gss-commit

CVS gss/doc/specification


From: gss-commit
Subject: CVS gss/doc/specification
Date: Wed, 1 Feb 2006 12:50:08 +0100

Update of /home/cvs/gss/doc/specification
In directory dopio:/tmp/cvs-serv19488/doc/specification

Added Files:
        draft-ietf-kitten-rfc2853bis-01.txt 
Log Message:
Add.


--- /home/cvs/gss/doc/specification/draft-ietf-kitten-rfc2853bis-01.txt 2006/02/01 11:50:08     NONE
+++ /home/cvs/gss/doc/specification/draft-ietf-kitten-rfc2853bis-01.txt 2006/02/01 11:50:08     1.1



Network Working Group                                        M. Upadhyay
Internet-Draft                                                    Google
Expires: July 31, 2006                                        S. Malkani
                                                        Sun Microsystems
                                                        January 27, 2006


     Generic Security Service API Version 2 : Java Bindings Update
                  draft-ietf-kitten-rfc2853bis-01.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on July 31, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   The Generic Security Services Application Program Interface (GSS-API)
   offers application programmers uniform access to security services
   atop a variety of underlying cryptographic mechanisms.  This document
   updates the Java bindings for the GSS-API that are specified in RFC
   2853 [JGSS].  This document obsoletes RFC 2853 [JGSS] by making
   specific and incremental clarifications and corrections to it in
   response to identification of transcription errors and implementation



Upadhyay & Malkani        Expires July 31, 2006                 [Page 1]

Internet-Draft             Java GSS-API Update              January 2006


   experience.  The only noteworthy changes are in sections 4.12.1,
   6.3.2, and 6.8.1 of RFC 2853 [JGSS], which are replaced by the
   sections 5.12.1, 7.3.2, and 7.8.1 of this document, where numerical
   constants were either added or modified.

   The GSS-API is described at a language independent conceptual level
   in RFC 2743 [GSSAPIv2-UPDATE].  The GSS-API allows a caller
   application to authenticate a principal identity, to delegate rights
   to a peer, and to apply security services such as confidentiality and
   integrity on a per-message basis.  Examples of security mechanisms
   defined for GSS-API are The Simple Public-Key GSS-API Mechanism
   [SPKM] and The Kerberos Version 5 GSS-API Mechanism [KERBV5].

Table of Contents

   1.   Conventions Used in This Document  . . . . . . . . . . . . .   6
   2.   Introduction . . . . . . . . . . . . . . . . . . . . . . . .   7
   3.   GSS-API Operational Paradigm . . . . . . . . . . . . . . . .   8
   4.   Additional Controls  . . . . . . . . . . . . . . . . . . . .  10
     4.1  Delegation . . . . . . . . . . . . . . . . . . . . . . . .  11
     4.2  Mutual Authentication  . . . . . . . . . . . . . . . . . .  12
     4.3  Replay and Out-of-Sequence Detection . . . . . . . . . . .  12
     4.4  Anonymous Authentication . . . . . . . . . . . . . . . . .  13
     4.5  Confidentiality  . . . . . . . . . . . . . . . . . . . . .  14
     4.6  Inter-process Context Transfer . . . . . . . . . . . . . .  14
     4.7  The Use of Incomplete Contexts . . . . . . . . . . . . . .  15
   5.   Calling Conventions  . . . . . . . . . . . . . . . . . . . .  16
     5.1  Package Name . . . . . . . . . . . . . . . . . . . . . . .  16
     5.2  Provider Framework . . . . . . . . . . . . . . . . . . . .  16
     5.3  Integer Types  . . . . . . . . . . . . . . . . . . . . . .  17
     5.4  Opaque Data Types  . . . . . . . . . . . . . . . . . . . .  17
     5.5  Strings  . . . . . . . . . . . . . . . . . . . . . . . . .  17
     5.6  Object Identifiers . . . . . . . . . . . . . . . . . . . .  17
     5.7  Object Identifier Sets . . . . . . . . . . . . . . . . . .  18
     5.8  Credentials  . . . . . . . . . . . . . . . . . . . . . . .  18
     5.9  Contexts . . . . . . . . . . . . . . . . . . . . . . . . .  20
     5.10   Authentication Tokens  . . . . . . . . . . . . . . . . .  20
     5.11   Interprocess Tokens  . . . . . . . . . . . . . . . . . .  21
     5.12   Error Reporting  . . . . . . . . . . . . . . . . . . . .  21
       5.12.1   GSS Status Codes . . . . . . . . . . . . . . . . . .  21
       5.12.2   Mechanism-Specific Status Codes  . . . . . . . . . .  24
       5.12.3   Supplementary Status Codes . . . . . . . . . . . . .  24
     5.13   Names  . . . . . . . . . . . . . . . . . . . . . . . . .  25
     5.14   Channel Bindings . . . . . . . . . . . . . . . . . . . .  27
     5.15   Stream Objects . . . . . . . . . . . . . . . . . . . . .  28
     5.16   Optional Parameters  . . . . . . . . . . . . . . . . . .  28
   6.   Introduction to GSS-API Classes and Interfaces . . . . . . .  30
     6.1  GSSManager class . . . . . . . . . . . . . . . . . . . . .  30

     6.2  GSSName interface  . . . . . . . . . . . . . . . . . . . .  31
     6.3  GSSCredential interface  . . . . . . . . . . . . . . . . .  31
     6.4  GSSContext interface . . . . . . . . . . . . . . . . . . .  32
     6.5  MessageProp class  . . . . . . . . . . . . . . . . . . . .  34
     6.6  GSSException class . . . . . . . . . . . . . . . . . . . .  34
     6.7  Oid class  . . . . . . . . . . . . . . . . . . . . . . . .  34
     6.8  ChannelBinding class . . . . . . . . . . . . . . . . . . .  35
   7.   Detailed GSS-API Class Description . . . . . . . . . . . . .  36
     7.1  public abstract class GSSManager . . . . . . . . . . . . .  36
       7.1.1  Example Code . . . . . . . . . . . . . . . . . . . . .  37
       7.1.2  getInstance  . . . . . . . . . . . . . . . . . . . . .  37
       7.1.3  getMechs . . . . . . . . . . . . . . . . . . . . . . .  37
       7.1.4  getNamesForMech  . . . . . . . . . . . . . . . . . . .  38
       7.1.5  getMechsForName  . . . . . . . . . . . . . . . . . . .  38
       7.1.6  createName . . . . . . . . . . . . . . . . . . . . . .  38
       7.1.7  createName . . . . . . . . . . . . . . . . . . . . . .  39
       7.1.8  createName . . . . . . . . . . . . . . . . . . . . . .  39
       7.1.9  createName . . . . . . . . . . . . . . . . . . . . . .  40
       7.1.10   createCredential . . . . . . . . . . . . . . . . . .  40
       7.1.11   createCredential . . . . . . . . . . . . . . . . . .  41
       7.1.12   createCredential . . . . . . . . . . . . . . . . . .  41
       7.1.13   createContext  . . . . . . . . . . . . . . . . . . .  42
       7.1.14   createContext  . . . . . . . . . . . . . . . . . . .  42
       7.1.15   createContext  . . . . . . . . . . . . . . . . . . .  43
       7.1.16   addProviderAtFront . . . . . . . . . . . . . . . . .  43
       7.1.17   Example Code . . . . . . . . . . . . . . . . . . . .  44
       7.1.18   addProviderAtEnd . . . . . . . . . . . . . . . . . .  45
       7.1.19   Example Code . . . . . . . . . . . . . . . . . . . .  45
     7.2  public interface GSSName . . . . . . . . . . . . . . . . .  46
       7.2.1  Example Code . . . . . . . . . . . . . . . . . . . . .  46
       7.2.2  Static Constants . . . . . . . . . . . . . . . . . . .  47
       7.2.3  equals . . . . . . . . . . . . . . . . . . . . . . . .  48
       7.2.4  equals . . . . . . . . . . . . . . . . . . . . . . . .  48
       7.2.5  canonicalize . . . . . . . . . . . . . . . . . . . . .  49
       7.2.6  export . . . . . . . . . . . . . . . . . . . . . . . .  49
       7.2.7  toString . . . . . . . . . . . . . . . . . . . . . . .  49
       7.2.8  getStringNameType  . . . . . . . . . . . . . . . . . .  50
       7.2.9  isAnonymous  . . . . . . . . . . . . . . . . . . . . .  50
       7.2.10   isMN . . . . . . . . . . . . . . . . . . . . . . . .  50
     7.3  public interface GSSCredential implements Cloneable  . . .  50
       7.3.1  Example Code . . . . . . . . . . . . . . . . . . . . .  51
       7.3.2  Static Constants . . . . . . . . . . . . . . . . . . .  52
       7.3.3  dispose  . . . . . . . . . . . . . . . . . . . . . . .  52
       7.3.4  getName  . . . . . . . . . . . . . . . . . . . . . . .  52
       7.3.5  getName  . . . . . . . . . . . . . . . . . . . . . . .  52
       7.3.6  getRemainingLifetime . . . . . . . . . . . . . . . . .  53
       7.3.7  getRemainingInitLifetime . . . . . . . . . . . . . . .  53
       7.3.8  getRemainingAcceptLifetime . . . . . . . . . . . . . .  53

       7.3.9  getUsage . . . . . . . . . . . . . . . . . . . . . . .  54
       7.3.10   getUsage . . . . . . . . . . . . . . . . . . . . . .  54
       7.3.11   getMechs . . . . . . . . . . . . . . . . . . . . . .  54
       7.3.12   add  . . . . . . . . . . . . . . . . . . . . . . . .  54
       7.3.13   equals . . . . . . . . . . . . . . . . . . . . . . .  55
     7.4  public interface GSSContext  . . . . . . . . . . . . . . .  55
       7.4.1  Example Code . . . . . . . . . . . . . . . . . . . . .  56
       7.4.2  Static Constants . . . . . . . . . . . . . . . . . . .  58
       7.4.3  initSecContext . . . . . . . . . . . . . . . . . . . .  58
       7.4.4  Example Code . . . . . . . . . . . . . . . . . . . . .  60
       7.4.5  initSecContext . . . . . . . . . . . . . . . . . . . .  60
       7.4.6  Example Code . . . . . . . . . . . . . . . . . . . . .  61
       7.4.7  acceptSecContext . . . . . . . . . . . . . . . . . . .  62
       7.4.8  Example Code . . . . . . . . . . . . . . . . . . . . .  63
       7.4.9  acceptSecContext . . . . . . . . . . . . . . . . . . .  64
       7.4.10   Example Code . . . . . . . . . . . . . . . . . . . .  64
       7.4.11   isEstablished  . . . . . . . . . . . . . . . . . . .  65
       7.4.12   dispose  . . . . . . . . . . . . . . . . . . . . . .  65
       7.4.13   getWrapSizeLimit . . . . . . . . . . . . . . . . . .  66
       7.4.14   wrap . . . . . . . . . . . . . . . . . . . . . . . .  66
       7.4.15   wrap . . . . . . . . . . . . . . . . . . . . . . . .  67
       7.4.16   unwrap . . . . . . . . . . . . . . . . . . . . . . .  68
       7.4.17   unwrap . . . . . . . . . . . . . . . . . . . . . . .  69
       7.4.18   getMIC . . . . . . . . . . . . . . . . . . . . . . .  70
       7.4.19   getMIC . . . . . . . . . . . . . . . . . . . . . . .  70
       7.4.20   verifyMIC  . . . . . . . . . . . . . . . . . . . . .  71
       7.4.21   verifyMIC  . . . . . . . . . . . . . . . . . . . . .  72
       7.4.22   export . . . . . . . . . . . . . . . . . . . . . . .  72
       7.4.23   requestMutualAuth  . . . . . . . . . . . . . . . . .  73
       7.4.24   requestReplayDet . . . . . . . . . . . . . . . . . .  73
       7.4.25   requestSequenceDet . . . . . . . . . . . . . . . . .  74
       7.4.26   requestCredDeleg . . . . . . . . . . . . . . . . . .  74
       7.4.27   requestAnonymity . . . . . . . . . . . . . . . . . .  74
       7.4.28   requestConf  . . . . . . . . . . . . . . . . . . . .  75
       7.4.29   requestInteg . . . . . . . . . . . . . . . . . . . .  75
       7.4.30   requestLifetime  . . . . . . . . . . . . . . . . . .  75
       7.4.31   setChannelBinding  . . . . . . . . . . . . . . . . .  75
       7.4.32   getCredDelegState  . . . . . . . . . . . . . . . . .  76
       7.4.33   getMutualAuthState . . . . . . . . . . . . . . . . .  76
       7.4.34   getReplayDetState  . . . . . . . . . . . . . . . . .  76
       7.4.35   getSequenceDetState  . . . . . . . . . . . . . . . .  76
       7.4.36   getAnonymityState  . . . . . . . . . . . . . . . . .  77
       7.4.37   isTransferable . . . . . . . . . . . . . . . . . . .  77
       7.4.38   isProtReady  . . . . . . . . . . . . . . . . . . . .  77
       7.4.39   getConfState . . . . . . . . . . . . . . . . . . . .  77
       7.4.40   getIntegState  . . . . . . . . . . . . . . . . . . .  77
       7.4.41   getLifetime  . . . . . . . . . . . . . . . . . . . .  77
       7.4.42   getSrcName . . . . . . . . . . . . . . . . . . . . .  78

       7.4.43   getTargName  . . . . . . . . . . . . . . . . . . . .  78
       7.4.44   getMech  . . . . . . . . . . . . . . . . . . . . . .  78
       7.4.45   getDelegCred . . . . . . . . . . . . . . . . . . . .  78
       7.4.46   isInitiator  . . . . . . . . . . . . . . . . . . . .  78
     7.5  public class MessageProp . . . . . . . . . . . . . . . . .  78
       7.5.1  Constructors . . . . . . . . . . . . . . . . . . . . .  79
       7.5.2  getQOP . . . . . . . . . . . . . . . . . . . . . . . .  79
       7.5.3  getPrivacy . . . . . . . . . . . . . . . . . . . . . .  80
       7.5.4  getMinorStatus . . . . . . . . . . . . . . . . . . . .  80
       7.5.5  getMinorString . . . . . . . . . . . . . . . . . . . .  80
       7.5.6  setQOP . . . . . . . . . . . . . . . . . . . . . . . .  80
       7.5.7  setPrivacy . . . . . . . . . . . . . . . . . . . . . .  80
       7.5.8  isDuplicateToken . . . . . . . . . . . . . . . . . . .  80
       7.5.9  isOldToken . . . . . . . . . . . . . . . . . . . . . .  81
       7.5.10   isUnseqToken . . . . . . . . . . . . . . . . . . . .  81
       7.5.11   isGapToken . . . . . . . . . . . . . . . . . . . . .  81
       7.5.12   setSupplementaryStates . . . . . . . . . . . . . . .  81
     7.6  public class ChannelBinding  . . . . . . . . . . . . . . .  82
       7.6.1  Constructors . . . . . . . . . . . . . . . . . . . . .  82
       7.6.2  getInitiatorAddress  . . . . . . . . . . . . . . . . .  83
       7.6.3  getAcceptorAddress . . . . . . . . . . . . . . . . . .  83
       7.6.4  getApplicationData . . . . . . . . . . . . . . . . . .  83
       7.6.5  equals . . . . . . . . . . . . . . . . . . . . . . . .  83
     7.7  public class Oid . . . . . . . . . . . . . . . . . . . . .  83
       7.7.1  Constructors . . . . . . . . . . . . . . . . . . . . .  84
       7.7.2  toString . . . . . . . . . . . . . . . . . . . . . . .  84
       7.7.3  equals . . . . . . . . . . . . . . . . . . . . . . . .  85
       7.7.4  getDER . . . . . . . . . . . . . . . . . . . . . . . .  85
       7.7.5  containedIn  . . . . . . . . . . . . . . . . . . . . .  85
     7.8  public class GSSException extends Exception  . . . . . . .  85
       7.8.1  Static Constants . . . . . . . . . . . . . . . . . . .  86
       7.8.2  Constructors . . . . . . . . . . . . . . . . . . . . .  88
       7.8.3  getMajor . . . . . . . . . . . . . . . . . . . . . . .  89
       7.8.4  getMinor . . . . . . . . . . . . . . . . . . . . . . .  89
       7.8.5  getMajorString . . . . . . . . . . . . . . . . . . . .  89
       7.8.6  getMinorString . . . . . . . . . . . . . . . . . . . .  89
       7.8.7  setMinor . . . . . . . . . . . . . . . . . . . . . . .  89
       7.8.8  toString . . . . . . . . . . . . . . . . . . . . . . .  89
       7.8.9  getMessage . . . . . . . . . . . . . . . . . . . . . .  90
   8.   Sample Applications  . . . . . . . . . . . . . . . . . . . .  91
     8.1  Simple GSS Context Initiator . . . . . . . . . . . . . . .  91
     8.2  Simple GSS Context Acceptor  . . . . . . . . . . . . . . .  94
   9.   Security Considerations  . . . . . . . . . . . . . . . . . .  99
   10.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . 100
   11.  References . . . . . . . . . . . . . . . . . . . . . . . . . 100
        Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 101
        Intellectual Property and Copyright Statements . . . . . . . 102

1.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Introduction

   This document specifies Java language bindings for the Generic
   Security Services Application Programming Interface Version 2 (GSS-
   API).  GSS-API Version 2 is described in a language independent
   format in RFC 2743 [GSSAPIv2-UPDATE].  The GSS-API allows a caller
   application to authenticate a principal identity, to delegate rights
   to a peer, and to apply security services such as confidentiality and
   integrity on a per-message basis.

   This document and its predecessor RFC 2853 [JGSS] leverage the work
   done by the WG in the area of RFC 2743 [GSSAPIv2-UPDATE] and the
   C-bindings RFC 2744 [GSSAPI-C].  Whenever appropriate, text has been
   used from the C-bindings RFC 2744 to explain generic concepts and
   provide direction to the implementors.

   The design goals of this API have been to satisfy all the
   functionality defined in RFC 2743 and to provide these services in an
   object-oriented manner.  The specification also aims to satisfy the
   needs of both types of Java application developers, those who would
   like access to a "system-wide" GSS-API implementation, as well as
   those who would want to provide their own "custom" implementation.

   A "system-wide" implementation is one that is available to all
   applications in the form of a library package.  It may be the
   standard package in the Java runtime environment (JRE) being used or
   it may be additionally installed and accessible to any application
   via the CLASSPATH.

   A "custom" implementation of the GSS-API, on the other hand, is one
   that would, in most cases, be bundled with the application during
   distribution.  It is expected that such an implementation would be
   meant to provide for some particular need of the application, such as
   support for some specific mechanism.

   The design of this API also aims to provide a flexible framework to
   add and manage GSS-API mechanisms.  GSS-API leverages the Java
   Cryptography Architecture (JCA) provider model to support the
   pluggability of mechanisms.  Mechanisms can be added on a
   "system-wide" basis, where all users of the framework will have them
   available.  The specification also allows for the addition of
   mechanisms per-instance of the GSS-API.

   Lastly, this specification presents an API that will naturally fit
   within the operating environment of the Java platform.  Readers are
   assumed to be familiar with both the GSS-API and the Java platform.
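   As an added illustration of the provider model described above
   (example code written for this page, not code from the draft or from
   the GSS project), the following Java uses the org.ietf.jgss API the
   draft specifies: it queries the system-wide GSSManager, scopes a
   custom JCA provider to a single manager instance for one mechanism,
   and checks after context establishment that the per-message services
   the initiator requested were actually granted.  The Provider object,
   the peer name and the mechanism Oid (for instance the Kerberos V5
   mechanism OID) are assumed inputs supplied by the caller.

```java
import java.security.Provider;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class ProviderModelDemo {

    /** Lists the mechanisms the system-wide implementation offers. */
    static Oid[] systemMechs() throws GSSException {
        GSSManager manager = GSSManager.getInstance();  // system-wide instance
        return manager.getMechs();
    }

    /**
     * Returns a GSSManager on which a custom JCA provider has been
     * registered for one mechanism only.  The registration is scoped to
     * this manager instance; other GSSManager instances are unaffected.
     * `custom` and `mech` are assumed to be supplied by the caller.
     */
    static GSSManager withCustomProvider(Provider custom, Oid mech) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        // addProviderAtFront makes `custom` the first choice for `mech`,
        // ahead of whatever the system-wide configuration would pick.
        // A provider placed at the front decides which implementation
        // protects every context created for `mech` through this manager,
        // so only register providers whose origin you have verified.
        manager.addProviderAtFront(custom, mech);
        return manager;
    }

    /** Initiator-side context with mutual auth and per-message protection requested. */
    static GSSContext initiatorContext(GSSManager manager, String peer, Oid mech)
            throws GSSException {
        GSSName target = manager.createName(peer, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = manager.createContext(target, mech, null,
                                               GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);   // authenticate the acceptor as well
        ctx.requestConf(true);         // per-message confidentiality
        ctx.requestInteg(true);        // per-message integrity
        return ctx;
    }

    /**
     * After the token exchange, confirm that the requested services were
     * granted: the state getters report what the mechanism actually
     * provides once the context is established, not what was asked for.
     */
    static boolean servicesGranted(GSSContext ctx) {
        return ctx.isEstablished()
            && ctx.getMutualAuthState()
            && ctx.getConfState()
            && ctx.getIntegState();
    }
}
```

   Applications should call servicesGranted before passing any
   application data through wrap, since a context that established
   without confidentiality will still "succeed" but send data in clear.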


3.  GSS-API Operational Paradigm

   The Generic Security Service Application Programming Interface
   Version 2 [GSSAPIv2-UPDATE] defines a generic security API to calling
   applications.  It allows a communicating application to authenticate

[5312 lines skipped]
