The Simple and Protected GSS-API Negotiation Mechanism
RFC 2478 GSS-API Negotiation Mechanism December 1998
Once the common security mechanism is identified, that security
mechanism may also negotiate mechanism-specific options during its
own context establishment. This happens inside the mechanism tokens
and is invisible to the SPNEGO protocol.
The simple and protected GSS-API mechanism negotiation is based on
the following negotiation model: the initiator proposes one security
mechanism or an ordered list of security mechanisms, and the target
either accepts the proposed security mechanism, chooses one from the
offered set, or rejects the proposed value(s). The target then
informs the initiator of its choice.
In its basic form this protocol requires an extra round trip. Network
connection setup is a critical performance characteristic of any
network infrastructure, and extra round trips over WAN links, packet
radio networks, etc. are costly. In order to avoid such an extra
round trip, the initial security token of the initiator's preferred
mechanism may be embedded in the initial negotiation token. If the
target's preferred mechanism matches the initiator's preferred
mechanism, no additional round trips are incurred by using the
negotiation protocol.
The simple and protected GSS-API mechanism negotiation provides a
technique to protect the negotiation; it must be used whenever the
underlying mechanism selected by the target is capable of integrity
protection.
When all the mechanisms proposed by the initiator support integrity
protection, or when the selected mechanism supports integrity
protection, the negotiation itself is protected: the integrity check
guarantees that the list of offered mechanisms was not altered in
transit and that the appropriate mechanism supported by both peers
has been selected.
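The following is an added example, not text or code from RFC 2478, that
models the negotiation described in the two preceding parts of this
section: the ordered mechanism list, the optimistic embedding of the
preferred mechanism's first token to save a round trip, and the
integrity check over the offered list. The mechanism OIDs, the context
keys and the token contents are constructed for illustration; the HMAC
stands in for the selected mechanism's GSS_GetMIC/GSS_VerifyMIC, and the
newline-joined list stands in for the DER-encoded mechTypes. It also
shows the case the text warns about: when the target ends up on a
mechanism without integrity protection, a downgraded list cannot be
detected.

```python
# Model of the SPNEGO negotiation (added example; not RFC 2478 text or code).
# OIDs, keys and tokens are constructed; the HMAC is a stand-in for the
# selected mechanism's GSS_GetMIC/GSS_VerifyMIC, which this model does not implement.
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Mechanism:
    oid: str            # hypothetical OID, not a registered one
    integrity: bool     # True if the mechanism offers an integrity (MIC) service
    key: bytes          # stand-in for the context key the mechanism would establish


# Constructed mechanism table, known to both peers in this model.
STRONG = Mechanism("1.3.6.1.4.1.99999.1", True, b"ctx-key-strong")
MEDIUM = Mechanism("1.3.6.1.4.1.99999.2", True, b"ctx-key-medium")
WEAK = Mechanism("1.3.6.1.4.1.99999.3", False, b"ctx-key-weak")
BY_OID = {m.oid: m for m in (STRONG, MEDIUM, WEAK)}

GSS_S_COMPLETE = "GSS_S_COMPLETE"
GSS_S_BAD_MECH = "GSS_S_BAD_MECH"   # status the RFC names for a failed negotiation


def encode_mech_list(mech_list):
    """Canonical bytes for the ordered mechTypes list (stand-in for DER)."""
    return "\n".join(mech_list).encode()


def get_mic(mech, data):
    """Stand-in for GSS_GetMIC; None when the mechanism has no integrity service."""
    if not mech.integrity:
        return None
    return hmac.new(mech.key, data, hashlib.sha256).digest()


def initiator_token(mech_list, optimistic=True):
    """NegTokenInit: ordered mechTypes plus, optionally, the preferred mechanism's first token."""
    token = {"mechTypes": list(mech_list), "mechToken": None}
    if optimistic:
        token["mechToken"] = f"first token of {mech_list[0]}".encode()  # constructed placeholder
    return token


def acceptor_choose(init_token, supported):
    """Target side: take the first offered mechanism it supports, else reject (None)."""
    for oid in init_token["mechTypes"]:
        if oid in supported:
            return oid
    return None


def negotiate(initiator_list, acceptor_supported, tampered_list=None, optimistic=True):
    """Run one negotiation and return (status, selected_oid, extra_round_trips, protected).

    `tampered_list` models an on-path attacker rewriting the mechTypes the
    acceptor sees; the initiator still believes it sent `initiator_list`.
    """
    sent = initiator_token(initiator_list, optimistic)
    received = dict(sent)
    if tampered_list is not None:
        received["mechTypes"] = list(tampered_list)
        # The embedded token only survives tampering if it belongs to the new first mechanism.
        received["mechToken"] = sent["mechToken"] if tampered_list[0] == initiator_list[0] else None
    chosen = acceptor_choose(received, acceptor_supported)
    if chosen is None:
        return GSS_S_BAD_MECH, None, 1, False
    # The optimistic token saves the extra round trip only when the target's
    # choice is the mechanism whose first token the initiator embedded.
    extra_round_trips = 0 if (received["mechToken"] and chosen == initiator_list[0]) else 1
    mech = BY_OID[chosen]
    # Protection: the initiator MICs the list *it* sent under the selected
    # mechanism; the acceptor verifies against the list *it* received.
    mic = get_mic(mech, encode_mech_list(sent["mechTypes"]))
    if mic is None:
        return GSS_S_COMPLETE, chosen, extra_round_trips, False   # unprotected negotiation
    expected = get_mic(mech, encode_mech_list(received["mechTypes"]))
    if not hmac.compare_digest(mic, expected):
        return GSS_S_BAD_MECH, chosen, extra_round_trips, True    # altered list detected
    return GSS_S_COMPLETE, chosen, extra_round_trips, True


if __name__ == "__main__":
    print(negotiate([STRONG.oid, WEAK.oid], {STRONG.oid, WEAK.oid}))              # preferred match, 0 extra round trips
    print(negotiate([STRONG.oid, WEAK.oid], {WEAK.oid}))                          # fallback, 1 extra round trip, unprotected
    print(negotiate([STRONG.oid, MEDIUM.oid], {STRONG.oid, MEDIUM.oid}, [MEDIUM.oid]))  # downgrade caught by MIC
    print(negotiate([STRONG.oid, WEAK.oid], {STRONG.oid, WEAK.oid}, [WEAK.oid]))  # downgrade to a MIC-less mechanism goes unnoticed
```

The third and fourth calls are the point of the example: stripping
STRONG from the list is detected when the remaining choice (MEDIUM) can
produce a MIC, but the same attack against a list whose fallback (WEAK)
has no integrity service succeeds silently, which is why the text
requires either every offered mechanism or the selected one to support
integrity protection.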
The Simple and Protected GSS-API Negotiation Mechanism uses the
concepts developed in the GSS-API specification [1]. The negotiation
data is encapsulated in context-level tokens. Therefore, callers of
the GSS-API do not need to be aware of the existence of the
negotiation tokens, but only of the new pseudo-security mechanism. A
failure in the negotiation phase causes the major status code
GSS_S_BAD_MECH to be returned.
Baize & Pinkas Standards Track