RFC 1508 Generic Security Interface September 1993
based on system-specific name manipulation primitives already extant
within those end systems; inclusion within the GSS-API is intended to
offer GSS-API callers a portable means to perform specific
operations, supportive of authorization and audit requirements, on
authenticated names.)
GSS_Import_name() implementations can, where appropriate, support
more than one printable syntax corresponding to a given namespace
(e.g., alternative printable representations for X.500 Distinguished
Names), allowing flexibility for their callers to select among
alternative representations. GSS_Display_name() implementations
output a printable syntax selected as appropriate to their
operational environments; this selection is a local matter. Callers
desiring portability across alternative printable syntaxes should
refrain from implementing comparisons based on printable name forms
and should instead use the GSS_Compare_name() call to determine
whether or not one internal-format name matches another.
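A worked illustration of the point above, added here as an example and not taken from RFC 1508 or from any GSS-API implementation: two printable syntaxes for the same X.500 Distinguished Name are assumed (an RFC 1779 style comma-separated form and a slash-separated form), both are imported into one canonical internal form, and only that internal form is compared. A byte comparison of the printable strings reports them as different while the model's compare_name() reports a match, which is exactly why the text directs callers to GSS_Compare_name(). The type and function names in the block (internal_name, import_name, display_name, compare_name, names_match) and the status values are this example's own, not the GSS-API's.

```c
/* Added illustration of the name-handling model in this section: not GSS-API
 * code and not any mechanism's implementation.  Two printable DN syntaxes are
 * assumed for the example, "CN=Alice, O=Example, C=US" (RFC 1779 style) and
 * "/C=US/O=Example/CN=Alice" (slash style); both import to one internal form. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_RDN 8
#define RDN_LEN 64

/* Status values are symbolic placeholders chosen for this model. */
enum { NAME_OK = 0, NAME_BAD = -1 };

/* Internal (mechanism-independent) name: RDNs stored root-first,
 * attribute types upper-cased, surrounding whitespace removed. */
typedef struct {
    int count;
    char rdn[MAX_RDN][RDN_LEN];
} internal_name;

/* Trim one component and upper-case its attribute type so that
 * "cn=Alice" and " CN=Alice" normalise identically. */
static void normalize_rdn(const char *start, size_t len, char *out)
{
    while (len > 0 && isspace((unsigned char)*start)) { start++; len--; }
    while (len > 0 && isspace((unsigned char)start[len - 1])) len--;
    if (len >= RDN_LEN) len = RDN_LEN - 1;
    memcpy(out, start, len);
    out[len] = '\0';
    for (char *p = out; *p && *p != '='; p++)
        *p = (char)toupper((unsigned char)*p);
}

/* Model of GSS_Import_name(): accept either printable syntax and produce
 * the internal form.  Returns NAME_BAD (think GSS_BAD_NAME) on bad input. */
int import_name(const char *printable, internal_name *out)
{
    char parts[MAX_RDN][RDN_LEN];
    int n = 0;
    char sep = (printable[0] == '/') ? '/' : ',';
    const char *p = printable + (sep == '/' ? 1 : 0);

    while (*p) {
        const char *end = strchr(p, sep);
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (n >= MAX_RDN) return NAME_BAD;
        normalize_rdn(p, len, parts[n]);
        if (parts[n][0] == '\0' || strchr(parts[n], '=') == NULL) return NAME_BAD;
        n++;
        if (!end) break;
        p = end + 1;
    }
    if (n == 0) return NAME_BAD;

    out->count = n;
    for (int i = 0; i < n; i++) {
        /* slash syntax is already root-first; comma syntax lists the leaf first */
        const char *src = (sep == '/') ? parts[i] : parts[n - 1 - i];
        strcpy(out->rdn[i], src);
    }
    return NAME_OK;
}

/* Model of GSS_Display_name(): emit the locally selected printable syntax
 * (here the comma-separated, leaf-first form). */
void display_name(const internal_name *n, char *buf, size_t len)
{
    buf[0] = '\0';
    for (int i = n->count - 1; i >= 0; i--) {
        strncat(buf, n->rdn[i], len - strlen(buf) - 1);
        if (i > 0) strncat(buf, ", ", len - strlen(buf) - 1);
    }
}

/* Model of GSS_Compare_name(): equality is decided on the internal form only. */
int compare_name(const internal_name *a, const internal_name *b)
{
    if (a->count != b->count) return 0;
    for (int i = 0; i < a->count; i++)
        if (strcmp(a->rdn[i], b->rdn[i]) != 0) return 0;
    return 1;
}

/* 1 if both printable names denote the same entity, 0 if not,
 * NAME_BAD if either cannot be imported. */
int names_match(const char *p1, const char *p2)
{
    internal_name a, b;
    if (import_name(p1, &a) != NAME_OK || import_name(p2, &b) != NAME_OK)
        return NAME_BAD;
    return compare_name(&a, &b);
}

int main(void)
{
    const char *rfc1779 = "CN=Alice, O=Example, C=US";
    const char *slash = "/C=US/O=Example/CN=Alice";
    internal_name n;
    char shown[128];

    printf("strcmp on printable forms: %s\n",
           strcmp(rfc1779, slash) == 0 ? "equal" : "different");
    printf("compare on internal forms: %s\n",
           names_match(rfc1779, slash) == 1 ? "equal" : "different");
    import_name(slash, &n);
    display_name(&n, shown, sizeof shown);
    printf("display_name: %s\n", shown);
    return 0;
}
```

Comparing the output of display_name() with strcmp() instead would make the result depend on which printable syntax each implementation selects, the local choice the text describes, and a caller doing so would silently treat the same principal as two different ones across implementations.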
1.1.6. Channel Bindings
The GSS-API accommodates the concept of caller-provided channel
binding ("chan_binding") information, used by GSS-API callers to bind
the establishment of a security context to relevant characteristics
(e.g., addresses, transformed representations of encryption keys) of
the underlying communications channel and of protection mechanisms
applied to that communications channel. Verification by one peer of
chan_binding information provided by the other peer to a context
serves to protect against various active attacks. The caller
initiating a security context must determine the chan_binding values
before making the GSS_Init_sec_context() call, and consistent values
must be provided by both peers to a context. Callers should not
assume that underlying mechanisms provide confidentiality protection
for channel binding information.
Use or non-use of the GSS-API channel binding facility is a caller
option, and GSS-API supporting mechanisms can support operation in an
environment where NULL channel bindings are presented. When non-NULL
channel bindings are used, certain mechanisms will offer enhanced
security value by interpreting the bindings' content (rather than
simply representing those bindings, or signatures computed on them,
within tokens) and will therefore depend on presentation of specific
data in a defined format. To this end, agreements among mechanism
implementors are defining conventional interpretations for the
contents of channel binding arguments, including address specifiers
(with content dependent on communications protocol environment) for
context initiators and acceptors. (These conventions are being
incorporated into related documents.) In order for GSS-API callers to
be portable across multiple mechanisms and achieve the full security
functionality available from each mechanism, it is strongly
recommended that GSS-API callers provide channel bindings consistent
with these conventions and those of the networking environment in
which they operate.
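The following model, added as an example for this page and not code from RFC 1508 or from any mechanism, shows the channel-binding check described in this section together with the two-value status reporting (major_status plus minor_status) that section 1.2.1 and Table 1 below summarize. Both peers derive a chan_binding from the addresses they observe; the initiator's token carries a digest of its bindings, and the acceptor compares that digest with its own view of the channel, returning GSS_BAD_BINDINGS on a mismatch. The FNV-1a hash, the struct-based tokens, the numeric status values and the function names init_sec_context, accept_sec_context and establish_context are assumptions of this example; a real mechanism carries an integrity-protected representation inside its own token encoding.

```c
/* Added illustration of channel-binding verification (section 1.1.6) and of
 * major_status-driven control flow (section 1.2.1).  A model written for this
 * page, not GSS-API code and not any mechanism's implementation: tokens are
 * plain structs, the binding "signature" is a non-cryptographic FNV-1a hash
 * standing in for a mechanism's integrity-protected representation, and the
 * status values are chosen here. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { GSS_COMPLETE, GSS_CONTINUE_NEEDED, GSS_BAD_BINDINGS,
       GSS_DEFECTIVE_TOKEN, GSS_FAILURE };          /* model values */
enum { MINOR_NONE = 0, MINOR_BINDING_MISMATCH = 1 }; /* model minor_status */

/* Caller-provided chan_binding: both peers must derive the same values. */
typedef struct {
    char initiator_addr[32];
    char acceptor_addr[32];
    char application_data[32];
} channel_bindings;

/* Context-establishment token exchanged between the peers. */
typedef struct {
    int round;                /* 1 = initiator's token, 2 = acceptor's reply */
    uint32_t binding_digest;  /* carried in the clear: no confidentiality */
} token;

static uint32_t fnv1a(uint32_t h, const char *s)
{
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 16777619u; }
    return h;
}

/* Digest over the binding fields; NULL bindings digest to 0. */
uint32_t digest_bindings(const channel_bindings *cb)
{
    uint32_t h = 2166136261u;
    if (cb == NULL) return 0;
    h = fnv1a(h, cb->initiator_addr); h = fnv1a(h, "|");
    h = fnv1a(h, cb->acceptor_addr);  h = fnv1a(h, "|");
    return fnv1a(h, cb->application_data);
}

/* Model of GSS_Init_sec_context(): the first call emits a token carrying the
 * initiator's binding digest; the second call consumes the acceptor's reply. */
int init_sec_context(const channel_bindings *cb, const token *input,
                     token *output, int *minor)
{
    *minor = MINOR_NONE;
    if (input == NULL) {
        output->round = 1;
        output->binding_digest = digest_bindings(cb);
        return GSS_CONTINUE_NEEDED;
    }
    output->round = 0;
    return input->round == 2 ? GSS_COMPLETE : GSS_DEFECTIVE_TOKEN;
}

/* Model of GSS_Accept_sec_context(): when the acceptor supplies non-NULL
 * bindings, the digest in the token must match the acceptor's own view of the
 * channel; a mismatch is reported as GSS_BAD_BINDINGS with a minor code. */
int accept_sec_context(const channel_bindings *cb, const token *input,
                       token *output, int *minor)
{
    *minor = MINOR_NONE;
    if (input->round != 1) return GSS_DEFECTIVE_TOKEN;
    if (cb != NULL && input->binding_digest != digest_bindings(cb)) {
        *minor = MINOR_BINDING_MISMATCH;
        return GSS_BAD_BINDINGS;
    }
    output->round = 2;
    output->binding_digest = digest_bindings(cb);
    return GSS_COMPLETE;
}

/* The major_status loop a portable caller uses: keep exchanging tokens while
 * GSS_CONTINUE_NEEDED, stop on GSS_COMPLETE or any fatal code. */
int establish_context(const channel_bindings *init_cb,
                      const channel_bindings *acc_cb, int *minor)
{
    token to_acceptor, to_initiator;
    const token *reply = NULL;
    for (int round = 0; round < 4; round++) {   /* bounded: no endless loop */
        int major = init_sec_context(init_cb, reply, &to_acceptor, minor);
        if (major != GSS_CONTINUE_NEEDED) return major;
        major = accept_sec_context(acc_cb, &to_acceptor, &to_initiator, minor);
        if (major != GSS_COMPLETE && major != GSS_CONTINUE_NEEDED) return major;
        reply = &to_initiator;
    }
    return GSS_FAILURE;
}

int main(void)
{
    /* Constructed sample bindings using documentation addresses. */
    channel_bindings direct = {"192.0.2.10", "198.51.100.20", "app-v1"};
    channel_bindings relayed = {"203.0.113.5", "198.51.100.20", "app-v1"};
    int minor, major;

    major = establish_context(&direct, &direct, &minor);
    printf("same channel on both peers: major=%d\n", major);
    major = establish_context(&direct, &relayed, &minor);
    printf("acceptor sees another initiator address: major=%d minor=%d\n",
           major, minor);
    major = establish_context(&direct, NULL, &minor);
    printf("acceptor presents NULL bindings: major=%d\n", major);
    return 0;
}
```

The second case is the one the text has in mind: the initiator bound the context to the channel it believed it was using, the acceptor's view of that channel differs, and the mismatch surfaces as a fatal major_status before any data is protected. The third case shows the caller option of presenting NULL bindings, which disables the check on that side. Because binding_digest travels unprotected in this model, an observer learns the bound addresses, which is why the text tells callers not to assume confidentiality for channel-binding information.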
1.2. GSS-API Features and Issues
This section describes aspects of GSS-API operations and of the security
services which the GSS-API provides, and offers commentary on design
issues.
1.2.1. Status Reporting
Each GSS-API call provides two status return values. Major_status
values provide a mechanism-independent indication of call status
(e.g., GSS_COMPLETE, GSS_FAILURE, GSS_CONTINUE_NEEDED), sufficient to
drive normal control flow within the caller in a generic fashion.
Table 1 summarizes the defined major_status return codes in tabular
fashion.
Table 1: GSS-API Major Status Codes

FATAL ERROR CODES

GSS_BAD_BINDINGS          channel binding mismatch
GSS_BAD_MECH              unsupported mechanism requested
GSS_BAD_NAME              invalid name provided
GSS_BAD_NAMETYPE          name of unsupported type provided
GSS_BAD_STATUS            invalid input status selector
GSS_BAD_SIG               token had invalid signature
GSS_CONTEXT_EXPIRED       specified security context expired
GSS_CREDENTIALS_EXPIRED   expired credentials detected
GSS_DEFECTIVE_CREDENTIAL  defective credential detected
GSS_DEFECTIVE_TOKEN       defective token detected
GSS_FAILURE               failure, unspecified at GSS-API level