GSS-V2 COMPATIBILITY WITH GSS-V1
It is the intent of this document to define an interface and
procedures which preserve compatibility between GSS-V1 (RFC-1508)
callers and GSS-V2 providers. All calls defined in GSS-V1 are
preserved, and it has been a goal that GSS-V1 callers should be able
to operate atop GSS-V2 provider implementations. Certain detailed
changes, summarized in this section, have been made in order to
resolve omissions identified in GSS-V1.
The following GSS-V1 constructs, while supported within GSS-V2, are
deprecated:
Names for per-message processing routines: GSS_Seal() deprecated
in favor of GSS_Wrap(); GSS_Sign() deprecated in favor of
GSS_GetMIC(); GSS_Unseal() deprecated in favor of GSS_Unwrap();
GSS_Verify() deprecated in favor of GSS_VerifyMIC().
GSS_Delete_sec_context() facility for context_token usage,
allowing mechanisms to signal context deletion, is retained for
compatibility with GSS-V1. For current usage, it is recommended
that both peers to a context invoke GSS_Delete_sec_context()
independently, passing a null output_context_token buffer to
indicate that no context_token is required. Implementations of
GSS_Delete_sec_context() should delete relevant locally-stored
context information.
This GSS-V2 specification adds the following calls which are not
present in GSS-V1:
Credential management calls: GSS_Add_cred(),
GSS_Inquire_cred_by_mech().
Context-level calls: GSS_Inquire_context(), GSS_Wrap_size_limit(),
GSS_Export_sec_context(), GSS_Import_sec_context().
Per-message calls: No new calls. Existing calls have been renamed.
Support calls: GSS_Create_empty_OID_set(),
GSS_Add_OID_set_member(), GSS_Test_OID_set_member(),
GSS_Release_OID(), GSS_OID_to_str(), GSS_Str_to_OID(),
GSS_Inquire_names_for_mech(), GSS_Inquire_mechs_for_name(),
GSS_Canonicalize_name(), GSS_Export_name(), GSS_Duplicate_name().
This GSS-V2 specification introduces three new facilities applicable
to security contexts, indicated using the following context state
values which are not present in GSS-V1:
anon_state, set TRUE to indicate that a context's initiator is
anonymous from the viewpoint of the target; Section 1.2.5 of this
specification provides a summary description of the GSS-V2
anonymity support facility, support and use of which is optional.
prot_ready_state, set TRUE to indicate that a context may be used
for per-message protection before final completion of context
establishment; Section 1.2.7 of this specification provides a
summary description of the GSS-V2 facility enabling mechanisms to
selectively permit per-message protection during context
establishment, support and use of which is optional.
trans_state, set TRUE to indicate that a context is transferable to
another process using the GSS-V2 GSS_Export_sec_context() facility.
These state values are represented (at the C bindings level) in
positions within a bit vector which are unused in GSS-V1, and may be
safely ignored by GSS-V1 callers.
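The following C program is an added example, not part of this specification, showing how the three GSS-V2 state values look from each side of the compatibility boundary. The flag names and bit positions it defines (GSS_C_ANON_FLAG, GSS_C_PROT_READY_FLAG, GSS_C_TRANS_FLAG and the six GSS-V1 flags) are restated from the GSS-API C bindings so that the block compiles without gssapi.h; that restatement, and the helper function names, are assumptions of the example rather than definitions in this document. The OM_uint32 typedef is likewise a local stand-in for the bindings' type.

```c
#include <stdio.h>

/* Local stand-in for the GSS-API C bindings' 32-bit unsigned type. */
typedef unsigned int OM_uint32;

/* Bit positions as laid out in the GSS-API C bindings (assumption: restated
 * here so the example is self-contained). The first six bits are the
 * GSS-V1 set; the last three carry the GSS-V2 state values anon_state,
 * prot_ready_state and trans_state, in positions GSS-V1 never assigned. */
#define GSS_C_DELEG_FLAG        1u
#define GSS_C_MUTUAL_FLAG       2u
#define GSS_C_REPLAY_FLAG       4u
#define GSS_C_SEQUENCE_FLAG     8u
#define GSS_C_CONF_FLAG        16u
#define GSS_C_INTEG_FLAG       32u
#define GSS_C_ANON_FLAG        64u   /* anon_state       */
#define GSS_C_PROT_READY_FLAG 128u   /* prot_ready_state */
#define GSS_C_TRANS_FLAG      256u   /* trans_state      */

/* Everything a GSS-V1 caller knows how to interpret. */
#define GSS_V1_KNOWN_FLAGS (GSS_C_DELEG_FLAG | GSS_C_MUTUAL_FLAG | \
                            GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | \
                            GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG)

/* The bits that only a GSS-V2 caller will act on. */
#define GSS_V2_ONLY_FLAGS (GSS_C_ANON_FLAG | GSS_C_PROT_READY_FLAG | \
                           GSS_C_TRANS_FLAG)

/* What a GSS-V1 caller effectively sees in ret_flags returned by a GSS-V2
 * provider: the V2-only bits are masked away, which is why a V2 provider
 * may set them without confusing an older caller. */
OM_uint32 v1_caller_view(OM_uint32 ret_flags)
{
    return ret_flags & GSS_V1_KNOWN_FLAGS;
}

/* The V2-only bits present in ret_flags, i.e. the state a V1 caller is
 * silently unaware of. */
OM_uint32 v2_only_bits(OM_uint32 ret_flags)
{
    return ret_flags & GSS_V2_ONLY_FLAGS;
}

/* prot_ready_state rule: per-message calls (GSS_Wrap(), GSS_GetMIC()) are
 * always usable once establishment has completed, and before completion
 * only when the mechanism has asserted prot_ready_state. A caller that
 * wraps data earlier than this is relying on protection that is not yet
 * in force. */
int v2_may_protect(int establishment_complete, OM_uint32 ret_flags)
{
    if (establishment_complete)
        return 1;
    return (ret_flags & GSS_C_PROT_READY_FLAG) != 0;
}

/* anon_state rule: the target must not make authorization or audit
 * decisions on the initiator's name when the initiator is anonymous. */
int v2_initiator_is_anonymous(OM_uint32 ret_flags)
{
    return (ret_flags & GSS_C_ANON_FLAG) != 0;
}

/* trans_state rule: only a context with this bit set may be handed to
 * another process via GSS_Export_sec_context(). */
int v2_context_is_transferable(OM_uint32 ret_flags)
{
    return (ret_flags & GSS_C_TRANS_FLAG) != 0;
}

int main(void)
{
    /* Constructed sample: a V2 provider reports confidentiality and
     * integrity, plus prot_ready_state, while establishment continues. */
    OM_uint32 ret_flags = GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG |
                          GSS_C_PROT_READY_FLAG;

    printf("V1 caller sees ret_flags = 0x%x (V2-only bits 0x%x hidden)\n",
           v1_caller_view(ret_flags), v2_only_bits(ret_flags));
    printf("V2 caller may wrap before completion: %d\n",
           v2_may_protect(0, ret_flags));
    printf("V2 caller may wrap after completion:  %d\n",
           v2_may_protect(1, ret_flags));
    printf("initiator anonymous: %d, transferable: %d\n",
           v2_initiator_is_anonymous(ret_flags),
           v2_context_is_transferable(ret_flags));
    return 0;
}
```

The useful check is the contrast between v1_caller_view() and v2_may_protect(): the V1 view of the same ret_flags word is unchanged by the new bits, while a V2 caller gains the ability to protect messages before establishment completes only because the provider explicitly said so.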
Relative to GSS-V1, GSS-V2 provides additional guidance to GSS-API
implementors in the following areas: implementation robustness,
credential management, behavior in multi-mechanism configurations,
naming support, and inclusion of optional sequencing services. The
token tagging facility as defined in GSS-V2, Section 3.1, is now
described directly in terms of octets to facilitate interoperable
implementation without general ASN.1 processing code; the
corresponding ASN.1 syntax, included for descriptive purposes, is
unchanged from that in GSS-V1. For use in conjunction with added
naming support facilities, a new Exported Name Object construct is
added. Additional name types are introduced in Section 4.
This GSS-V2 specification adds the following major_status values
which are not defined in GSS-V1:
GSS_S_BAD_QOP            unsupported QOP value
GSS_S_UNAUTHORIZED       operation unauthorized
GSS_S_UNAVAILABLE        operation unavailable
GSS_S_DUPLICATE_ELEMENT  duplicate credential element requested
GSS_S_NAME_NOT_MN        name contains multi-mechanism elements
GSS_S_GAP_TOKEN          skipped predecessor token(s) detected
Of these added status codes, only two values are defined to be
returnable by calls existing in GSS-V1: GSS_S_BAD_QOP (returnable by
GSS_GetMIC() and GSS_Wrap()), and GSS_S_GAP_TOKEN (returnable by
GSS_VerifyMIC() and GSS_Unwrap()).
Additionally, GSS-V2 descriptions of certain calls present in GSS-V1
have been updated to allow return of additional major_status values
from the set as defined in GSS-V1: GSS_Inquire_cred() has
GSS_S_DEFECTIVE_CREDENTIAL and GSS_S_CREDENTIALS_EXPIRED defined as
returnable, GSS_Init_sec_context() has GSS_S_OLD_TOKEN,
GSS_S_DUPLICATE_TOKEN, and GSS_S_BAD_MECH defined as returnable, and
GSS_Accept_sec_context() has GSS_S_BAD_MECH defined as returnable.