The Simple and Protected GSS-API Negotiation Mechanism
Network Working Group                                           E. Baize
Request for Comments: 2478                                     D. Pinkas
Category: Standards Track                                           Bull
                                                           December 1998
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1998). All Rights Reserved.
1. ABSTRACT
This document specifies a Security Negotiation Mechanism for the
Generic Security Service Application Program Interface (GSS-API)
which is described in [1].
The GSS-API provides a generic interface which can be layered atop
different security mechanisms such that if communicating peers
acquire GSS-API credentials for the same security mechanism, then a
security context may be established between them (subject to policy).
However, GSS-API doesn't prescribe the method by which GSS-API peers
can establish whether they have a common security mechanism.
The Simple and Protected GSS-API Negotiation Mechanism defined here
is a pseudo-security mechanism, represented by the object identifier
iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2) which
enables GSS-API peers to determine in-band whether their credentials
share common GSS-API security mechanism(s), and if so, to invoke
normal security context establishment for a selected common security
mechanism. This is most useful for applications that are based on
GSS-API implementations which support multiple security mechanisms.
This allows the negotiation of different security mechanisms,
different options within a given security mechanism, or different
options from several security mechanisms.
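Added example (not part of RFC 2478): Python code that DER-encodes the snego object identifier given in the abstract and checks whether a GSS-API initial context token names it as its mechanism. The 0x60 token framing comes from the GSS-API specification rather than from this page; the Kerberos V5 OID, the function names and the sample tokens built by wrap() are assumptions constructed for illustration.

```python
# Added example, not taken from RFC 2478.
SPNEGO_OID = "1.3.6.1.5.5.2"          # snego OID quoted in the abstract
KRB5_OID = "1.2.840.113554.1.2.2"     # Kerberos V5 mechanism OID (not on this page)


def encode_oid(dotted):
    """DER-encode a dotted OID: tag 0x06, short-form length, base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID: " + dotted)
    body = bytearray()
    for arc in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]              # last byte has the high bit clear
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    if len(body) > 127:
        raise ValueError("OID too long for a short-form length")
    return bytes([0x06, len(body)]) + bytes(body)


def read_length(buf, pos):
    """Parse a DER length starting at buf[pos]; return (length, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated length")
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("unsupported or truncated length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def token_uses_mech(token, dotted):
    """True if an initial context token names `dotted`; ValueError if cut short."""
    if not token or token[0] != 0x60:     # [APPLICATION 0] wrapper tag
        return False
    length, pos = read_length(token, 1)
    if pos + length != len(token):        # declared length must match the buffer
        return False
    return token[pos:].startswith(encode_oid(dotted))


def wrap(dotted, inner):
    """Build a constructed sample token: 0x60, length, mech OID, inner bytes."""
    payload = encode_oid(dotted) + inner
    assert len(payload) < 128             # keep the sample in short-form length
    return bytes([0x60, len(payload)]) + payload
```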
Baize & Pinkas Standards Track