RFR: draft-ietf-kitten-rfc5653bis-03 JGSS-API
weijun.wang at oracle.com
Wed Apr 6 14:19:50 UTC 2016
I just posted a new version of rfc5653bis.
The major changes in this I-D (compared to RFC 5653) are:
1. public byte GSSException#getOutputToken(). If initSecContext or acceptSecContext fail, the exception could contain a token that can be sent to the peer. For Kerberos 5, this is normally a KRB-ERROR message.
2. All stream-based GSSContext methods are removed. Reason: "The wire protocol should be defined by an application and not a library. It's also impossible to implement these methods correctly when the token has no self-framing (where the end cannot be determined) or the library has no knowledge of the token format (for example, as a bridge talking to another GSS library)".
The #1 above was already in draft-ietf-kitten-rfc5653bis-02, #2 is new in -03.
> Begin forwarded message:
> A new version of I-D, draft-ietf-kitten-rfc5653bis-03.txt
> has been successfully submitted by Wang Weijun and posted to the
> IETF repository.
> Name: draft-ietf-kitten-rfc5653bis
> Revision: 03
> Title: Generic Security Service API Version 2: Java Bindings Update
> Document date: 2016-04-05
> Group: kitten
> Pages: 96
> URL: https://www.ietf.org/internet-drafts/draft-ietf-kitten-rfc5653bis-03.txt
> Status: https://datatracker.ietf.org/doc/draft-ietf-kitten-rfc5653bis/
> Htmlized: https://tools.ietf.org/html/draft-ietf-kitten-rfc5653bis-03
> Diff: https://www.ietf.org/rfcdiff?url2=draft-ietf-kitten-rfc5653bis-03
> The Generic Security Services Application Program Interface (GSS-API)
> offers application programmers uniform access to security services
> atop a variety of underlying cryptographic mechanisms. This document
> updates the Java bindings for the GSS-API that are specified in
> "Generic Security Service API Version 2 : Java Bindings Update" (RFC
> 5653). This document obsoletes RFC 5653 by adding a new output token
> field to the GSSException class so that when the initSecContext or
> acceptSecContext methods of the GSSContext class fail, it has a
> chance to emit an error token which can be sent to the peer for
> debugging or informational purpose. The stream-based GSSContext
> methods are also removed in this version.
> The GSS-API is described at a language-independent conceptual level
> in "Generic Security Service Application Program Interface Version 2,
> Update 1" (RFC 2743). The GSS-API allows a caller application to
> authenticate a principal identity, to delegate rights to a peer, and
> to apply security services such as confidentiality and integrity on a
> per-message basis. Examples of security mechanisms defined for GSS-
> API are "The Simple Public-Key GSS-API Mechanism" (RFC 2025) and "The
> Kerberos Version 5 Generic Security Service Application Program
> Interface (GSS-API) Mechanism: Version 2" (RFC 4121).
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> The IETF Secretariat
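As an added illustration (not code from the draft or from the message above), here is an initiator-side context-establishment loop in Java that reflects both changes: the application frames each token itself with a length prefix, since the stream-based methods are gone, and on failure it forwards the error token exposed by the draft's GSSException#getOutputToken(). It assumes a JGSS implementation that provides that method as specified in rfc5653bis; the 4-byte framing and the MAX_TOKEN bound are this example's own choices.

```java
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;

public final class InitiatorLoop {
    // Upper bound on an incoming token (example's own choice): an unauthenticated
    // peer must not be able to make us allocate an arbitrarily large buffer.
    static final int MAX_TOKEN = 64 * 1024;

    // Application-defined framing: 4-byte big-endian length, then the raw token.
    static void writeToken(DataOutputStream out, byte[] token) throws IOException {
        out.writeInt(token.length);
        out.write(token);
        out.flush();
    }

    static byte[] readToken(DataInputStream in) throws IOException {
        int len = in.readInt();
        if (len < 0 || len > MAX_TOKEN) {
            throw new IOException("rejecting token with length " + len);
        }
        byte[] token = new byte[len];
        in.readFully(token);
        return token;
    }

    static void establish(GSSContext ctx, DataInputStream in, DataOutputStream out)
            throws GSSException, IOException {
        byte[] inToken = new byte[0];
        while (!ctx.isEstablished()) {
            byte[] outToken;
            try {
                // An error token received from the acceptor is fed in here too, so the
                // mechanism (not the application) interprets it and raises the failure.
                outToken = ctx.initSecContext(inToken, 0, inToken.length);
            } catch (GSSException e) {
                // rfc5653bis: a failed initSecContext may carry an error token for the
                // peer (for Kerberos 5, normally a KRB-ERROR); send it, then give up.
                byte[] errToken = e.getOutputToken();
                if (errToken != null) {
                    writeToken(out, errToken);
                }
                throw e;
            }
            if (outToken != null) {
                writeToken(out, outToken);
            }
            if (!ctx.isEstablished()) {
                inToken = readToken(in);
            }
        }
    }
}
```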