The Kerberos Version 5 GSS-API Mechanism
RFC 1964 Kerberos Version 5 GSS-API June 1996
To support ongoing experimentation, testing, and evolution of the
specification, the Kerberos V5 GSS-API mechanism as defined in this
and any successor memos will be identified with the following Object
Identifier, as defined in RFC-1510, until the specification is
advanced to the level of Proposed Standard RFC:
   {iso(1), org(3), dod(5), internet(1), security(5), kerberosv5(2)}
Upon advancement to the level of Proposed Standard RFC, the Kerberos
V5 GSS-API mechanism will be identified by an Object Identifier
having the value:
   {iso(1) member-body(2) United States(840) mit(113554) infosys(1)
   gssapi(2) krb5(2)}
1.1. Context Establishment Tokens
Per RFC-1508, Appendix B, the initial context establishment token
will be enclosed within framing as follows:
   InitialContextToken ::=
   [APPLICATION 0] IMPLICIT SEQUENCE {
           thisMech        MechType
                   -- MechType is OBJECT IDENTIFIER
                   -- representing "Kerberos V5"
           innerContextToken ANY DEFINED BY thisMech
                   -- contents mechanism-specific;
                   -- ASN.1 usage within innerContextToken
                   -- is not required
           }
The innerContextToken of the initial context token will consist of a
Kerberos V5 KRB_AP_REQ message, preceded by a two-byte token-id
(TOK_ID) field, which shall contain the value 01 00.
The above GSS-API framing shall be applied to all tokens emitted by
the Kerberos V5 GSS-API mechanism, including KRB_AP_REP, KRB_ERROR,
context-deletion, and per-message tokens, not just to the initial
token in a context establishment sequence. While not required by
RFC-1508, this enables implementations to perform enhanced error-
checking. The innerContextToken field of context establishment tokens
for the Kerberos V5 GSS-API mechanism will contain a Kerberos message
(KRB_AP_REQ, KRB_AP_REP or KRB_ERROR), preceded by a 2-byte TOK_ID
field containing 01 00 for KRB_AP_REQ messages, 02 00 for KRB_AP_REP
messages and 03 00 for KRB_ERROR messages.
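
The framing above can be checked strictly before any Kerberos decoding is attempted. The following is an added example, not part of RFC 1964: the function names and the sample token are this example's own. It accepts only the Proposed Standard OID and the three context establishment TOK_ID values listed above.

```python
# Added example (not from RFC 1964); all names below are this example's own.
KRB5_MECH_OID = "1.2.840.113554.1.2.2"  # Proposed Standard OID given on this page
TOK_IDS = {b"\x01\x00": "KRB_AP_REQ", b"\x02\x00": "KRB_AP_REP", b"\x03\x00": "KRB_ERROR"}
# Constructed sample: framing + TOK_ID 01 00 + 4 placeholder bytes (not a real KRB_AP_REQ).
SAMPLE = bytes.fromhex("6011" "06092a864886f712010202" "0100" "6e023000")

class TokenError(ValueError): pass

def der_length(buf, pos):  # definite-form DER length -> (length, next_pos)
    if pos >= len(buf):
        raise TokenError("truncated length")
    if buf[pos] < 0x80:
        return buf[pos], pos + 1
    n = buf[pos] & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise TokenError("indefinite, oversized or truncated length")
    value = int.from_bytes(buf[pos + 1:pos + 1 + n], "big")
    if value < 0x80 or buf[pos + 1] == 0:
        raise TokenError("non-minimal DER length")
    return value, pos + 1 + n

def decode_oid(body):  # OID content octets -> dotted-decimal text
    if not body or body[-1] & 0x80:
        raise TokenError("malformed OID")
    arcs, value = [], 0
    for octet in body:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_token(token):
    """Return (message_name, kerberos_message_bytes) or raise TokenError."""
    if token[:1] != b"\x60":  # [APPLICATION 0], constructed
        raise TokenError("not a GSS-API framed token")
    length, pos = der_length(token, 1)
    if pos + length != len(token):
        raise TokenError("outer length does not match token size")
    if token[pos:pos + 1] != b"\x06":  # OBJECT IDENTIFIER tag for thisMech
        raise TokenError("thisMech missing")
    oid_len, pos = der_length(token, pos + 1)
    if pos + oid_len > len(token) or decode_oid(token[pos:pos + oid_len]) != KRB5_MECH_OID:
        raise TokenError("thisMech is not the Kerberos V5 mechanism")
    name = TOK_IDS.get(bytes(token[pos + oid_len:pos + oid_len + 2]))
    if name is None:
        raise TokenError("missing or unknown TOK_ID")
    return name, bytes(token[pos + oid_len + 2:])
```

The returned bytes are handed to the Kerberos decoder unchanged; this check covers only the outer framing and the TOK_ID.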
Linn Standards Track