summaryrefslogtreecommitdiff
path: root/source4/heimdal/doc/standardisation/draft-ietf-kitten-stackable-pseudo-mechs-01.txt
diff options
context:
space:
mode:
Diffstat (limited to 'source4/heimdal/doc/standardisation/draft-ietf-kitten-stackable-pseudo-mechs-01.txt')
-rw-r--r--source4/heimdal/doc/standardisation/draft-ietf-kitten-stackable-pseudo-mechs-01.txt953
1 files changed, 953 insertions, 0 deletions
diff --git a/source4/heimdal/doc/standardisation/draft-ietf-kitten-stackable-pseudo-mechs-01.txt b/source4/heimdal/doc/standardisation/draft-ietf-kitten-stackable-pseudo-mechs-01.txt
new file mode 100644
index 00000000000..c3c49e6d69d
--- /dev/null
+++ b/source4/heimdal/doc/standardisation/draft-ietf-kitten-stackable-pseudo-mechs-01.txt
@@ -0,0 +1,953 @@
+
+
+
+NETWORK WORKING GROUP N. Williams
+Internet-Draft Sun
+Expires: April 19, 2006 October 16, 2005
+
+
+ Stackable Generic Security Service Pseudo-Mechanisms
+ draft-ietf-kitten-stackable-pseudo-mechs-01.txt
+
+Status of this Memo
+
+ By submitting this Internet-Draft, each author represents that any
+ applicable patent or other IPR claims of which he or she is aware
+ have been or will be disclosed, and any of which he or she becomes
+ aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on April 19, 2006.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2005).
+
+Abstract
+
+ This document defines and formalizes the concept of stackable pseudo-
+ mechanisms, and associated concept of composite mechanisms, for the
+ Generic Security Service Application Programming Interface (GSS-API),
+ as well as several utility functions.
+
+ Stackable GSS-API pseudo-mechanisms allow for the composition of new
+ mechanisms that combine features from multiple mechanisms. Stackable
+ mechanisms that add support for Perfect Forward Security (PFS), data
+ compression, additional authentication factors, etc... are
+
+
+
+Williams Expires April 19, 2006 [Page 1]
+
+Internet-Draft Stackable GSS Mechs October 2005
+
+
+ facilitated by this document.
+
+
+Table of Contents
+
+ 1. Conventions used in this document . . . . . . . . . . . . 3
+ 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . 3
+ 2.1. Glossary . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 3. Mechanism Composition Issues . . . . . . . . . . . . . . . 4
+ 4. Mechanism Composition . . . . . . . . . . . . . . . . . . 5
+ 4.1. Construction of Composed Mechanism OIDs . . . . . . . . . 5
+ 4.2. Mechanism Composition Rules . . . . . . . . . . . . . . . 6
+ 4.3. Interfacing with Composite Mechanisms . . . . . . . . . . 7
+ 4.4. Compatibility with the Basic GSS-APIv2u1 Interfaces . . . 7
+ 4.5. Processing of Tokens for Composite Mechanisms . . . . . . 8
+ 5. New GSS-API Interfaces . . . . . . . . . . . . . . . . . . 8
+ 5.1. New GSS-API Function Interfaces . . . . . . . . . . . . . 9
+ 5.1.1. GSS_Compose_oid() . . . . . . . . . . . . . . . . . . . . 9
+ 5.1.2. GSS_Decompose_oid() . . . . . . . . . . . . . . . . . . . 10
+ 5.1.3. GSS_Release_oid() . . . . . . . . . . . . . . . . . . . . 10
+ 5.1.4. GSS_Indicate_negotiable_mechs() . . . . . . . . . . . . . 11
+ 5.1.5. GSS_Negotiate_mechs() . . . . . . . . . . . . . . . . . . 12
+ 5.1.6. C-Bindings . . . . . . . . . . . . . . . . . . . . . . . . 12
+ 6. Negotiation of Composite Mechanisms . . . . . . . . . . . 13
+ 6.1. Negotiation of Composite Mechanisms Through SPNEGO . . . . 14
+ 7. Requirements for Mechanism Designers . . . . . . . . . . . 14
+ 8. IANA Considerations . . . . . . . . . . . . . . . . . . . 14
+ 9. Security considerations . . . . . . . . . . . . . . . . . 14
+ 10. Normative . . . . . . . . . . . . . . . . . . . . . . . . 15
+ Author's Address . . . . . . . . . . . . . . . . . . . . . 16
+ Intellectual Property and Copyright Statements . . . . . . 17
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Williams Expires April 19, 2006 [Page 2]
+
+Internet-Draft Stackable GSS Mechs October 2005
+
+
+1. Conventions used in this document
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+
+2. Introduction
+
+ Recent discussions within the IETF have shown the need for a
+ refactoring of the features that GSS-API mechanisms may provide and a
+ way to compose new mechanisms from smaller components.
+
+ One way to do this is to "stack" multiple mechanisms on top of each
+ other such that the features of all of them are summed into a new,
+ composite mechanism.
+
+ One existing GSS-API mechanism, LIPKEY [LIPKEY], is essentially
+ stacked over another, SPKM-3 [LIPKEY] (although LIPKEY does not
+ conform to the stackable pseduo-mechanism framework described
+ herein).
+
+ The first truly stackable pseudo-mechanism proposed, CCM [CCM], is
+ intended for signalling, during negotiation of mechanisms, the
+ willingness of an initiator and/or acceptor to utilize channel
+ bindings
+
+ Since then other similar mechanism compositing needs and ideas have
+ come up, along with problems such as "what combinations are possible,
+ useful, reasonable and secure?" This document addresses those
+ problems. It introduces the concepts of stackable pseudo-mechanisms,
+ composite mechanisms and mechanism features or attributes, as well as
+ new inquiry and related interfaces to help in the mechanism
+ compositing.
+
+ (Mechanism features are more formally referred to as "mechanism
+ attributes" below. The terms "feature" and mechanism attribute" are
+ sometimes used interchangeably.)
+
+2.1. Glossary
+
+ Concrete GSS-API mechanism
+ A mechanism which can be used standalone. Examples include: the
+ Kerberos V mechanism [CFX], SPKM-1/2 [SPKM] and SPKM-3 [LIPKEY].
+
+ GSS-API Pseudo-mechanism
+ A mechanism which uses other mechanisms in the construction of its
+ context and/or per-message tokens and security contexts. SPNEGO
+
+
+
+Williams Expires April 19, 2006 [Page 3]
+
+Internet-Draft Stackable GSS Mechs October 2005
+
+
+ is an example of this.
+
+ Stackable GSS-API pseudo-mechanism
+ A mechanism which uses a single other mechanism in the
+ construction of its tokens such that the OID of the composite
+ result can be constructed by prepending the OID of the stackable
+ pseudo-mechanism to the OID of the mechanism to be used by it.
+
+ Mechanism-negotiation GSS-API pseudo-mechanism
+ A GSS-API mechanism that negotiates the use of GSS-API mechanisms.
+ SPNEGO [SPNEGO] is an example of this.
+
+
+3. Mechanism Composition Issues
+
+ Interfacing with composite mechanisms through the existing GSS-API
+ interfaces and the handling of composite mechanism tokens is
+ straightforward enough and described in Section 4.
+
+ However, the concepts of stackable and composite mechanisms do give
+ rise to several minor problems:
+
+ o How to determine allowable combinations of mechanisms;
+ o How to encode composite mechanism OIDs;
+ o How to decompose the OID of a composite mechanism and process its
+ tokens properly;
+ o Application interfacing issues such as:
+
+ * Whether and/or which composite mechanisms should be listed by
+ GSS_Indicate_mechs();
+ * Whether and/or which composite mechanisms not listed by
+ GSS_Indicate_mechs() may nonetheless be available for use by
+ applications and how applications can detect their
+ availability;
+ * What additional, if any, interfaces should be provided to help
+ applications select appropriate mechanisms;
+ o
+
+ Mechanism negotiation issues (related to the application interface
+ issues listed above), such as: vspace blankLines='1'/>
+ * Should applications advertise composite mechanisms in SPNEGO or
+ other application-specific mechanism negotiation contexts?
+ * Or should applications implicitly advertise composite
+ mechanisms by advertising concrete and stackable pseudo-
+ mechanisms in SPNEGO or other application-specific mechanism
+ negotiation contexts?
+
+ Section 4 addresses the OID composition, decomposition and encoding
+
+
+
+Williams Expires April 19, 2006 [Page 4]
+
+Internet-Draft Stackable GSS Mechs October 2005
+
+
+ issues, as well as basic interfacing and token handling issues.
+
+ Section 5 addresses interfacing issues more generally through the
+ specification of additional, optional APIs.
+
+ Section 6 addresses mechanism negotiation issues.
+
+
+4. Mechanism Composition
+
+ Mechanism composition by stacking pseudo-mechanisms on a concrete
+ mechanism is conceptually simple: join the OIDs of the several
+ mechanisms in question and process GSS-API tokens and routine calls
+ through the top-most pseudo-mechanism in a stack, which can then, if
+ necessary, recursively call the GSS-API to process any tokens for the
+ remainder of the stack.
+
+ Some stackable pseudo-mechanisms may do nothing more than perform
+ transformations on application data (e.g., compression); such pseudo-
+ mechanisms will generally chain the processing of tokens and routine
+ calls to the mechanisms below them in the stack.
+
+ Other stackable pseudo-mechanisms may utilize the mechanisms below
+ them only during security context setup. For example, a stackable
+ pseudo-mechanism could perform a Diffie-Hellman key exchange and
+ authenticate it by binding a security context established with the
+ mechanism stacked below it; such a mechanism would provide its own
+ per-message tokens.
+
+4.1. Construction of Composed Mechanism OIDs
+
+ Composition of mechanism OIDs is simple: prepend the OID of one
+ pseudo-mechanism to the OID of another mechanism (composite or
+ otherwise), but there MUST always be at least one final mechanism OID
+ and it MUST be useful standalone (i.e., it MUST NOT be a pseudo-
+ mechanism). A composite mechanism OID forms, essentially, a stack.
+
+ The encoding of composed mechanism OIDs is not quite the
+ concatenation of the component OIDs' encodings, however. This is
+ because the first two arcs of ASN.1 OIDs are encoded differently from
+ subsequent arcs (the first two arcs have a limited namespace and are
+ encoded as a single octet), so were composite mechanism OIDs to be
+ encoded as the concatenation of the component OIDs the result would
+ not decode as the concatenation of the component OIDs. To avoid this
+ problem the first two arcs of each component of a composite mechanism
+ OID, other than the leading component, will be encoded as other arcs
+ would.
+
+
+
+
+Williams Expires April 19, 2006 [Page 5]
+
+Internet-Draft Stackable GSS Mechs October 2005
+
+
+ Decomposition of composite mechanism OIDs is similar, with each
+ pseudo-mechanism in the stack being able to determine the OID suffix
+ from knowledge of its own OID(s).
+
+ New pseudo-mechanisms MAY be allocated OIDs from the prefix given
+ below as follows by assignment of a sub-string of OID arcs to be
+ appended to this prefix. This prefix OID is:
+
+ <TBD> [1.3.6.1.5.5.11 appears to be available, registration w/ IANA
+ TBD]
+
+ All OID allocations below this OID MUST be for stackable pseudo-
+ mechanisms and MUST consist of a single arc. This will make it
+ possible to decompose the OIDs of composite mechanisms without
+ necessarily knowing a priori the OIDs of the component stackable
+ pseudo-mechanisms.
+
+4.2. Mechanism Composition Rules
+
+ All new stackable pseudo-mechanisms MUST specify the rules for
+ determining whether they can stack above a given mechanism, composite
+ or otherwise. Such rules may be based on specific mechanism
+ attribute OID sets [EXTENDED-INQUIRY] and/or specific mechanism OIDs
+ (composite and otherwise).
+
+ All stackable pseudo-mechanisms MUST have the following mechanism
+ composition rule relating to unknown mechanism attributes:
+
+ o composition with mechanisms supporting unknown mechanism
+ attributes MUST NOT be permitted.
+
+ This rule protects against compositions which cannot be considered
+ today but which might nonetheless arise due to the introduction of
+ new mechanisms and which might turn out to be insecure or otherwise
+ undesirable.
+
+ Mechanism composition rules for stackable pseudo-mechanisms MAY and
+ SHOULD be updated as new GSS-API mechanism attributes and mechanisms
+ sporting them are introduced. The specifications of mechanisms that
+ introduce new mechanism attributes or which otherwise should not be
+ combined with others in ways which would be permitted under existing
+ rules SHOULD also update the mechanism composition rules of affected
+ pseudo-mechanisms.
+
+ A RECOMMENDED way to describe the stacking rules for stackable
+ mechanisms is as an ordered sequence of "MAY stack above X
+ mechanism," "REQUIRES Y mechanism feature(s)," "MUST NOT stack above
+ Z mechanism," and/or "MUST NOT stack above a mechanism with Z
+
+
+
+Williams Expires April 19, 2006 [Page 6]
+
+Internet-Draft Stackable GSS Mechs October 2005
+
+
+ mechanism feature(s)."
+
+ For example a stackable mechanism that provides its own per-msg
+ tokens and does not use the underlying mechnism's per-msg token
+ facilities might require a rule such as "MUST NOT stack above a
+ mechanism with the GSS_C_MA_COMPRESS mechanism feature."
+
+4.3. Interfacing with Composite Mechanisms
+
+ The basic GSS-API [RFC2743] interfaces MUST NOT accept as input or
+ provide as output the OID of any stackable pseudo-mechanism.
+ Composite mechanisms MUST be treated as concrete mechanisms by the
+ basic GSS-API interfaces [RFC2743].
+
+ Thus the way in which a composite mechanism is used by applications
+ with the basic GSS-API (version 2, update 1) is straightforward:
+ exactly as if composite mechanisms were normal GSS-API mechanisms.
+
+ This is facilitated by the fact that in all cases where the GSS-API
+ implementation might need to know how to process or create a token it
+ has the necessary contextual information, that is, the mechanism OID,
+ available and can decompose composite mechanism OIDs as necessary.
+
+ For example, for initial GSS_Init_sec_context() calls the
+ implementation knows the desired mechanism OID, and if it should be
+ left unspecified, it can pick a default mechanism given the initiator
+ credentials provided by the application (and if none are provided
+ other default mechanism and credential selections can still be made).
+ For subsequent calls to GSS_Init_sec_context() the implementation
+ knows which mechanism to use from the given [partially established]
+ security context. Similarly for GSS_Accept_sec_context, where on
+ initial calls the mechanism OID can be determined from the given
+ initial context token's framing.
+
+ The manner in which GSS-API implementations and the various
+ mechanisms and pseudo-mechanisms interface with one another is left
+ as an excercise to implementors.
+
+4.4. Compatibility with the Basic GSS-APIv2u1 Interfaces
+
+ In order to preserve backwards compatibility with applications that
+ use only the basic GSS-API interfaces (version 2, update 1), several
+ restrictions are imposed on the use of composite and stackable
+ pseduo-mechanisms with the basic GSS-API interfaces:
+
+ o GSS_Indicate_mechs() MUST NOT indicate support for any stackable
+ pseduo-mechanisms under any circumstance.
+ o GSS_Indicate_mechs() MAY indicate support for some, all or none of
+
+
+
+Williams Expires April 19, 2006 [Page 7]
+
+Internet-Draft Stackable GSS Mechs October 2005
+
+
+ the available composite mechanisms.
+ o Which composite mechanisms, if any, are indicated through
+ GSS_Indicate_mechs() SHOULD be configurable.
+ o Composite mechanisms which are not indicated by
+ GSS_Indicate_mechs() MUST NOT be considered as the default
+ mechanism (GSS_C_NULL_OID) or as part of the default mechanism set
+ (GSS_C_NULL_OID_SET).
+ o The OIDs of *stackable* (not composite) pseudo-mechanisms MUST NOT
+ be accepted as inputs or produced in the output of any of the
+ basic GSS-APIv2, update 1 API functions, except for any OID set
+ construction/iteration functions. And, if present in any OID SET
+ input parameters of GSS-APIv2, update 1 functions, they MUST be
+ ignored.
+ o The OIDs of *stackable* (not composite) pseudo-mechanisms MAY only
+ be used as inputs or produced as outputs of functions whose
+ specification explicitly allows for them or which are concerned
+ with the creation/iteration of OID containters, such as OID SETs.
+
+4.5. Processing of Tokens for Composite Mechanisms
+
+ The initial context token for any standard mechanism, including
+ mechanisms composited from standard pseudo- and concrete mechanisms,
+ MUST be encapsulated as described in section 3.1 of rfc2743
+ [RFC2743], and the OID used in that framing MUST be that of the
+ mechanism, but in the case of composite mechanisms this OID MUST be
+ the OID of the leading component of the composite mechanism.
+
+ Note that this has implications for pluggable multi-mechanism
+ implementations of the GSS-API, namely that acceptors must route
+ initial context tokens to the appropriate mechanism and they must
+ allow that mechanism to determine the composite mechanism OID (such
+ as by allowing that mechanism's GSS_Accept_sec_context() to output
+ the actual mechanism to the application.
+
+ In all other cases the mechanism that produced or is to produce a
+ given token can be determined internally through the given security
+ context.
+
+
+5. New GSS-API Interfaces
+
+ ...
+
+ Utility functions for mechanism OID composition and decomposition are
+ given in sections 5.1.1, 5.1.2 and 5.1.3.
+
+ Two utility functions, GSS_Indicate_negotiable_mechs() and
+ GSS_Negotiate_mechs(), to aid applications in mechanism negotiation
+
+
+
+Williams Expires April 19, 2006 [Page 8]
+
+Internet-Draft Stackable GSS Mechs October 2005
+
+
+ are described in sections 5.1.4 and 5.1.5. These two interfaces may
+ be implemented entirely in terms of the other interfaces described
+ herein.
+
+5.1. New GSS-API Function Interfaces
+
+ Several new interfaces are given by which, for example, GSS-API
+ applications may determine what features are provided by a given
+ mechanism, what mechanisms provide what features and what
+ compositions are legal.
+
+ These new interfaces are all OPTIONAL.
+
+ In order to preserve backwards compatibility with applications that
+ do not use the new interfaces GSS_Indicate_mechs() MUST NOT indicate
+ support for any stackable pseduo-mechanisms. GSS_Indicate_mechs()
+ MAY indicate support for some, all or none of the available composite
+ mechanisms; which composite mechanisms, if any, are indicated through
+ GSS_Indicate_mechs() SHOULD be configurable. GSS_Acquire_cred() and
+ GSS_Add_cred() MUST NOT create credentials for composite mechanisms
+ not explicitly requested or, if no desired mechanism or mechanisms
+ are given, for composite mechanisms not indicated by
+ GSS_Indicate_mechs().
+
+ Applications SHOULD use GSS_Indicate_mechs_by_mech_attrs() instead of
+ GSS_Indicate_mechs() wherever possible.
+
+ Applications can use GSS_Indicate_mechs_by_mech_attrs() to determine
+ what, if any, mechanisms provide a given set of features.
+
+ GSS_Indicate_mechs_by_mech_attrs() can also be used to indicate (as
+ in GSS_Indicate_mechs()) the set of available mechanisms of each type
+ (concrete, mechanism negotiation pseudo-mechanism, stackable pseudo-
+ mechanism and composite mechanisms).
+
+ Applications may use GSS_Inquire_mech_attrs_for_mech() to test
+ whether a given composite mechanism is available and the set of
+ features that it offers.
+
+ GSS_Negotiate_mechs() may be used to negotiate the use of mechanisms
+ such that composite mechanisms need not be advertised but instead be
+ implied by offering stackable pseudo-mechanisms.
+
+5.1.1. GSS_Compose_oid()
+
+ Inputs:
+ o mech1 OBJECT IDENTIFIER, -- mechanism OID
+ o mech2 OBJECT IDENTIFIER -- mechanism OID
+
+
+
+Williams Expires April 19, 2006 [Page 9]
+
+Internet-Draft Stackable GSS Mechs October 2005
+
+
+ Outputs:
+ o major_status INTEGER,
+ o minor_status INTEGER,
+ o composite OBJECT IDENTIFIER -- OID composition of mech1 with mech2
+ ({mech1 mech2})
+
+ Return major_status codes:
+ o GSS_S_COMPLETE indicates success.
+ o GSS_S_BAD_MECH indicates that mech1 is not supported.
+ o GSS_S_FAILURE indicates that the request failed for some other
+ reason. The minor status will be specific to mech1 and may
+ provide further information.
+
+5.1.2. GSS_Decompose_oid()
+
+ Inputs:
+ o input_mech OBJECT IDENTIFIER, -- mechanism OID.
+ o mechs SET OF OBJECT IDENTIFIER -- mechanism OIDs (if
+ GSS_C_NULL_OID_SET defaults to the set of stackable pseudo-
+ mechanism OIDs indicated by GSS_Indicate_mechs_by_mech_attrs()).
+
+ Outputs:
+ o major_status INTEGER,
+ o minor_status INTEGER,
+ o lead_mech OBJECT IDENTIFIER, -- leading stackable pseudo-
+ mechanism OID.
+ o trail_mech OBJECT IDENTIFIER -- input_mech with lead_mech removed
+ from the front.
+
+ Return major_status codes:
+ o GSS_S_COMPLETE indicates success.
+ o GSS_S_BAD_MECH indicates that the input_mech could not be
+ decomposed as no stackable pseudo-mechanism is available whose OID
+ is a prefix of the input_mech.
+ o GSS_S_FAILURE indicates that the request failed for some other
+ reason.
+
+5.1.3. GSS_Release_oid()
+
+ The following text is adapted from the obsoleted rfc2078 [RFC2078].
+
+ Inputs:
+ o oid OBJECT IDENTIFIER
+
+ Outputs:
+ o major_status INTEGER,
+ o minor_status INTEGER
+
+
+
+
+Williams Expires April 19, 2006 [Page 10]
+
+Internet-Draft Stackable GSS Mechs October 2005
+
+
+ Return major_status codes:
+ o GSS_S_COMPLETE indicates successful completion
+ o GSS_S_FAILURE indicates that the operation failed
+
+ Allows the caller to release the storage associated with an OBJECT
+ IDENTIFIER buffer allocated by another GSS-API call, specifically
+ GSS_Compose_oid() and GSS_Decompose_oid(). This call's specific
+ behavior depends on the language and programming environment within
+ which a GSS-API implementation operates, and is therefore detailed
+ within applicable bindings specifications; in particular, this call
+ may be superfluous within bindings where memory management is
+ automatic.
+
+5.1.4. GSS_Indicate_negotiable_mechs()
+
+ Inputs:
+ o input_cred_handle CREDENTIAL HANDLE, -- credential handle to be
+ used with GSS_Init_sec_context(); may be GSS_C_NO_CREDENTIAL.
+ o peer_type_known BOOLEAN, -- indicates whether the peer is known to
+ support or not supprot the stackable pseudo-mechanism framework.
+ o peer_has_mech_stacking BOOLEAN -- indicates whether the peer
+ supports the stackable pseudo-mechanism framework; ignore if
+ peer_type_known is FALSE.
+
+ Outputs:
+ o major_status INTEGER,
+ o minor_status INTEGER,
+ o offer_mechs SET OF OBJECT IDENTIFIER, -- mechanisms to offer.
+
+ Return major_status codes:
+ o GSS_S_COMPLETE indicates success.
+ o GSS_S_NO_CREDENTIAL indicates that the caller's credentials are
+ expired or, if input_cred_handle is GSS_C_NO_CREDENTIAL, that no
+ credentials could be acquired for GSS_C_NO_NAME.
+ o GSS_S_FAILURE indicates that the request failed for some other
+ reason.
+
+ This function produces a set of mechanism OIDs, optimized for space,
+ that its caller should advertise to peers during mechanism
+ negotiation.
+
+ The output offer_mechs parameter will include all of the mechanisms
+ for which the input_cred_handle has elements (as indicated by
+ GSS_Inquire_cred()), but composite mechanisms will be included either
+ implicitly or implicitly as per the following rules:
+ o if peer_type_known is TRUE and peer_has_mech_stacking is FALSE
+ then no composite mechanisms not indicated by GSS_Indicate_mechs()
+ will be advertised, explictly or implicitly;
+
+
+
+Williams Expires April 19, 2006 [Page 11]
+
+Internet-Draft Stackable GSS Mechs October 2005
+
+
+ o if peer_type_known is FALSE then all composite mechanisms
+ indicated by GSS_Indicate_mechs() for which input_cred_handle has
+ elements will be indicated in offer_mechs explicitly and all
+ others may be indicated in offer_mechs implicitly, by including
+ their component stackable pseduo-mechanism OIDs (see below);
+ o if peer_type_known is TRUE and peer_has_mech_stacking is TRUE
+ composite mechanisms will generally not be advertised explicitly,
+ but will be advertised implicitly, by including their component
+ stackable pseduo-mechanism OIDs (see below); no composite
+ mechanisms will be advertised explicitly
+ o if the input_cred_handle does not have elements for all of the
+ possible composite mechanisms that could be constructed from the
+ its elements' decomposed mechanisms, then all composite mechanisms
+ for which the input_cred_handle does have elements will be
+ advertised explicitly in offer_mechs.
+
+5.1.5. GSS_Negotiate_mechs()
+
+ Inputs:
+ o input_credential_handle CREDENTIAL HANDLE, -- mechanisms offered
+ by the caller.
+ o peer_mechs SET OF OBJECT IDENTIFIER -- mechanisms offered by the
+ caller's peer.
+
+ Outputs:
+ o major_status INTEGER,
+ o minor_status INTEGER,
+ o mechs SET OF OBJECT IDENTIFIER -- mechanisms common to the
+ caller's credentials and the caller's peer.
+
+ Return major_status codes:
+ o GSS_S_COMPLETE indicates success; the output mechs parameter MAY
+ be the empty set (GSS_C_NO_OID_SET).
+ o GSS_S_NO_CREDENTIAL indicates that the caller's credentials are
+ expired or, if input_cred_handle is GSS_C_NO_CREDENTIAL, that no
+ credentials could be acquired for GSS_C_NO_NAME.
+ o GSS_S_FAILURE indicates that the request failed for some other
+ reason.
+
+ This function matches the mechanisms for which the caller has
+ credentials with the mechanisms offered by the caller's peer and
+ returns the set of mechanisms in common to both, accounting for any
+ composite mechanisms offered by the peer implicitly.
+
+5.1.6. C-Bindings
+
+
+ OM_uint32 gss_compose_oid(
+
+
+
+Williams Expires April 19, 2006 [Page 12]
+
+Internet-Draft Stackable GSS Mechs October 2005
+
+
+ OM_uint32 *minor_status,
+ const gss_OID mech1,
+ const gss_OID mech2,
+ gss_OID *composite);
+
+ OM_uint32 gss_decompose_oid(
+ OM_uint32 *minor_status,
+ const gss_OID input_mech,
+ const gss_OID_set mechs,
+ gss_OID *lead_mech,
+ gss_OID *trail_mech);
+
+ OM_uint32 gss_release_oid(
+ OM_uint32 *minor_status,
+ gss_OID *oid);
+
+ OM_uint32 gss_indicate_negotiable_mechs(
+ OM_uint32 *minor_status,
+ const gss_cred_id_t input_cred_handle,
+ OM_uint32 peer_type_known,
+ OM_uint32 peer_has_mech_stacking,
+ gss_OID_set *offer_mechs);
+
+ OM_uint32 gss_negotiate_mechs(
+ OM_uint32 *minor_status,
+ const gss_cred_id_t input_cred_handle,
+ const gss_OID_set peer_mechs,
+ const gss_OID_set *mechs);
+
+
+ Figure 1
+
+
+6. Negotiation of Composite Mechanisms
+
+ Where GSS-API implementations do not support the stackable mechanism
+ framework interfaces applications may only negotiate explicitly from
+ a set of concrete and composite mechanism OIDs as indicated by
+ GSS_Indicate_mechs() and for which suitable credentials are
+ available. GSS_Indicate_mechs(), as described in Section 4.4, MUST
+ NOT indicate support for individual stackable pseudo-mechanisms, so
+ there will not be any composite mechanisms implied but not explicitly
+ offered in the mechanism negotiation.
+
+ Applications that support the stackable mechanism framework SHOULD
+ use GSS_Indicate_negotiable_mechs() to construct the set of mechanism
+ OIDs to offer to their peers. GSS_Indicate_negotiable_mechs()
+ optimizes for bandwidth consumption by using decomposed OIDs instead
+
+
+
+Williams Expires April 19, 2006 [Page 13]
+
+Internet-Draft Stackable GSS Mechs October 2005
+
+
+ of composed OIDs, where possible. See Section 5.1.4.
+
+ Peers that support the stackable mechanism framework interfaces
+ SHOULD use GSS_Negotiate_mechs() to select a mechanism as that
+ routine accounts for composite mechanisms implicit in the mechanism
+ offers.
+
+6.1. Negotiation of Composite Mechanisms Through SPNEGO
+
+ SPNEGO applications MUST advertise either the set of mechanism OIDs
+ for which they have suitable credentials or the set of mechanism OIDs
+ produced by calling GSS_Indicate_negotiable_mechs() with the
+ available credentials and the peer_type_known parameter as FALSE.
+
+
+7. Requirements for Mechanism Designers
+
+ Stackable pseudo-mechanisms specifications MUST:
+ o list the set of GSS-API mechanism attributes associated with them
+ o list their initial mechanism composition rules
+ o specify a mechanism for updating their mechanism composition rules
+
+ All other mechanism specifications MUST:
+ o list the set of GSS-API mechanism attributes associated with them
+
+
+8. IANA Considerations
+
+ Allocation of arcs in the namespace of OIDs relative to the base
+ stackable pseduo-mechanism OID specified in Section 4.1 is reserved
+ to the IANA.
+
+
+9. Security considerations
+
+ Some composite mechanisms may well not be secure. The mechanism
+ composition rules of pseudo-mechanisms (including the default
+ composition rule given in Section 4 for unknown mechanism attributes)
+ should be used to prevent the use of unsafe composite mechanisms.
+
+ Designers of pseudo-mechanisms should study the possible combinations
+ of their mechanisms with others and design mechanism composition
+ rules accordingly.
+
+ Similarly, pseudo-mechanism designers MUST specify, and implementors
+ MUST implement, composite mechanism attribute set determination rules
+ appropriate to the subject pseduo-mechanism, as described in section
+ 4.2. Failure to do so may lead to inappropriate composite mechanisms
+
+
+
+Williams Expires April 19, 2006 [Page 14]
+
+Internet-Draft Stackable GSS Mechs October 2005
+
+
+ being deemed permissible by programmatic application of flawed
+ mechanism composition rules or to by their application with incorrect
+ mechanism attribute sets.
+
+10. Normative
+
+ [EXTENDED-INQUIRY]
+ Williams, N., "Extended Generic Security Service Mechanism
+ Inquiry APIs",
+ draft-ietf-kitten-extended-mech-inquiry-00.txt (work in
+ progress).
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2743] Linn, J., "Generic Security Service Application Program
+ Interface Version 2, Update 1", RFC 2743, January 2000.
+
+ [RFC2744] Wray, J., "Generic Security Service API Version 2 :
+ C-bindings", RFC 2744, January 2000.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Williams Expires April 19, 2006 [Page 15]
+
+Internet-Draft Stackable GSS Mechs October 2005
+
+
+Author's Address
+
+ Nicolas Williams
+ Sun Microsystems
+ 5300 Riata Trace Ct
+ Austin, TX 78727
+ US
+
+ Email: Nicolas.Williams@sun.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Williams Expires April 19, 2006 [Page 16]
+
+Internet-Draft Stackable GSS Mechs October 2005
+
+
+Intellectual Property Statement
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+
+Disclaimer of Validity
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Copyright Statement
+
+ Copyright (C) The Internet Society (2005). This document is subject
+ to the rights, licenses and restrictions contained in BCP 78, and
+ except as set forth therein, the authors retain all their rights.
+
+
+Acknowledgment
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+Williams Expires April 19, 2006 [Page 17]
+
+
View Lorry Controller Status