Generic Security Service Application Program Interface (GSS-API) Extension for Storing Delegated Credentials
RFC 5588

Approval announcement
Draft of message to be sent after approval:

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: Internet Architecture Board <iab@iab.org>,
    RFC Editor <rfc-editor@rfc-editor.org>, 
    kitten mailing list <kitten@ietf.org>, 
    kitten chair <kitten-chairs@tools.ietf.org>
Subject: Protocol Action: 'GSS-API Extension for Storing 
         Delegated Credentials' to Proposed Standard 

The IESG has approved the following document:

- 'GSS-API Extension for Storing Delegated Credentials'
   <draft-ietf-kitten-gssapi-store-cred-04.txt> as a Proposed Standard

This document is the product of the Kitten (GSS-API Next Generation) 
Working Group. 

The IESG contact persons are Tim Polk and Pasi Eronen.

A URL of this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-kitten-gssapi-store-cred-04.txt

       Technical Summary

 This document defines a new function for the GSS-API which allows
 applications to store delegated (and other) credentials in the
 implicit GSS-API credential store.  This is needed for GSS-API
 applications to use delegated credentials as they would use other
 credentials.

       Working Group Summary

This document is a product of the kitten working group.  The working
group process was uneventful.

       Document Quality

There is at least 1 existing implementation of the feature and other
implementors are interested.

       Personnel

Alexey Melnikov <alexey.melnikov@isode.com> is the document shepherd for
this document.  Tim Polk is the responsible AD.

RFC Editor Note

Please make the following changes:

(1) In Section 3:

OLD:

  o  default_cred BOOLEAN -- if TRUE make the stored credential
     available as the default credential (for acquisition with
     GSS_C_NO_NAME as the desired name or for use as
     GSS_C_NO_CREDENTIAL)

NEW:

  o  default_cred BOOLEAN -- advisory input; if TRUE make the stored
     credential available as the default credential (for acquisition
     with GSS_C_NO_NAME as the desired name or for use as
     GSS_C_NO_CREDENTIAL)

(2) In Section 3:

OLD:

  Finally, if the current credential store has no default credential
  (that is, no credential that could be acquired for GSS_C_NO_NAME) or
  if the default_cred input argument is TRUE, and the input credential
  can be successfully stored, then the input credential will be
  available for acquisition with GSS_C_NO_NAME as the desired name
  input to GSS_Acquire_cred() or GSS_Add_cred() as well as for use as
  GSS_C_NO_CREDENTIAL for the cred_handle inputs to GSS_Inquire_cred(),
  GSS_Inquire_cred_by_mech(), GSS_Init_sec_context() and
  GSS_Accept_sec_context().

NEW:

  In the GSS-API the default credential can be used by using
  GSS_C_NO_CREDENTIAL or a CREDENTIAL handle acquired by calling
  GSS_Acquire_cred() or GSS_Add_cred() with the desired_name input set
  to GSS_C_NO_NAME.

  If the default_cred input argument is TRUE, and the input credential
  can be successfully stored, then the input credential SHOULD be
  stored as the default credential (see above).

  If the current credential store has no default credential (see above)
  then the implementation MAY make the stored credentials available as
  the default credential regardless of the value of the default_cred
  input argument.
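The SHOULD and MAY clauses in the NEW Section 3 text decide whether a stored credential becomes the default, which matters because a delegated credential that becomes the default is what every GSS_C_NO_CREDENTIAL caller in the process will then use. The following Python model is an added illustration, not GSS-API library code; CredStore, Credential, demo, promote_when_no_default and the sample principal names are assumptions, with promote_when_no_default standing in for the implementation's choice under the MAY clause.

```python
from dataclasses import dataclass, field
from typing import Optional

GSS_C_NO_NAME = None        # desired_name sentinel: "acquire the default credential"
GSS_C_NO_CREDENTIAL = None  # cred_handle sentinel: "use the default credential"


@dataclass(frozen=True)
class Credential:
    name: str   # principal the credential belongs to (constructed sample values below)
    mech: str   # mechanism, e.g. "krb5"


@dataclass
class CredStore:
    """Assumed model of the implicit credential store; not GSS-API library code."""
    creds: dict = field(default_factory=dict)  # name -> Credential
    default: Optional[Credential] = None
    # Implementation choice for the MAY clause: promote a stored credential to
    # default when the store has none, even though default_cred was FALSE.
    promote_when_no_default: bool = True

    def store_cred(self, cred: Credential, default_cred: bool) -> bool:
        """GSS_Store_cred; returns True if cred is the default afterwards."""
        self.creds[cred.name] = cred
        if default_cred:
            self.default = cred          # SHOULD be stored as the default
        elif self.default is None and self.promote_when_no_default:
            self.default = cred          # MAY become the default when none exists
        return self.default is cred

    def acquire_cred(self, desired_name=GSS_C_NO_NAME) -> Optional[Credential]:
        """GSS_Acquire_cred: GSS_C_NO_NAME as desired_name yields the default."""
        if desired_name is GSS_C_NO_NAME:
            return self.default
        return self.creds.get(desired_name)

    def resolve_handle(self, cred_handle=GSS_C_NO_CREDENTIAL) -> Optional[Credential]:
        """cred_handle input to GSS_Init_sec_context() etc.: GSS_C_NO_CREDENTIAL means the default."""
        return self.default if cred_handle is GSS_C_NO_CREDENTIAL else cred_handle


def demo(promote_when_no_default: bool = True):
    """Walk the three cases the NEW text distinguishes; returns what became default."""
    store = CredStore(promote_when_no_default=promote_when_no_default)
    user = Credential("alice@EXAMPLE.COM", "krb5")                 # constructed
    delegated = Credential("bob@EXAMPLE.COM", "krb5")              # constructed
    empty_store = store.store_cred(user, default_cred=False)       # MAY clause
    has_default = store.store_cred(delegated, default_cred=False)  # default kept
    explicit = store.store_cred(delegated, default_cred=True)      # SHOULD clause
    current = store.acquire_cred(GSS_C_NO_NAME)
    return empty_store, has_default, explicit, current.name if current else None
```

Running demo() with the MAY clause enabled shows the first credential becoming the default without default_cred being set; demo(False) shows that only the explicit default_cred=TRUE store changes the default.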