Generic Security Service API Version 2 : C-bindings
RFC 2744

Document Type RFC - Proposed Standard (January 2000; Errata)
Updated by RFC 5896
Obsoletes RFC 1509
Author John Wray 
Last updated 2020-01-21
Stream IETF
Network Working Group                                             J. Wray
Request for Comments: 2744                                Iris Associates
Obsoletes: 1509                                              January 2000
Category: Standards Track

          Generic Security Service API Version 2 : C-bindings

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2000).  All Rights Reserved.


   This document specifies C language bindings for Version 2, Update 1
   of the Generic Security Service Application Program Interface (GSS-
   API), which is described at a language-independent conceptual level
   in RFC-2743 [GSSAPI].  It obsoletes RFC-1509, making specific
   incremental changes in response to implementation experience and
   liaison requests.  It is intended, therefore, that this memo or a
   successor version thereof will become the basis for subsequent
   progression of the GSS-API specification on the standards track.

   The Generic Security Service Application Programming Interface
   provides security services to its callers, and is intended for
   implementation atop a variety of underlying cryptographic mechanisms.
   Typically, GSS-API callers will be application protocols into which
   security enhancements are integrated through invocation of services
   provided by the GSS-API. The GSS-API allows a caller application to
   authenticate a principal identity associated with a peer application,
   to delegate rights to a peer, and to apply security services such as
   confidentiality and integrity on a per-message basis.

Wray                        Standards Track                     [Page 1]
RFC 2744                 GSS-API V2: C-bindings             January 2000

1.   Introduction

   The Generic Security Service Application Programming Interface
   [GSSAPI] provides security services to calling applications.  It
   allows a communicating application to authenticate the user
   associated with another application, to delegate rights to another
   application, and to apply security services such as confidentiality
   and integrity on a per-message basis.

   There are four stages to using the GSS-API:

   a) The application acquires a set of credentials with which it may
      prove its identity to other processes. The application's
      credentials vouch for its global identity, which may or may not be
      related to any local username under which it may be running.

   b) A pair of communicating applications establish a joint security
      context using their credentials.  The security context is a pair
      of GSS-API data structures that contain shared state information,
      which is required in order that per-message security services may
      be provided.  Examples of state that might be shared between
      applications as part of a security context are cryptographic keys,
      and message sequence numbers.  As part of the establishment of a
      security context, the context initiator is authenticated to the
      responder, and may require that the responder is authenticated in
      turn.  The initiator may optionally give the responder the right
      to initiate further security contexts, acting as an agent or
      delegate of the initiator.  This transfer of rights is termed
      delegation, and is achieved by creating a set of credentials,
      similar to those used by the initiating application, but which may
      be used by the responder.

      To establish and maintain the shared information that makes up the
      security context, certain GSS-API calls will return a token data
      structure, which is an opaque data type that may contain
      cryptographically protected data.  The caller of such a GSS-API
      routine is responsible for transferring the token to the peer
      application, encapsulated if necessary in an application-
      application protocol.  On receipt of such a token, the peer
      application should pass it to a corresponding GSS-API routine
      which will decode the token and extract the information, updating
      the security context state information accordingly.


   c) Per-message services are invoked to apply either:

      integrity and data origin authentication, or confidentiality,
      integrity and data origin authentication to application data,
      which are treated by GSS-API as arbitrary octet-strings.  An
      application transmitting a message that it wishes to protect will