
= ROOT|Technical|RFC|rfc1508.txt =

   based on system-specific name manipulation primitives already extant
   within those end systems; inclusion within the GSS-API is intended to




 
RFC 1508               Generic Security Interface         September 1993


   offer GSS-API callers a portable means to perform specific
   operations, supportive of authorization and audit requirements, on
   authenticated names.)

   GSS_Import_name() implementations can, where appropriate, support
   more than one printable syntax corresponding to a given namespace
   (e.g., alternative printable representations for X.500 Distinguished
   Names), allowing flexibility for their callers to select among
   alternative representations. GSS_Display_name() implementations
   output a printable syntax selected as appropriate to their
   operational environments; this selection is a local matter. Callers
   desiring portability across alternative printable syntaxes should
   refrain from implementing comparisons based on printable name forms
   and should instead use the GSS_Compare_name() call to determine
   whether or not one internal-format name matches another.
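An added illustration of the portability point above (not GSS-API code, and not from the RFC): two constructed printable syntaxes for the same X.500 Distinguished Name are imported into an internal form, and only the internal forms are compared. The slash-separated and comma-separated syntaxes, and the stand-in function names, are assumptions made for the example.

```python
# Added example, not GSS-API or RFC 1508 code: models GSS_Import_name(),
# GSS_Display_name() and GSS_Compare_name() for a namespace that has two
# printable syntaxes, to show why string comparison of printable forms is
# not portable while comparison of internal-format names is.
import re

def import_name(printable: str) -> tuple:
    """Stand-in for GSS_Import_name(): accept either constructed printable
    syntax for a DN and return the internal form, a canonical tuple of
    (attribute, value) pairs ordered leaf-first."""
    s = printable.strip()
    if s.startswith("/"):
        # Constructed syntax 1: "/C=US/O=Example/CN=alice", root component first
        parts = [p for p in s.split("/") if p]
        parts.reverse()
    else:
        # Constructed syntax 2: "CN=alice, O=Example, C=US", leaf component first
        parts = re.split(r"\s*,\s*", s)
    rdns = []
    for p in parts:
        attr, _, value = p.partition("=")
        if not attr or not value:
            raise ValueError(f"GSS_BAD_NAME: {printable!r}")
        # Attribute types are case-insensitive here; values are kept as given
        rdns.append((attr.strip().upper(), value.strip()))
    return tuple(rdns)

def compare_name(a: tuple, b: tuple) -> bool:
    """Stand-in for GSS_Compare_name(): equality of internal-format names."""
    return a == b

def display_name(internal: tuple) -> str:
    """Stand-in for GSS_Display_name(): emits one locally chosen syntax."""
    return ", ".join(f"{attr}={value}" for attr, value in internal)

PRINTABLE_A = "/C=US/O=Example/CN=alice"     # constructed sample, syntax 1
PRINTABLE_B = "cn=alice, o=Example, c=US"    # same name, syntax 2
```

The two printable strings differ as text, so a caller comparing them directly would wrongly treat them as different principals; the internal forms compare equal.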

1.1.6.  Channel Bindings

   The GSS-API accommodates the concept of caller-provided channel
   binding ("chan_binding") information, used by GSS-API callers to bind
   the establishment of a security context to relevant characteristics
   (e.g., addresses, transformed representations of encryption keys) of
   the underlying communications channel and of protection mechanisms
   applied to that communications channel.  Verification by one peer of
   chan_binding information provided by the other peer to a context
   serves to protect against various active attacks. The caller
   initiating a security context must determine the chan_binding values
   before making the GSS_Init_sec_context() call, and consistent values
   must be provided by both peers to a context. Callers should not
   assume that underlying mechanisms provide confidentiality protection
   for channel binding information.

   Use or non-use of the GSS-API channel binding facility is a caller
   option, and GSS-API supporting mechanisms can support operation in an
   environment where NULL channel bindings are presented. When non-NULL
   channel bindings are used, certain mechanisms will offer enhanced
   security value by interpreting the bindings' content (rather than
   simply representing those bindings, or signatures computed on them,
   within tokens) and will therefore depend on presentation of specific
   data in a defined format. To this end, agreements among mechanism
   implementors are defining conventional interpretations for the
   contents of channel binding arguments, including address specifiers
   (with content dependent on communications protocol environment) for
   context initiators and acceptors. (These conventions are being
   incorporated into related documents.) In order for GSS-API callers to
   be portable across multiple mechanisms and achieve the full security
   functionality available from each mechanism, it is strongly
   recommended that GSS-API callers provide channel bindings consistent

   with these conventions and those of the networking environment in
   which they operate.

1.2.  GSS-API Features and Issues

   This section describes aspects of GSS-API operation and of the
   security services which the GSS-API provides, and comments on design
   issues.

1.2.1.  Status Reporting

   Each GSS-API call provides two status return values. Major_status
   values provide a mechanism-independent indication of call status
   (e.g., GSS_COMPLETE, GSS_FAILURE, GSS_CONTINUE_NEEDED), sufficient to
   drive normal control flow within the caller in a generic fashion.
   Table 1 summarizes the defined major_status return codes in tabular
   fashion.

   Table 1: GSS-API Major Status Codes

      FATAL ERROR CODES

      GSS_BAD_BINDINGS             channel binding mismatch
      GSS_BAD_MECH                 unsupported mechanism requested
      GSS_BAD_NAME                 invalid name provided
      GSS_BAD_NAMETYPE             name of unsupported type provided
      GSS_BAD_STATUS               invalid input status selector
      GSS_BAD_SIG                  token had invalid signature
      GSS_CONTEXT_EXPIRED          specified security context expired
      GSS_CREDENTIALS_EXPIRED      expired credentials detected
      GSS_DEFECTIVE_CREDENTIAL     defective credential detected
      GSS_DEFECTIVE_TOKEN          defective token detected
      GSS_FAILURE                  failure, unspecified at GSS-API
                                   level
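An added example, not GSS-API or mechanism code and not from the RFC, serving both section 1.1.6 (channel bindings) and section 1.2.1 (status reporting): a toy two-round context establishment in which the initiator's token carries a digest of its chan_binding values, the acceptor checks that digest against its own view of the channel and returns GSS_BAD_BINDINGS on mismatch, and the caller's loop is driven only by major_status. The field names follow the C-bindings channel-binding structure; the token layout, the length-prefixed SHA-256 encoding, the HMAC keyed by a constructed shared key, and the function names are assumptions of this example.

```python
# Added illustration, not GSS-API or mechanism code: a toy two-round context
# establishment showing how caller-supplied channel bindings are carried in a
# token and verified by the peer, and how major_status alone drives the loop.
import hashlib
import hmac

GSS_COMPLETE, GSS_CONTINUE_NEEDED, GSS_BAD_BINDINGS, GSS_BAD_SIG, GSS_DEFECTIVE_TOKEN = (
    "GSS_COMPLETE", "GSS_CONTINUE_NEEDED", "GSS_BAD_BINDINGS", "GSS_BAD_SIG", "GSS_DEFECTIVE_TOKEN")

def bindings_digest(chan_binding: dict) -> bytes:
    """Digest of the caller's bindings (field names as in the C bindings; the
    length-prefixed SHA-256 encoding is an assumption of this example)."""
    h = hashlib.sha256()
    for key in ("initiator_address", "acceptor_address", "application_data"):
        value = chan_binding.get(key, b"")          # absent field == NULL binding
        h.update(len(value).to_bytes(4, "big") + value)
    return h.digest()

def init_sec_context(chan_binding, key, input_token=None):
    """Initiator. Round 1 emits a token with the bindings digest, integrity-
    protected but NOT encrypted (do not assume confidentiality for bindings).
    Round 2 verifies the acceptor's reply and completes."""
    if input_token is None:
        body = b"init" + bindings_digest(chan_binding)
        return GSS_CONTINUE_NEEDED, body + hmac.new(key, body, "sha256").digest()
    expected = b"done" + hmac.new(key, b"done", "sha256").digest()
    if not hmac.compare_digest(input_token, expected):
        return GSS_DEFECTIVE_TOKEN, None
    return GSS_COMPLETE, None

def accept_sec_context(chan_binding, key, input_token):
    """Acceptor: recompute the digest over its OWN view of the channel and
    refuse the context when the peer's value differs."""
    if len(input_token) != 68 or input_token[:4] != b"init":
        return GSS_DEFECTIVE_TOKEN, None
    body, tag = input_token[:36], input_token[36:]
    if not hmac.compare_digest(tag, hmac.new(key, body, "sha256").digest()):
        return GSS_BAD_SIG, None
    if not hmac.compare_digest(body[4:], bindings_digest(chan_binding)):
        return GSS_BAD_BINDINGS, None
    return GSS_COMPLETE, b"done" + hmac.new(key, b"done", "sha256").digest()

def establish(init_cb, accept_cb, key):
    """Generic caller loop: exchange tokens while GSS_CONTINUE_NEEDED, stop on
    GSS_COMPLETE or any fatal code, never inspecting token contents."""
    major, token = init_sec_context(init_cb, key)
    while major == GSS_CONTINUE_NEEDED:
        peer_major, reply = accept_sec_context(accept_cb, key, token)
        if peer_major != GSS_COMPLETE:
            return peer_major
        major, token = init_sec_context(init_cb, key, reply)
    return major
```

When both peers present NULL bindings the digests still agree and the context completes; the fatal code is raised only when the two views of the channel differ, which is the case the text says the facility is meant to detect.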