mechanism based
on ISO/IEC 9798-3 [ISO3] and FIPS PUB 196 [FIPS] entity
authentication.
This mechanism only provides authentication using X.509 certificates
[X509]. It has no effect on the protocol encodings and does not
provide integrity or confidentiality services.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC 2119].
The key benefit of asymmetric (public key) security is that the
secret (private key) only needs to be placed with the entity that is
being authenticated. Thus, a private key can be issued to a client,
which can then be authenticated by ANY server based on a token
generated by the client and the generally available public key.
Symmetric authentication mechanisms (password mechanisms such as
CRAM-MD5 [RFC 2195]) require a shared secret, which must be
maintained at both endpoints. This means that a secret key for the
client needs to be maintained at every server that may need to
authenticate the client.
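The key-distribution difference described in the two paragraphs above, as an added example that is not part of RFC 3163. It puts a CRAM-MD5-style shared-secret challenge-response (HMAC-SHA256 standing in for HMAC-MD5) beside a public-key challenge-response in which the client signs the server's random challenge bound to the server's name. Ed25519 over raw keys and the hostnames imap.example.com and smtp.example.com are assumptions for illustration; the actual mechanism in this RFC carries X.509 certificates and an ISO/IEC 9798-3 token structure, which the example does not reproduce.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// --- Symmetric (shared-secret) challenge-response, CRAM-MD5 style ---
// HMAC-SHA256 stands in for CRAM-MD5's HMAC-MD5. The verifier must hold
// the client's secret itself, so every server that authenticates the
// client needs its own copy of that secret.

func symmetricToken(secret, challenge []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write(challenge)
	return mac.Sum(nil)
}

func symmetricVerify(secret, challenge, token []byte) bool {
	return hmac.Equal(symmetricToken(secret, challenge), token)
}

// --- Asymmetric (public-key) challenge-response ---
// The client signs the server's random challenge bound to the server's
// identity. Any server that knows the client's public key can verify;
// the private key never leaves the client. Ed25519 over raw keys is a
// simplification of the RFC's certificate-based 9798-3 token (assumption).

func keyFromSeed(seed []byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(seed) // seed must be exactly 32 bytes
	return priv.Public().(ed25519.PublicKey), priv
}

func bindMsg(serverID string, challenge []byte) []byte {
	// Binding the intended server's name into the signed message keeps a
	// token issued for one server from being accepted by another.
	return append([]byte(serverID+"\x00"), challenge...)
}

func asymmetricToken(priv ed25519.PrivateKey, serverID string, challenge []byte) []byte {
	return ed25519.Sign(priv, bindMsg(serverID, challenge))
}

func asymmetricVerify(pub ed25519.PublicKey, serverID string, challenge, token []byte) bool {
	return ed25519.Verify(pub, bindMsg(serverID, challenge), token)
}

func newChallenge() []byte {
	c := make([]byte, 16)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

func main() {
	// Constructed demo values; the seed and hostnames are placeholders.
	pub, priv := keyFromSeed([]byte("0123456789abcdef0123456789abcdef"))
	chalA := newChallenge()
	tok := asymmetricToken(priv, "imap.example.com", chalA)
	fmt.Println("server A verifies with the public key only:",
		asymmetricVerify(pub, "imap.example.com", chalA, tok))
	fmt.Println("same token replayed to server B:",
		asymmetricVerify(pub, "smtp.example.com", chalA, tok))
	chalB := newChallenge()
	fmt.Println("fresh token for server B, still public key only:",
		asymmetricVerify(pub, "smtp.example.com", chalB,
			asymmetricToken(priv, "smtp.example.com", chalB)))

	secret := []byte("per-client shared secret")
	st := symmetricToken(secret, chalA)
	fmt.Println("symmetric, server holding the secret:",
		symmetricVerify(secret, chalA, st))
	fmt.Println("symmetric, server without the secret:",
		symmetricVerify([]byte("not the secret"), chalA, st))
	fmt.Println("signature prefix:", hex.EncodeToString(tok[:8]))
}
```

The point the RFC makes shows up in what each verifier needs: symmetricVerify takes the secret itself, so a second server cannot check the client without its own copy, while asymmetricVerify takes only the public key. The server name folded into bindMsg is the reason a token minted for one server is rejected by another even when both hold the same public key.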
The service described in this memo provides authentication only.
There are a number of places where an authentication only service is
useful, e.g., where confidentiality and integrity are provided by
lower layers, or where confidentiality or integrity services are
provided by the application.
1.2. Relationship to TLS
The functionality defined here can be provided by TLS, and it is
important to consider why it is useful to have it in both places.
There are several reasons for this, e.g.:
- Simplicity. This mechanism is simpler than TLS. If there is
only a requirement for this functionality (as distinct from all
of TLS), this simplicity will facilitate deployment.
- Layering. The SASL mechanism to establish authentication works
cleanly with most protocols. This mechanism can fit more
cleanly than TLS for some protocols.
Zuccherato & Nystrom Experimental