1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
|
NETWORK WORKING GROUP N. Williams
Internet-Draft Sun
Expires: April 19, 2006 October 16, 2005
Stackable Generic Security Service Pseudo-Mechanisms
draft-ietf-kitten-stackable-pseudo-mechs-01.txt
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 19, 2006.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
This document defines and formalizes the concept of stackable pseudo-
mechanisms, and associated concept of composite mechanisms, for the
Generic Security Service Application Programming Interface (GSS-API),
as well as several utility functions.
Stackable GSS-API pseudo-mechanisms allow for the composition of new
mechanisms that combine features from multiple mechanisms. Stackable
mechanisms that add support for Perfect Forward Security (PFS), data
compression, additional authentication factors, etc... are
Williams Expires April 19, 2006 [Page 1]
�
Internet-Draft Stackable GSS Mechs October 2005
facilitated by this document.
Table of Contents
1. Conventions used in this document . . . . . . . . . . . . 3
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Glossary . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Mechanism Composition Issues . . . . . . . . . . . . . . . 4
4. Mechanism Composition . . . . . . . . . . . . . . . . . . 5
4.1. Construction of Composed Mechanism OIDs . . . . . . . . . 5
4.2. Mechanism Composition Rules . . . . . . . . . . . . . . . 6
4.3. Interfacing with Composite Mechanisms . . . . . . . . . . 7
4.4. Compatibility with the Basic GSS-APIv2u1 Interfaces . . . 7
4.5. Processing of Tokens for Composite Mechanisms . . . . . . 8
5. New GSS-API Interfaces . . . . . . . . . . . . . . . . . . 8
5.1. New GSS-API Function Interfaces . . . . . . . . . . . . . 9
5.1.1. GSS_Compose_oid() . . . . . . . . . . . . . . . . . . . . 9
5.1.2. GSS_Decompose_oid() . . . . . . . . . . . . . . . . . . . 10
5.1.3. GSS_Release_oid() . . . . . . . . . . . . . . . . . . . . 10
5.1.4. GSS_Indicate_negotiable_mechs() . . . . . . . . . . . . . 11
5.1.5. GSS_Negotiate_mechs() . . . . . . . . . . . . . . . . . . 12
5.1.6. C-Bindings . . . . . . . . . . . . . . . . . . . . . . . . 12
6. Negotiation of Composite Mechanisms . . . . . . . . . . . 13
6.1. Negotiation of Composite Mechanisms Through SPNEGO . . . . 14
7. Requirements for Mechanism Designers . . . . . . . . . . . 14
8. IANA Considerations . . . . . . . . . . . . . . . . . . . 14
9. Security considerations . . . . . . . . . . . . . . . . . 14
10. Normative . . . . . . . . . . . . . . . . . . . . . . . . 15
Author's Address . . . . . . . . . . . . . . . . . . . . . 16
Intellectual Property and Copyright Statements . . . . . . 17
Williams Expires April 19, 2006 [Page 2]
�
Internet-Draft Stackable GSS Mechs October 2005
1. Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2. Introduction
Recent discussions within the IETF have shown the need for a
refactoring of the features that GSS-API mechanisms may provide and a
way to compose new mechanisms from smaller components.
One way to do this is to "stack" multiple mechanisms on top of each
other such that the features of all of them are summed into a new,
composite mechanism.
One existing GSS-API mechanism, LIPKEY [LIPKEY], is essentially
stacked over another, SPKM-3 [LIPKEY] (although LIPKEY does not
conform to the stackable pseduo-mechanism framework described
herein).
The first truly stackable pseudo-mechanism proposed, CCM [CCM], is
intended for signalling, during negotiation of mechanisms, the
willingness of an initiator and/or acceptor to utilize channel
bindings
Since then other similar mechanism compositing needs and ideas have
come up, along with problems such as "what combinations are possible,
useful, reasonable and secure?" This document addresses those
problems. It introduces the concepts of stackable pseudo-mechanisms,
composite mechanisms and mechanism features or attributes, as well as
new inquiry and related interfaces to help in the mechanism
compositing.
(Mechanism features are more formally referred to as "mechanism
attributes" below. The terms "feature" and mechanism attribute" are
sometimes used interchangeably.)
2.1. Glossary
Concrete GSS-API mechanism
A mechanism which can be used standalone. Examples include: the
Kerberos V mechanism [CFX], SPKM-1/2 [SPKM] and SPKM-3 [LIPKEY].
GSS-API Pseudo-mechanism
A mechanism which uses other mechanisms in the construction of its
context and/or per-message tokens and security contexts. SPNEGO
Williams Expires April 19, 2006 [Page 3]
�
Internet-Draft Stackable GSS Mechs October 2005
is an example of this.
Stackable GSS-API pseudo-mechanism
A mechanism which uses a single other mechanism in the
construction of its tokens such that the OID of the composite
result can be constructed by prepending the OID of the stackable
pseudo-mechanism to the OID of the mechanism to be used by it.
Mechanism-negotiation GSS-API pseudo-mechanism
A GSS-API mechanism that negotiates the use of GSS-API mechanisms.
SPNEGO [SPNEGO] is an example of this.
3. Mechanism Composition Issues
Interfacing with composite mechanisms through the existing GSS-API
interfaces and the handling of composite mechanism tokens is
straightforward enough and described in Section 4.
However, the concepts of stackable and composite mechanisms do give
rise to several minor problems:
o How to determine allowable combinations of mechanisms;
o How to encode composite mechanism OIDs;
o How to decompose the OID of a composite mechanism and process its
tokens properly;
o Application interfacing issues such as:
* Whether and/or which composite mechanisms should be listed by
GSS_Indicate_mechs();
* Whether and/or which composite mechanisms not listed by
GSS_Indicate_mechs() may nonetheless be available for use by
applications and how applications can detect their
availability;
* What additional, if any, interfaces should be provided to help
applications select appropriate mechanisms;
o
Mechanism negotiation issues (related to the application interface
issues listed above), such as: vspace blankLines='1'/>
* Should applications advertise composite mechanisms in SPNEGO or
other application-specific mechanism negotiation contexts?
* Or should applications implicitly advertise composite
mechanisms by advertising concrete and stackable pseudo-
mechanisms in SPNEGO or other application-specific mechanism
negotiation contexts?
Section 4 addresses the OID composition, decomposition and encoding
Williams Expires April 19, 2006 [Page 4]
�
Internet-Draft Stackable GSS Mechs October 2005
issues, as well as basic interfacing and token handling issues.
Section 5 addresses interfacing issues more generally through the
specification of additional, optional APIs.
Section 6 addresses mechanism negotiation issues.
4. Mechanism Composition
Mechanism composition by stacking pseudo-mechanisms on a concrete
mechanism is conceptually simple: join the OIDs of the several
mechanisms in question and process GSS-API tokens and routine calls
through the top-most pseudo-mechanism in a stack, which can then, if
necessary, recursively call the GSS-API to process any tokens for the
remainder of the stack.
Some stackable pseudo-mechanisms may do nothing more than perform
transformations on application data (e.g., compression); such pseudo-
mechanisms will generally chain the processing of tokens and routine
calls to the mechanisms below them in the stack.
Other stackable pseudo-mechanisms may utilize the mechanisms below
them only during security context setup. For example, a stackable
pseudo-mechanism could perform a Diffie-Hellman key exchange and
authenticate it by binding a security context established with the
mechanism stacked below it; such a mechanism would provide its own
per-message tokens.
4.1. Construction of Composed Mechanism OIDs
Composition of mechanism OIDs is simple: prepend the OID of one
pseudo-mechanism to the OID of another mechanism (composite or
otherwise), but there MUST always be at least one final mechanism OID
and it MUST be useful standalone (i.e., it MUST NOT be a pseudo-
mechanism). A composite mechanism OID forms, essentially, a stack.
The encoding of composed mechanism OIDs is not quite the
concatenation of the component OIDs' encodings, however. This is
because the first two arcs of ASN.1 OIDs are encoded differently from
subsequent arcs (the first two arcs have a limited namespace and are
encoded as a single octet), so were composite mechanism OIDs to be
encoded as the concatenation of the component OIDs the result would
not decode as the concatenation of the component OIDs. To avoid this
problem the first two arcs of each component of a composite mechanism
OID, other than the leading component, will be encoded as other arcs
would.
Williams Expires April 19, 2006 [Page 5]
�
Internet-Draft Stackable GSS Mechs October 2005
Decomposition of composite mechanism OIDs is similar, with each
pseudo-mechanism in the stack being able to determine the OID suffix
from knowledge of its own OID(s).
New pseudo-mechanisms MAY be allocated OIDs from the prefix given
below as follows by assignment of a sub-string of OID arcs to be
appended to this prefix. This prefix OID is:
<TBD> [1.3.6.1.5.5.11 appears to be available, registration w/ IANA
TBD]
All OID allocations below this OID MUST be for stackable pseudo-
mechanisms and MUST consist of a single arc. This will make it
possible to decompose the OIDs of composite mechanisms without
necessarily knowing a priori the OIDs of the component stackable
pseudo-mechanisms.
4.2. Mechanism Composition Rules
All new stackable pseudo-mechanisms MUST specify the rules for
determining whether they can stack above a given mechanism, composite
or otherwise. Such rules may be based on specific mechanism
attribute OID sets [EXTENDED-INQUIRY] and/or specific mechanism OIDs
(composite and otherwise).
All stackable pseudo-mechanisms MUST have the following mechanism
composition rule relating to unknown mechanism attributes:
o composition with mechanisms supporting unknown mechanism
attributes MUST NOT be permitted.
This rule protects against compositions which cannot be considered
today but which might nonetheless arise due to the introduction of
new mechanisms and which might turn out to be insecure or otherwise
undesirable.
Mechanism composition rules for stackable pseudo-mechanisms MAY and
SHOULD be updated as new GSS-API mechanism attributes and mechanisms
sporting them are introduced. The specifications of mechanisms that
introduce new mechanism attributes or which otherwise should not be
combined with others in ways which would be permitted under existing
rules SHOULD also update the mechanism composition rules of affected
pseudo-mechanisms.
A RECOMMENDED way to describe the stacking rules for stackable
mechanisms is as an ordered sequence of "MAY stack above X
mechanism," "REQUIRES Y mechanism feature(s)," "MUST NOT stack above
Z mechanism," and/or "MUST NOT stack above a mechanism with Z
Williams Expires April 19, 2006 [Page 6]
�
Internet-Draft Stackable GSS Mechs October 2005
mechanism feature(s)."
For example a stackable mechanism that provides its own per-msg
tokens and does not use the underlying mechnism's per-msg token
facilities might require a rule such as "MUST NOT stack above a
mechanism with the GSS_C_MA_COMPRESS mechanism feature."
4.3. Interfacing with Composite Mechanisms
The basic GSS-API [RFC2743] interfaces MUST NOT accept as input or
provide as output the OID of any stackable pseudo-mechanism.
Composite mechanisms MUST be treated as concrete mechanisms by the
basic GSS-API interfaces [RFC2743].
Thus the way in which a composite mechanism is used by applications
with the basic GSS-API (version 2, update 1) is straightforward:
exactly as if composite mechanisms were normal GSS-API mechanisms.
This is facilitated by the fact that in all cases where the GSS-API
implementation might need to know how to process or create a token it
has the necessary contextual information, that is, the mechanism OID,
available and can decompose composite mechanism OIDs as necessary.
For example, for initial GSS_Init_sec_context() calls the
implementation knows the desired mechanism OID, and if it should be
left unspecified, it can pick a default mechanism given the initiator
credentials provided by the application (and if none are provided
other default mechanism and credential selections can still be made).
For subsequent calls to GSS_Init_sec_context() the implementation
knows which mechanism to use from the given [partially established]
security context. Similarly for GSS_Accept_sec_context, where on
initial calls the mechanism OID can be determined from the given
initial context token's framing.
The manner in which GSS-API implementations and the various
mechanisms and pseudo-mechanisms interface with one another is left
as an excercise to implementors.
4.4. Compatibility with the Basic GSS-APIv2u1 Interfaces
In order to preserve backwards compatibility with applications that
use only the basic GSS-API interfaces (version 2, update 1), several
restrictions are imposed on the use of composite and stackable
pseduo-mechanisms with the basic GSS-API interfaces:
o GSS_Indicate_mechs() MUST NOT indicate support for any stackable
pseduo-mechanisms under any circumstance.
o GSS_Indicate_mechs() MAY indicate support for some, all or none of
Williams Expires April 19, 2006 [Page 7]
�
Internet-Draft Stackable GSS Mechs October 2005
the available composite mechanisms.
o Which composite mechanisms, if any, are indicated through
GSS_Indicate_mechs() SHOULD be configurable.
o Composite mechanisms which are not indicated by
GSS_Indicate_mechs() MUST NOT be considered as the default
mechanism (GSS_C_NULL_OID) or as part of the default mechanism set
(GSS_C_NULL_OID_SET).
o The OIDs of *stackable* (not composite) pseudo-mechanisms MUST NOT
be accepted as inputs or produced in the output of any of the
basic GSS-APIv2, update 1 API functions, except for any OID set
construction/iteration functions. And, if present in any OID SET
input parameters of GSS-APIv2, update 1 functions, they MUST be
ignored.
o The OIDs of *stackable* (not composite) pseudo-mechanisms MAY only
be used as inputs or produced as outputs of functions whose
specification explicitly allows for them or which are concerned
with the creation/iteration of OID containters, such as OID SETs.
4.5. Processing of Tokens for Composite Mechanisms
The initial context token for any standard mechanism, including
mechanisms composited from standard pseudo- and concrete mechanisms,
MUST be encapsulated as described in section 3.1 of rfc2743
[RFC2743], and the OID used in that framing MUST be that of the
mechanism, but in the case of composite mechanisms this OID MUST be
the OID of the leading component of the composite mechanism.
Note that this has implications for pluggable multi-mechanism
implementations of the GSS-API, namely that acceptors must route
initial context tokens to the appropriate mechanism and they must
allow that mechanism to determine the composite mechanism OID (such
as by allowing that mechanism's GSS_Accept_sec_context() to output
the actual mechanism to the application.
In all other cases the mechanism that produced or is to produce a
given token can be determined internally through the given security
context.
5. New GSS-API Interfaces
...
Utility functions for mechanism OID composition and decomposition are
given in sections 5.1.1, 5.1.2 and 5.1.3.
Two utility functions, GSS_Indicate_negotiable_mechs() and
GSS_Negotiate_mechs(), to aid applications in mechanism negotiation
Williams Expires April 19, 2006 [Page 8]
�
Internet-Draft Stackable GSS Mechs October 2005
are described in sections 5.1.4 and 5.1.5. These two interfaces may
be implemented entirely in terms of the other interfaces described
herein.
5.1. New GSS-API Function Interfaces
Several new interfaces are given by which, for example, GSS-API
applications may determine what features are provided by a given
mechanism, what mechanisms provide what features and what
compositions are legal.
These new interfaces are all OPTIONAL.
In order to preserve backwards compatibility with applications that
do not use the new interfaces GSS_Indicate_mechs() MUST NOT indicate
support for any stackable pseduo-mechanisms. GSS_Indicate_mechs()
MAY indicate support for some, all or none of the available composite
mechanisms; which composite mechanisms, if any, are indicated through
GSS_Indicate_mechs() SHOULD be configurable. GSS_Acquire_cred() and
GSS_Add_cred() MUST NOT create credentials for composite mechanisms
not explicitly requested or, if no desired mechanism or mechanisms
are given, for composite mechanisms not indicated by
GSS_Indicate_mechs().
Applications SHOULD use GSS_Indicate_mechs_by_mech_attrs() instead of
GSS_Indicate_mechs() wherever possible.
Applications can use GSS_Indicate_mechs_by_mech_attrs() to determine
what, if any, mechanisms provide a given set of features.
GSS_Indicate_mechs_by_mech_attrs() can also be used to indicate (as
in GSS_Indicate_mechs()) the set of available mechanisms of each type
(concrete, mechanism negotiation pseudo-mechanism, stackable pseudo-
mechanism and composite mechanisms).
Applications may use GSS_Inquire_mech_attrs_for_mech() to test
whether a given composite mechanism is available and the set of
features that it offers.
GSS_Negotiate_mechs() may be used to negotiate the use of mechanisms
such that composite mechanisms need not be advertised but instead be
implied by offering stackable pseudo-mechanisms.
5.1.1. GSS_Compose_oid()
Inputs:
o mech1 OBJECT IDENTIFIER, -- mechanism OID
o mech2 OBJECT IDENTIFIER -- mechanism OID
Williams Expires April 19, 2006 [Page 9]
�
Internet-Draft Stackable GSS Mechs October 2005
Outputs:
o major_status INTEGER,
o minor_status INTEGER,
o composite OBJECT IDENTIFIER -- OID composition of mech1 with mech2
({mech1 mech2})
Return major_status codes:
o GSS_S_COMPLETE indicates success.
o GSS_S_BAD_MECH indicates that mech1 is not supported.
o GSS_S_FAILURE indicates that the request failed for some other
reason. The minor status will be specific to mech1 and may
provide further information.
5.1.2. GSS_Decompose_oid()
Inputs:
o input_mech OBJECT IDENTIFIER, -- mechanism OID.
o mechs SET OF OBJECT IDENTIFIER -- mechanism OIDs (if
GSS_C_NULL_OID_SET defaults to the set of stackable pseudo-
mechanism OIDs indicated by GSS_Indicate_mechs_by_mech_attrs()).
Outputs:
o major_status INTEGER,
o minor_status INTEGER,
o lead_mech OBJECT IDENTIFIER, -- leading stackable pseudo-
mechanism OID.
o trail_mech OBJECT IDENTIFIER -- input_mech with lead_mech removed
from the front.
Return major_status codes:
o GSS_S_COMPLETE indicates success.
o GSS_S_BAD_MECH indicates that the input_mech could not be
decomposed as no stackable pseudo-mechanism is available whose OID
is a prefix of the input_mech.
o GSS_S_FAILURE indicates that the request failed for some other
reason.
5.1.3. GSS_Release_oid()
The following text is adapted from the obsoleted rfc2078 [RFC2078].
Inputs:
o oid OBJECT IDENTIFIER
Outputs:
o major_status INTEGER,
o minor_status INTEGER
Williams Expires April 19, 2006 [Page 10]
�
Internet-Draft Stackable GSS Mechs October 2005
Return major_status codes:
o GSS_S_COMPLETE indicates successful completion
o GSS_S_FAILURE indicates that the operation failed
Allows the caller to release the storage associated with an OBJECT
IDENTIFIER buffer allocated by another GSS-API call, specifically
GSS_Compose_oid() and GSS_Decompose_oid(). This call's specific
behavior depends on the language and programming environment within
which a GSS-API implementation operates, and is therefore detailed
within applicable bindings specifications; in particular, this call
may be superfluous within bindings where memory management is
automatic.
5.1.4. GSS_Indicate_negotiable_mechs()
Inputs:
o input_cred_handle CREDENTIAL HANDLE, -- credential handle to be
used with GSS_Init_sec_context(); may be GSS_C_NO_CREDENTIAL.
o peer_type_known BOOLEAN, -- indicates whether the peer is known to
support or not supprot the stackable pseudo-mechanism framework.
o peer_has_mech_stacking BOOLEAN -- indicates whether the peer
supports the stackable pseudo-mechanism framework; ignore if
peer_type_known is FALSE.
Outputs:
o major_status INTEGER,
o minor_status INTEGER,
o offer_mechs SET OF OBJECT IDENTIFIER, -- mechanisms to offer.
Return major_status codes:
o GSS_S_COMPLETE indicates success.
o GSS_S_NO_CREDENTIAL indicates that the caller's credentials are
expired or, if input_cred_handle is GSS_C_NO_CREDENTIAL, that no
credentials could be acquired for GSS_C_NO_NAME.
o GSS_S_FAILURE indicates that the request failed for some other
reason.
This function produces a set of mechanism OIDs, optimized for space,
that its caller should advertise to peers during mechanism
negotiation.
The output offer_mechs parameter will include all of the mechanisms
for which the input_cred_handle has elements (as indicated by
GSS_Inquire_cred()), but composite mechanisms will be included either
implicitly or implicitly as per the following rules:
o if peer_type_known is TRUE and peer_has_mech_stacking is FALSE
then no composite mechanisms not indicated by GSS_Indicate_mechs()
will be advertised, explictly or implicitly;
Williams Expires April 19, 2006 [Page 11]
�
Internet-Draft Stackable GSS Mechs October 2005
o if peer_type_known is FALSE then all composite mechanisms
indicated by GSS_Indicate_mechs() for which input_cred_handle has
elements will be indicated in offer_mechs explicitly and all
others may be indicated in offer_mechs implicitly, by including
their component stackable pseduo-mechanism OIDs (see below);
o if peer_type_known is TRUE and peer_has_mech_stacking is TRUE
composite mechanisms will generally not be advertised explicitly,
but will be advertised implicitly, by including their component
stackable pseduo-mechanism OIDs (see below); no composite
mechanisms will be advertised explicitly
o if the input_cred_handle does not have elements for all of the
possible composite mechanisms that could be constructed from the
its elements' decomposed mechanisms, then all composite mechanisms
for which the input_cred_handle does have elements will be
advertised explicitly in offer_mechs.
5.1.5. GSS_Negotiate_mechs()
Inputs:
o input_credential_handle CREDENTIAL HANDLE, -- mechanisms offered
by the caller.
o peer_mechs SET OF OBJECT IDENTIFIER -- mechanisms offered by the
caller's peer.
Outputs:
o major_status INTEGER,
o minor_status INTEGER,
o mechs SET OF OBJECT IDENTIFIER -- mechanisms common to the
caller's credentials and the caller's peer.
Return major_status codes:
o GSS_S_COMPLETE indicates success; the output mechs parameter MAY
be the empty set (GSS_C_NO_OID_SET).
o GSS_S_NO_CREDENTIAL indicates that the caller's credentials are
expired or, if input_cred_handle is GSS_C_NO_CREDENTIAL, that no
credentials could be acquired for GSS_C_NO_NAME.
o GSS_S_FAILURE indicates that the request failed for some other
reason.
This function matches the mechanisms for which the caller has
credentials with the mechanisms offered by the caller's peer and
returns the set of mechanisms in common to both, accounting for any
composite mechanisms offered by the peer implicitly.
5.1.6. C-Bindings
OM_uint32 gss_compose_oid(
Williams Expires April 19, 2006 [Page 12]
�
Internet-Draft Stackable GSS Mechs October 2005
OM_uint32 *minor_status,
const gss_OID mech1,
const gss_OID mech2,
gss_OID *composite);
OM_uint32 gss_decompose_oid(
OM_uint32 *minor_status,
const gss_OID input_mech,
const gss_OID_set mechs,
gss_OID *lead_mech,
gss_OID *trail_mech);
OM_uint32 gss_release_oid(
OM_uint32 *minor_status,
gss_OID *oid);
OM_uint32 gss_indicate_negotiable_mechs(
OM_uint32 *minor_status,
const gss_cred_id_t input_cred_handle,
OM_uint32 peer_type_known,
OM_uint32 peer_has_mech_stacking,
gss_OID_set *offer_mechs);
OM_uint32 gss_negotiate_mechs(
OM_uint32 *minor_status,
const gss_cred_id_t input_cred_handle,
const gss_OID_set peer_mechs,
const gss_OID_set *mechs);
Figure 1
6. Negotiation of Composite Mechanisms
Where GSS-API implementations do not support the stackable mechanism
framework interfaces applications may only negotiate explicitly from
a set of concrete and composite mechanism OIDs as indicated by
GSS_Indicate_mechs() and for which suitable credentials are
available. GSS_Indicate_mechs(), as described in Section 4.4, MUST
NOT indicate support for individual stackable pseudo-mechanisms, so
there will not be any composite mechanisms implied but not explicitly
offered in the mechanism negotiation.
Applications that support the stackable mechanism framework SHOULD
use GSS_Indicate_negotiable_mechs() to construct the set of mechanism
OIDs to offer to their peers. GSS_Indicate_negotiable_mechs()
optimizes for bandwidth consumption by using decomposed OIDs instead
Williams Expires April 19, 2006 [Page 13]
�
Internet-Draft Stackable GSS Mechs October 2005
of composed OIDs, where possible. See Section 5.1.4.
Peers that support the stackable mechanism framework interfaces
SHOULD use GSS_Negotiate_mechs() to select a mechanism as that
routine accounts for composite mechanisms implicit in the mechanism
offers.
6.1. Negotiation of Composite Mechanisms Through SPNEGO
SPNEGO applications MUST advertise either the set of mechanism OIDs
for which they have suitable credentials or the set of mechanism OIDs
produced by calling GSS_Indicate_negotiable_mechs() with the
available credentials and the peer_type_known parameter as FALSE.
7. Requirements for Mechanism Designers
Stackable pseudo-mechanisms specifications MUST:
o list the set of GSS-API mechanism attributes associated with them
o list their initial mechanism composition rules
o specify a mechanism for updating their mechanism composition rules
All other mechanism specifications MUST:
o list the set of GSS-API mechanism attributes associated with them
8. IANA Considerations
Allocation of arcs in the namespace of OIDs relative to the base
stackable pseduo-mechanism OID specified in Section 4.1 is reserved
to the IANA.
9. Security considerations
Some composite mechanisms may well not be secure. The mechanism
composition rules of pseudo-mechanisms (including the default
composition rule given in Section 4 for unknown mechanism attributes)
should be used to prevent the use of unsafe composite mechanisms.
Designers of pseudo-mechanisms should study the possible combinations
of their mechanisms with others and design mechanism composition
rules accordingly.
Similarly, pseudo-mechanism designers MUST specify, and implementors
MUST implement, composite mechanism attribute set determination rules
appropriate to the subject pseduo-mechanism, as described in section
4.2. Failure to do so may lead to inappropriate composite mechanisms
Williams Expires April 19, 2006 [Page 14]
�
Internet-Draft Stackable GSS Mechs October 2005
being deemed permissible by programmatic application of flawed
mechanism composition rules or to by their application with incorrect
mechanism attribute sets.
10. Normative
[EXTENDED-INQUIRY]
Williams, N., "Extended Generic Security Service Mechanism
Inquiry APIs",
draft-ietf-kitten-extended-mech-inquiry-00.txt (work in
progress).
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2743] Linn, J., "Generic Security Service Application Program
Interface Version 2, Update 1", RFC 2743, January 2000.
[RFC2744] Wray, J., "Generic Security Service API Version 2 :
C-bindings", RFC 2744, January 2000.
Williams Expires April 19, 2006 [Page 15]
�
Internet-Draft Stackable GSS Mechs October 2005
Author's Address
Nicolas Williams
Sun Microsystems
5300 Riata Trace Ct
Austin, TX 78727
US
Email: Nicolas.Williams@sun.com
Williams Expires April 19, 2006 [Page 16]
�
Internet-Draft Stackable GSS Mechs October 2005
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Disclaimer of Validity
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The Internet Society (2005). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Acknowledgment
Funding for the RFC Editor function is currently provided by the
Internet Society.
Williams Expires April 19, 2006 [Page 17]
�
|
