RFC 2478 (rfc2478) - Page 1 of 18


The Simple and Protected GSS-API Negotiation Mechanism



Alternative Format: Original Text Document



Network Working Group                                         E. Baize
Request for Comments: 2478                                   D. Pinkas
Category: Standards Track                                         Bull
                                                         December 1998


         The Simple and Protected GSS-API Negotiation Mechanism

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1998).  All Rights Reserved.

1.  ABSTRACT

   This document specifies a Security Negotiation Mechanism for the
   Generic Security Service Application Program Interface (GSS-API)
   which is described in [1].

   The GSS-API provides a generic interface which can be layered atop
   different security mechanisms such that if communicating peers
   acquire GSS-API credentials for the same security mechanism, then a
   security context may be established between them (subject to policy).
   However, GSS-API doesn't prescribe the method by which GSS-API peers
   can establish whether they have a common security mechanism.

   The Simple and Protected GSS-API Negotiation Mechanism defined here
   is a pseudo-security mechanism, represented by the object identifier
   iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2) which
   enables GSS-API peers to determine in-band whether their credentials
   share common GSS-API security mechanism(s), and if so, to invoke
   normal security context establishment for a selected common security
   mechanism. This is most useful for applications that are based on
   GSS-API implementations which support multiple security mechanisms.

   This allows to negotiate different security mechanisms, different
   options within a given security mechanism or different options from
   several security mechanisms.






Baize & Pinkas              Standards Track