Generic Security Service API Version 2 : C-bindings
RFC 2744 GSS-API V2: C-bindings January 2000
1. Introduction
The Generic Security Service Application Programming Interface
[GSSAPI] provides security services to calling applications. It
allows a communicating application to authenticate the user
associated with another application, to delegate rights to another
application, and to apply security services such as confidentiality
and integrity on a per-message basis.
There are four stages to using the GSS-API:
a) The application acquires a set of credentials with which it may
prove its identity to other processes. The application's
credentials vouch for its global identity, which may or may not be
related to any local username under which it may be running.
b) A pair of communicating applications establish a joint security
context using their credentials. The security context is a pair
of GSS-API data structures that contain shared state information,
which is required in order that per-message security services may
be provided. Examples of state that might be shared between
applications as part of a security context are cryptographic keys,
and message sequence numbers. As part of the establishment of a
security context, the context initiator is authenticated to the
responder, and may require that the responder is authenticated in
turn. The initiator may optionally give the responder the right
to initiate further security contexts, acting as an agent or
delegate of the initiator. This transfer of rights is termed
delegation, and is achieved by creating a set of credentials,
similar to those used by the initiating application, but which may
be used by the responder.
To establish and maintain the shared information that makes up the
security context, certain GSS-API calls will return a token data
structure, which is an opaque data type that may contain
cryptographically protected data. The caller of such a GSS-API
routine is responsible for transferring the token to the peer
application, encapsulated if necessary in an application-
application protocol. On receipt of such a token, the peer
application should pass it to a corresponding GSS-API routine
which will decode the token and extract the information, updating
the security context state information accordingly.
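The four-stage flow above, modelled end to end as an added example (this is not RFC 2744 code, nor any real GSS-API implementation; the C bindings this document specifies are only mirrored in the function and status names). To run offline, a constructed toy mechanism stands in for Kerberos: a pre-shared key (SHARED_KEY) plays the role of the credentials acquired in stage (a), and HMAC-SHA256 over nonces plays the role of the mechanism's cryptography. What it shows is the shape of stage (b): the initiator emits a token while its status is GSS_S_CONTINUE_NEEDED, the application carries each opaque token to the peer, the acceptor answers with a token that proves its own identity (mutual authentication), and both sides end up holding the same context state, a session key plus sequence numbers, which the per-message MIC calls then use to reject tampering, replay and gaps. GSS_S_DUPLICATE_TOKEN and GSS_S_GAP_TOKEN are returned here as plain statuses; in the real API they are supplementary-information bits alongside GSS_S_COMPLETE.

```python
# Constructed model of the GSS-API flow described above, not RFC 2744 code: a toy
# mechanism (pre-shared key + HMAC-SHA256) stands in for Kerberos so it runs offline.
import hashlib
import hmac
import os
from collections import namedtuple

GSS_S_COMPLETE = "GSS_S_COMPLETE"
GSS_S_CONTINUE_NEEDED = "GSS_S_CONTINUE_NEEDED"
GSS_S_DEFECTIVE_TOKEN = "GSS_S_DEFECTIVE_TOKEN"
GSS_S_BAD_SIG = "GSS_S_BAD_SIG"
GSS_S_DUPLICATE_TOKEN = "GSS_S_DUPLICATE_TOKEN"  # in the real API these two are
GSS_S_GAP_TOKEN = "GSS_S_GAP_TOKEN"              # supplementary bits, not errors
SHARED_KEY = bytes(range(32))  # constructed long-term key known to both sides
# Stage (a): a credential is an identity plus the key with which it proves it.
Credential = namedtuple("Credential", "name key")

def pack(*fields):
    """Length-prefix each field: tokens stay opaque to the app yet self-delimiting."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def unpack(blob):
    fields, i = [], 0
    while i < len(blob):
        n = int.from_bytes(blob[i:i + 2], "big")
        if i + 2 + n > len(blob):
            raise ValueError("truncated token")
        fields.append(blob[i + 2:i + 2 + n])
        i += 2 + n
    return fields

def _mac(key, *parts):
    return hmac.new(key, pack(*parts), hashlib.sha256).digest()

class Context:
    """Stage (b): one side's half of the shared state (key, sequence numbers)."""
    def __init__(self):
        self.established, self.peer, self.session_key, self.nonce = False, None, None, None
        self.send_seq = self.recv_seq = 0

def init_sec_context(cred, target, ctx, input_token):
    """Initiator step; returns (status, token to send or None)."""
    if ctx.nonce is None:  # first call: nothing from the peer yet
        ctx.nonce = os.urandom(16)
        return GSS_S_CONTINUE_NEEDED, pack(
            b"INIT", cred.name, ctx.nonce, _mac(cred.key, b"INIT", cred.name, ctx.nonce))
    try:
        tag, peer, nonce_a, mac = unpack(input_token)
    except ValueError:
        return GSS_S_DEFECTIVE_TOKEN, None
    # Mutual authentication: the reply must name the target we asked for and bind our nonce.
    if tag != b"ACCEPT" or peer != target or not hmac.compare_digest(
            mac, _mac(cred.key, b"ACCEPT", peer, ctx.nonce, nonce_a)):
        return GSS_S_DEFECTIVE_TOKEN, None
    ctx.session_key = _mac(cred.key, b"SESSION", ctx.nonce, nonce_a)
    ctx.peer, ctx.established = peer, True
    return GSS_S_COMPLETE, None

def accept_sec_context(cred, ctx, input_token):
    """Acceptor step; returns (status, token to send or None)."""
    try:
        tag, peer, nonce_i, mac = unpack(input_token)
    except ValueError:
        return GSS_S_DEFECTIVE_TOKEN, None
    if tag != b"INIT" or not hmac.compare_digest(mac, _mac(cred.key, b"INIT", peer, nonce_i)):
        return GSS_S_DEFECTIVE_TOKEN, None
    nonce_a = os.urandom(16)
    ctx.session_key = _mac(cred.key, b"SESSION", nonce_i, nonce_a)
    ctx.peer, ctx.established = peer, True
    reply = pack(b"ACCEPT", cred.name, nonce_a,
                 _mac(cred.key, b"ACCEPT", cred.name, nonce_i, nonce_a))
    return GSS_S_COMPLETE, reply  # done on this side, but the peer still needs a token

def get_mic(ctx, message):
    """Per-message integrity token carrying this side's send sequence number."""
    seq = ctx.send_seq.to_bytes(4, "big")
    ctx.send_seq += 1
    return pack(seq, _mac(ctx.session_key, b"MIC", seq, message))

def verify_mic(ctx, message, mic_token):
    try:
        seq, mac = unpack(mic_token)
    except ValueError:
        return GSS_S_DEFECTIVE_TOKEN
    if not hmac.compare_digest(mac, _mac(ctx.session_key, b"MIC", seq, message)):
        return GSS_S_BAD_SIG
    n = int.from_bytes(seq, "big")
    if n != ctx.recv_seq:  # replay (already accepted) or a gap (something lost)
        return GSS_S_DUPLICATE_TOKEN if n < ctx.recv_seq else GSS_S_GAP_TOKEN
    ctx.recv_seq += 1
    return GSS_S_COMPLETE

def establish(init_cred, acc_cred):
    """Drive both sides in-process, carrying tokens as the application protocol would."""
    ictx, actx, status, in_tok = Context(), Context(), GSS_S_CONTINUE_NEEDED, None
    while status == GSS_S_CONTINUE_NEEDED:
        status, out_tok = init_sec_context(init_cred, acc_cred.name, ictx, in_tok)
        if out_tok is not None:
            acc_status, in_tok = accept_sec_context(acc_cred, actx, out_tok)
            if acc_status not in (GSS_S_COMPLETE, GSS_S_CONTINUE_NEEDED):
                return acc_status, ictx, actx
    return status, ictx, actx
```

Two details of the driver loop carry over to real GSS-API applications: a side sends whenever a call hands back an output token, even when that same call reported GSS_S_COMPLETE (the acceptor's last token here), and a side reads from the peer only while its own status is GSS_S_CONTINUE_NEEDED. The replay and gap branches in verify_mic are why the text lists message sequence numbers, alongside keys, as context state that both ends must keep in step.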
Wray Standards Track