ISO/IEC 9798-3 Authentication SASL Mechanism



RFC 3163      ISO/IEC 9798-3 Authentication SASL Mechanism   August 2001


1. Introduction

1.1. Overview

   This document defines a SASL [RFC 2222] authentication mechanism based
   on ISO/IEC 9798-3 [ISO3] and FIPS PUB 196 [FIPS] entity
   authentication.

   This mechanism only provides authentication using X.509 certificates
   [X509].  It has no effect on the protocol encodings and does not
   provide integrity or confidentiality services.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC 2119].

   The key benefit of asymmetric (public key) security is that the
   secret (private key) only needs to be placed with the entity that is
   being authenticated.  Thus, a private key can be issued to a client,
   which can then be authenticated by ANY server based on a token
   generated by the client and the generally available public key.
   Symmetric authentication mechanisms (password mechanisms such as
   CRAM-MD5 [RFC 2195]) require a shared secret that must be maintained
   at both endpoints.  This means that a secret key for the client
   needs to be maintained at every server that may need to authenticate
   the client.
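
   The property described above, as an added example that is not part of
   this memo and does not reproduce the RFC 3163 token encoding: a client
   holds the only copy of its private key, any server holding the public
   key can verify a signed challenge, and binding the server's name and
   nonce into the signed data keeps a token from being replayed to another
   server or reused against a later challenge.  The Token layout, the
   field names, the hostnames and the use of a raw ECDSA key in place of
   an X.509 certificate are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Token is a simplified authentication token: the client's own nonce, the
// server's challenge, the name of the server the token is meant for, and a
// signature over all three.  This layout is an assumption for the example;
// it is not the RFC 3163 encoding.
type Token struct {
	ClientNonce []byte
	ServerNonce []byte
	ServerName  string
	Signature   []byte
}

// GenerateClientKey creates the client's key pair.  Only the private half is
// secret; the public half can be handed to every server (in practice inside
// an X.509 certificate, which this example omits).
func GenerateClientKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// NewChallenge produces a fresh 32-byte random nonce.  Freshness comes from
// this value: a token signed over an old nonce is rejected.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// tokenDigest hashes both nonces and the server name.  Including the server
// name is what stops a token issued for one server from being accepted by
// another.
func tokenDigest(clientNonce, serverNonce []byte, serverName string) []byte {
	h := sha256.New()
	h.Write(clientNonce)
	h.Write(serverNonce)
	h.Write([]byte(serverName))
	return h.Sum(nil)
}

// ClientRespond answers a server challenge with the private key, which never
// leaves the client.
func ClientRespond(priv *ecdsa.PrivateKey, serverNonce []byte, serverName string) (*Token, error) {
	clientNonce, err := NewChallenge()
	if err != nil {
		return nil, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, tokenDigest(clientNonce, serverNonce, serverName))
	if err != nil {
		return nil, err
	}
	return &Token{ClientNonce: clientNonce, ServerNonce: serverNonce, ServerName: serverName, Signature: sig}, nil
}

// ServerVerify checks a token using only the client's public key, so any
// server holding that key can authenticate the client without a shared secret.
func ServerVerify(pub *ecdsa.PublicKey, expectedNonce []byte, serverName string, tok *Token) error {
	if !bytes.Equal(tok.ServerNonce, expectedNonce) {
		return errors.New("challenge nonce does not match the one issued")
	}
	if tok.ServerName != serverName {
		return errors.New("token was issued for a different server")
	}
	if !ecdsa.VerifyASN1(pub, tokenDigest(tok.ClientNonce, tok.ServerNonce, tok.ServerName), tok.Signature) {
		return errors.New("signature does not verify under the client's public key")
	}
	return nil
}

func main() {
	priv, err := GenerateClientKey()
	if err != nil {
		panic(err)
	}
	// Two independent servers (constructed names); each holds only the public key.
	for _, server := range []string{"imap.example.com", "smtp.example.com"} {
		nonce, _ := NewChallenge()
		tok, _ := ClientRespond(priv, nonce, server)
		fmt.Printf("%s: %v\n", server, ServerVerify(&priv.PublicKey, nonce, server, tok))
	}
	// Presenting a token to a server it was not issued for fails.
	nonce, _ := NewChallenge()
	tok, _ := ClientRespond(priv, nonce, "imap.example.com")
	fmt.Println("token for imap presented to smtp:", ServerVerify(&priv.PublicKey, nonce, "smtp.example.com", tok))
}
```

   The contrast with CRAM-MD5 is in ServerVerify: it takes the public key
   only, so adding a third server means distributing one more copy of public
   material rather than another copy of the client's secret.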

   The service described in this memo provides authentication only.
   There are a number of places where an authentication-only service is
   useful, e.g., where confidentiality and integrity are provided by
   lower layers, or where confidentiality or integrity services are
   provided by the application.

1.2. Relationship to TLS

   The functionality defined here can be provided by TLS, and it is
   important to consider why it is useful to have it in both places.
   There are several reasons for this, e.g.:

      -  Simplicity.  This mechanism is simpler than TLS.  If there is
         only a requirement for this functionality (as distinct from all
         of TLS), this simplicity will facilitate deployment.

      -  Layering.  The SASL mechanism to establish authentication works
         cleanly with most protocols.  This mechanism can fit more
         cleanly than TLS for some protocols.





Zuccherato & Nystrom          Experimental