RFR: draft-ietf-kitten-rfc5653bis-03 JGSS-API

Wang Weijun weijun.wang at oracle.com
Wed Apr 6 14:19:50 UTC 2016

I just posted a new version of rfc5653bis.

The major changes in this I-D (compared to RFC 5653) are:

1. public byte[] GSSException#getOutputToken(). If initSecContext or acceptSecContext fail, the exception could contain a token that can be sent to the peer. For Kerberos 5, this is normally a KRB-ERROR message.

2. All stream-based GSSContext methods are removed. Reason: "The wire protocol should be defined by an application and not a library.  It's also impossible to implement these methods correctly when the token has no self-framing (where the end cannot be determined) or the library has no knowledge of the token format (for example, as a bridge talking to another GSS library)".

#1 above was already in draft-ietf-kitten-rfc5653bis-02; #2 is new in -03.


> Begin forwarded message:
> A new version of I-D, draft-ietf-kitten-rfc5653bis-03.txt
> has been successfully submitted by Wang Weijun and posted to the
> IETF repository.
> Name:		draft-ietf-kitten-rfc5653bis
> Revision:	03
> Title:		Generic Security Service API Version 2: Java Bindings Update
> Document date:	2016-04-05
> Group:		kitten
> Pages:		96
> URL:            https://www.ietf.org/internet-drafts/draft-ietf-kitten-rfc5653bis-03.txt
> Status:         https://datatracker.ietf.org/doc/draft-ietf-kitten-rfc5653bis/
> Htmlized:       https://tools.ietf.org/html/draft-ietf-kitten-rfc5653bis-03
> Diff:           https://www.ietf.org/rfcdiff?url2=draft-ietf-kitten-rfc5653bis-03
> Abstract:
>  The Generic Security Services Application Program Interface (GSS-API)
>  offers application programmers uniform access to security services
>  atop a variety of underlying cryptographic mechanisms.  This document
>  updates the Java bindings for the GSS-API that are specified in
>  "Generic Security Service API Version 2 : Java Bindings Update" (RFC
>  5653).  This document obsoletes RFC 5653 by adding a new output token
>  field to the GSSException class so that when the initSecContext or
>  acceptSecContext methods of the GSSContext class fail, it has a
>  chance to emit an error token which can be sent to the peer for
>  debugging or informational purposes.  The stream-based GSSContext
>  methods are also removed in this version.
>  The GSS-API is described at a language-independent conceptual level
>  in "Generic Security Service Application Program Interface Version 2,
>  Update 1" (RFC 2743).  The GSS-API allows a caller application to
>  authenticate a principal identity, to delegate rights to a peer, and
>  to apply security services such as confidentiality and integrity on a
>  per-message basis.  Examples of security mechanisms defined for GSS-
>  API are "The Simple Public-Key GSS-API Mechanism" (RFC 2025) and "The
>  Kerberos Version 5 Generic Security Service Application Program
>  Interface (GSS-API) Mechanism: Version 2" (RFC 4121).
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> The IETF Secretariat
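The two changes described in the post, as an added example that is not part of the draft, the JDK, or this message: an initiator loop that frames tokens itself (the application-defined wire protocol of point 2) and forwards the error token of a failed initSecContext to the peer (point 1). It assumes a JGSS implementation that provides the GSSException#getOutputToken() method this draft defines (the JDK's own org.ietf.jgss may not); the Socket, the host-based service name and the 4-byte length framing are assumptions of this example.

```java
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.net.Socket;
import org.ietf.jgss.*;

public final class InitiatorLoop {
    // Application-defined framing (point 2): 4-byte big-endian length, then the token.
    static void sendToken(DataOutputStream out, byte[] token) throws IOException {
        out.writeInt(token.length);
        out.write(token);
        out.flush();
    }

    static byte[] receiveToken(DataInputStream in) throws IOException {
        int len = in.readInt();
        if (len < 0 || len > 64 * 1024) {     // refuse absurd lengths from the peer
            throw new IOException("bad token length: " + len);
        }
        byte[] token = new byte[len];
        in.readFully(token);
        return token;
    }

    // Drives initSecContext until the context is established or fails (point 1).
    public static GSSContext establish(Socket socket, String service) throws IOException, GSSException {
        DataInputStream in = new DataInputStream(socket.getInputStream());
        DataOutputStream out = new DataOutputStream(socket.getOutputStream());
        GSSManager manager = GSSManager.getInstance();
        GSSName peer = manager.createName(service, GSSName.NT_HOSTBASED_SERVICE);
        Oid krb5 = new Oid("1.2.840.113554.1.2.2");   // Kerberos 5 mechanism OID
        GSSContext ctx = manager.createContext(peer, krb5, null, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);
        byte[] inToken = new byte[0];
        try {
            while (!ctx.isEstablished()) {
                byte[] outToken = ctx.initSecContext(inToken, 0, inToken.length);
                if (outToken != null) sendToken(out, outToken);
                if (!ctx.isEstablished()) inToken = receiveToken(in);
            }
            return ctx;
        } catch (GSSException e) {
            // A failed initSecContext may still carry an error token (for Kerberos 5,
            // normally a KRB-ERROR); forward it so the peer can see why we gave up.
            byte[] errToken = e.getOutputToken();   // method added by rfc5653bis (assumed present)
            if (errToken != null) sendToken(out, errToken);
            ctx.dispose();
            throw e;
        }
    }
}
```

On the acceptor side the same framing is used, and the forwarded error token is simply passed to acceptSecContext, which then throws with the peer's error details instead of timing out waiting for a token that never arrives.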
