GSS-V2 COMPATIBILITY WITH GSS-V1
It is the intent of this document to define an interface and
procedures which preserve compatibility between GSS-V1 (RFC-1508)
callers and GSS- V2 providers. All calls defined in GSS-V1 are
preserved, and it has been a goal that GSS-V1 callers should be able
to operate atop GSS-V2 provider implementations. Certain detailed
changes, summarized in this section, have been made in order to
resolve omissions identified in GSS-V1.
The following GSS-V1 constructs, while supported within GSS-V2, are
Names for per-message processing routines: GSS_Seal() deprecated
in favor of GSS_Wrap(); GSS_Sign() deprecated in favor of
GSS_GetMIC(); GSS_Unseal() deprecated in favor of GSS_Unwrap();
GSS_Verify() deprecated in favor of GSS_VerifyMIC().
GSS_Delete_sec_context() facility for context_token usage,
allowing mechanisms to signal context deletion, is retained for
compatibility with GSS-V1. For current usage, it is recommended
that both peers to a context invoke GSS_Delete_sec_context()
independently, passing a null output_context_token buffer to
indicate that no context_token is required. Implementations of
GSS_Delete_sec_context() should delete relevant locally-stored
This GSS-V2 specification adds the following calls which are not
present in GSS-V1:
Credential management calls: GSS_Add_cred(),
Context-level calls: GSS_Inquire_context(), GSS_Wrap_size_limit(),
Per-message calls: No new calls. Existing calls have been renamed.
Support calls: GSS_Create_empty_OID_set(),
GSS_Release_OID(), GSS_OID_to_str(), GSS_Str_to_OID(),
GSS_Canonicalize_name(), GSS_Export_name(), GSS_Duplicate_name().
This GSS-V2 specification introduces three new facilities applicable
to security contexts, indicated using the following context state
values which are not present in GSS-V1:
anon_state, set TRUE to indicate that a context's initiator is
anonymous from the viewpoint of the target; Section 1.2.5 of this
specification provides a summary description of the GSS-V2
anonymity support facility, support and use of which is optional.
prot_ready_state, set TRUE to indicate that a context may be used
for per-message protection before final completion of context
establishment; Section 1.2.7 of this specification provides a
summary description of the GSS-V2 facility enabling mechanisms to
selectively permit per-message protection during context
establishment, support and use of which is optional.
trans_state, set TRUE to indicate that a context is transferable to
another process using the GSS-V2 GSS_Export_sec_context() facility.
These state values are represented (at the C bindings level) in
positions within a bit vector which are unused in GSS-V1, and may be
safely ignored by GSS-V1 callers.
Relative to GSS-V1, GSS-V2 provides additional guidance to GSS-API
implementors in the following areas: implementation robustness,
credential management, behavior in multi-mechanism configurations,
naming support, and inclusion of optional sequencing services. The
token tagging facility as defined in GSS-V2, Section 3.1, is now
described directly in terms of octets to facilitate interoperable
implementation without general ASN.1 processing code; the
corresponding ASN.1 syntax, included for descriptive purposes, is
unchanged from that in GSS-V1. For use in conjunction with added
naming support facilities, a new Exported Name Object construct is
added. Additional name types are introduced in Section 4.
This GSS-V2 specification adds the following major_status values
which are not defined in GSS-V1:
GSS_S_BAD_QOP unsupported QOP value
GSS_S_UNAUTHORIZED operation unauthorized
GSS_S_UNAVAILABLE operation unavailable
GSS_S_DUPLICATE_ELEMENT duplicate credential element requested
GSS_S_NAME_NOT_MN name contains multi-mechanism elements
GSS_S_GAP_TOKEN skipped predecessor token(s)
Of these added status codes, only two values are defined to be
returnable by calls existing in GSS-V1: GSS_S_BAD_QOP (returnable by
GSS_GetMIC() and GSS_Wrap()), and GSS_S_GAP_TOKEN (returnable by
GSS_VerifyMIC() and GSS_Unwrap()).
Additionally, GSS-V2 descriptions of certain calls present in GSS-V1
have been updated to allow return of additional major_status values
from the set as defined in GSS-V1: GSS_Inquire_cred() has
GSS_S_DEFECTIVE_CREDENTIAL and GSS_S_CREDENTIALS_EXPIRED defined as
returnable, GSS_Init_sec_context() has GSS_S_OLD_TOKEN,
GSS_S_DUPLICATE_TOKEN, and GSS_S_BAD_MECH defined as returnable, and
GSS_Accept_sec_context() has GSS_S_BAD_MECH defined as returnable.