Notes:
- The application acquires a set of credentials with which it may prove its identity to other processes. The application's credentials vouch for its global (mechanism-level, e.g. Kerberos principal) identity, which may be related to, but is not the same thing as, the local user name under which it is running.
- A pair of communicating applications establish a joint security context using their credentials. The security context is a pair of GSSAPI data structures (one per peer) that contain shared-state information, such as the negotiated keys and sequence numbers, needed to provide the per-message security services. Establishment may take several round trips: each side calls the initiate/accept routine repeatedly, passing the token it received from the peer, until the routine reports that the context is complete rather than that continuation is needed.
- Per-message services are invoked to apply either integrity and data origin authentication, or confidentiality, integrity and data origin authentication, to application data, which GSSAPI treats as arbitrary octet strings. The application transmitting a message that it wishes to protect calls the appropriate GSSAPI routine (sign or seal in the original GSSAPI v1 naming; gss_get_mic or gss_wrap in v2) to apply protection, specifying the appropriate security context, and sends the result to the receiving application. The receiver passes the received data to the corresponding decoding routine (verify or unseal; gss_verify_mic or gss_unwrap in v2) to remove the protection and validate the data; a failed check means the message was tampered with, replayed or sent under a different context, and must be rejected rather than used.
- At the completion of a communications session (which may extend across several connections), the peer applications call GSSAPI routines to delete the security context, so that its keys and other state are released. Multiple contexts may also be used (either successively or simultaneously) within a single communications association.
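As an added example (not part of the original notes, and not real GSSAPI code), the whole sequence above modelled end to end in Python: credential acquisition, a three-leg context-establishment token exchange that returns CONTINUE_NEEDED until both peers are authenticated, a MIC token (integrity only) versus a wrap token (confidentiality plus integrity), receiver-side validation including a sequence-number replay check, and context deletion. The "mechanism" is a constructed pre-shared-key challenge/response standing in for a real one such as Kerberos; all principal names, keys and function signatures are assumptions chosen to mirror the shape of gss_init_sec_context, gss_accept_sec_context, gss_get_mic, gss_wrap and gss_delete_sec_context.

```python
"""Toy model of the GSSAPI calling sequence. Added example: NOT real GSSAPI.
The mechanism is a constructed pre-shared-key challenge/response; the crypto
is deliberately minimal (HMAC-SHA256 MIC, HMAC-derived keystream)."""
import hmac, hashlib, os, struct

# Constructed credential store: the long-term secret shared by a principal pair.
_KEYS = {frozenset({"alice@EXAMPLE", "host@srv.example"}): b"pre-shared-key-for-the-example"}
CONTINUE_NEEDED, COMPLETE = "CONTINUE_NEEDED", "COMPLETE"

def _mac(key, *parts):
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def acquire_cred(name):
    """Credential handle: in this toy just the principal name (keys looked up by pair)."""
    return {"name": name}

class Context:
    """One peer's half of the security context: keys, nonces, sequence state."""
    def __init__(self, role, me, peer):
        self.role, self.me, self.peer = role, me, peer
        self.nonce_i = self.nonce_a = None
        self.send_key = self.recv_key = None
        self.send_seq, self.recv_seq = 0, -1        # recv_seq = last accepted peer seq
        self.established = self.deleted = False
    def pair_key(self):
        return _KEYS[frozenset({self.me, self.peer})]
    def derive(self):                               # per-direction context keys
        k = self.pair_key()
        ki = _mac(k, b"init->acc", self.nonce_i, self.nonce_a)
        ka = _mac(k, b"acc->init", self.nonce_i, self.nonce_a)
        self.send_key, self.recv_key = (ki, ka) if self.role == "initiator" else (ka, ki)
        self.established = True

def init_sec_context(cred, target, ctx=None, input_token=None):
    if ctx is None:                                 # leg 1: name + fresh nonce
        ctx = Context("initiator", cred["name"], target)
        ctx.nonce_i = os.urandom(16)
        return ctx, ctx.me.encode() + b"\0" + ctx.nonce_i, CONTINUE_NEEDED
    ctx.nonce_a, proof = input_token[:16], input_token[16:]   # leg 3
    if not hmac.compare_digest(proof, _mac(ctx.pair_key(), b"accept", ctx.nonce_i, ctx.nonce_a)):
        raise ValueError("acceptor authentication failed")
    ctx.derive()
    return ctx, _mac(ctx.pair_key(), b"init", ctx.nonce_i, ctx.nonce_a), COMPLETE

def accept_sec_context(cred, ctx=None, input_token=None):
    if ctx is None:                                 # leg 2: challenge + own proof
        name, nonce_i = input_token.split(b"\0", 1)
        ctx = Context("acceptor", cred["name"], name.decode())
        ctx.nonce_i, ctx.nonce_a = nonce_i, os.urandom(16)
        return ctx, ctx.nonce_a + _mac(ctx.pair_key(), b"accept", nonce_i, ctx.nonce_a), CONTINUE_NEEDED
    if not hmac.compare_digest(input_token, _mac(ctx.pair_key(), b"init", ctx.nonce_i, ctx.nonce_a)):
        raise ValueError("initiator authentication failed")
    ctx.derive()
    return ctx, None, COMPLETE

def _check(ctx):
    if ctx.deleted or not ctx.established:
        raise RuntimeError("no established security context")

def _next_seq(ctx):
    seq = struct.pack(">Q", ctx.send_seq); ctx.send_seq += 1
    return seq

def _accept_seq(ctx, seq):                          # replay / out-of-order rejection
    n = struct.unpack(">Q", seq)[0]
    if n <= ctx.recv_seq:
        raise ValueError("replayed or out-of-order token")
    ctx.recv_seq = n

def get_mic(ctx, msg):
    """Integrity + data-origin authentication only; msg itself travels in clear."""
    _check(ctx); seq = _next_seq(ctx)
    return seq + _mac(ctx.send_key, b"mic", seq, msg)

def verify_mic(ctx, msg, mic):
    _check(ctx); seq, tag = mic[:8], mic[8:]
    if not hmac.compare_digest(tag, _mac(ctx.recv_key, b"mic", seq, msg)):
        raise ValueError("MIC check failed")
    _accept_seq(ctx, seq)

def _xor_stream(key, seq, data):                    # toy keystream, domain-separated
    ks = b"".join(_mac(key, b"enc", seq, struct.pack(">I", i)) for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))

def wrap(ctx, msg):
    """Confidentiality + integrity + origin authentication (encrypt-then-MAC)."""
    _check(ctx); seq = _next_seq(ctx)
    ct = _xor_stream(ctx.send_key, seq, msg)
    return seq + ct + _mac(ctx.send_key, b"wrap", seq, ct)

def unwrap(ctx, token):
    _check(ctx); seq, ct, tag = token[:8], token[8:-32], token[-32:]
    if not hmac.compare_digest(tag, _mac(ctx.recv_key, b"wrap", seq, ct)):
        raise ValueError("wrap token integrity check failed")
    _accept_seq(ctx, seq)                           # only after the MAC verified
    return _xor_stream(ctx.recv_key, seq, ct)

def delete_sec_context(ctx):
    ctx.send_key = ctx.recv_key = None; ctx.deleted = True

def run_session():
    """Both peers in one process; returns what each side recovered from the other."""
    client, server = acquire_cred("alice@EXAMPLE"), acquire_cred("host@srv.example")
    ictx, tok, st = init_sec_context(client, "host@srv.example")
    actx, tok, _ = accept_sec_context(server, input_token=tok)
    ictx, tok, st = init_sec_context(client, "host@srv.example", ictx, tok)
    actx, _, ast = accept_sec_context(server, actx, tok)
    assert st == COMPLETE and ast == COMPLETE
    req = b"GET /status"; verify_mic(actx, req, get_mic(ictx, req))   # signed, not hidden
    secret = unwrap(actx, wrap(ictx, b"password=hunter2"))             # sealed
    reply = unwrap(ictx, wrap(actx, b"200 OK"))
    delete_sec_context(ictx); delete_sec_context(actx)
    return secret, reply

if __name__ == "__main__":
    print(run_session())
```

The points to take from the model rather than from its toy crypto: the caller drives establishment in a loop keyed on the continue/complete status and never assumes one round trip; MIC and wrap tokens are distinct services and the receiver must call the matching decoding routine; the sequence number is only advanced after the integrity check succeeds, so a forged token cannot desynchronise the context; and once deleted, a context refuses further use.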