draft-ietf-kitten-rfc2853bis-01.txt   draft-ietf-kitten-rfc2853bis-02.txt

(rfcdiff of the two revisions: -01 is dated January 27, 2006 and expires July 31, 2006; -02 is dated August 16, 2006 and expires February 17, 2007. The text below is the -02 column.)

Network Working Group                                        M. Upadhyay
Internet-Draft                                                    Google
Expires: February 17, 2007                                    S. Malkani
                                                        Sun Microsystems
                                                         August 16, 2006

       Generic Security Service API Version 2 : Java Bindings Update
                   draft-ietf-kitten-rfc2853bis-02.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that

skipping to change at page 1, line 35

   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on February 17, 2007.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   The Generic Security Services Application Program Interface (GSS-API)
   offers application programmers uniform access to security services
   atop a variety of underlying cryptographic mechanisms.  This document
   updates the Java bindings for the GSS-API that are specified in
   "Generic Security Service API version 2 : Java Bindings" (RFC2853).
   This document obsoletes RFC2853 by making specific and incremental
   clarifications and corrections to it in response to identification of
   transcription errors and implementation experience.  The note-worthy
   changes are in sections 4.12.1, 6.2.2, 6.3.2, and 6.8.1 of RFC2853,
   which are replaced by the sections 5.12.1, 7.2.2, 7.3.2, and 7.8.1 of
   this document, where numerical constants were either added or
   modified.

   The GSS-API is described at a language independent conceptual level
   in "Generic Security Service Application Program Interface Version 2,
   Update 1" (RFC2743).  The GSS-API allows a caller application to
   authenticate a principal identity, to delegate rights to a peer, and
   to apply security services such as confidentiality and integrity on a
   per-message basis.  Examples of security mechanisms defined for GSS-
   API are "The Simple Public-Key GSS-API Mechanism" (RFC2025) and "The
   Kerberos Version 5 GSS-API Mechanism" (RFC4121).
Table of Contents

   1.  Conventions Used in This Document . . . . . . . . . . . . . .   7
   2.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   8
   3.  GSS-API Operational Paradigm  . . . . . . . . . . . . . . . .   9
   4.  Additional Controls . . . . . . . . . . . . . . . . . . . . .  11
     4.1  Delegation . . . . . . . . . . . . . . . . . . . . . . . .  12
     4.2  Mutual Authentication  . . . . . . . . . . . . . . . . . .  13
     4.3  Replay and Out-of-Sequence Detection . . . . . . . . . . .  13
     4.4  Anonymous Authentication . . . . . . . . . . . . . . . . .  14
     4.5  Confidentiality  . . . . . . . . . . . . . . . . . . . . .  15
     4.6  Inter-process Context Transfer . . . . . . . . . . . . . .  15
     4.7  The Use of Incomplete Contexts . . . . . . . . . . . . . .  16
   5.  Calling Conventions . . . . . . . . . . . . . . . . . . . . .  17
     5.1  Package Name . . . . . . . . . . . . . . . . . . . . . . .  17
     5.2  Provider Framework . . . . . . . . . . . . . . . . . . . .  17
     5.3  Integer Types  . . . . . . . . . . . . . . . . . . . . . .  18
     5.4  Opaque Data Types  . . . . . . . . . . . . . . . . . . . .  18
     5.5  Strings  . . . . . . . . . . . . . . . . . . . . . . . . .  18
     5.6  Object Identifiers . . . . . . . . . . . . . . . . . . . .  18
     5.7  Object Identifier Sets . . . . . . . . . . . . . . . . . .  19
     5.8  Credentials  . . . . . . . . . . . . . . . . . . . . . . .  19
     5.9  Contexts . . . . . . . . . . . . . . . . . . . . . . . . .  21
     5.10 Authentication Tokens  . . . . . . . . . . . . . . . . . .  21
     5.11 Interprocess Tokens  . . . . . . . . . . . . . . . . . . .  22
     5.12 Error Reporting  . . . . . . . . . . . . . . . . . . . . .  22
       5.12.1 GSS Status Codes . . . . . . . . . . . . . . . . . . .  22
       5.12.2 Mechanism-Specific Status Codes  . . . . . . . . . . .  25
       5.12.3 Supplementary Status Codes . . . . . . . . . . . . . .  25
     5.13 Names  . . . . . . . . . . . . . . . . . . . . . . . . . .  26
     5.14 Channel Bindings . . . . . . . . . . . . . . . . . . . . .  28
     5.15 Stream Objects . . . . . . . . . . . . . . . . . . . . . .  29
     5.16 Optional Parameters  . . . . . . . . . . . . . . . . . . .  29
   6.  Introduction to GSS-API Classes and Interfaces  . . . . . . .  31
     6.1  GSSManager class . . . . . . . . . . . . . . . . . . . . .  31
     6.2  GSSName interface  . . . . . . . . . . . . . . . . . . . .  32
     6.3  GSSCredential interface  . . . . . . . . . . . . . . . . .  32
     6.4  GSSContext interface . . . . . . . . . . . . . . . . . . .  33
     6.5  MessageProp class  . . . . . . . . . . . . . . . . . . . .  35
     6.6  GSSException class . . . . . . . . . . . . . . . . . . . .  35
     6.7  Oid class  . . . . . . . . . . . . . . . . . . . . . . . .  35
     6.8  ChannelBinding class . . . . . . . . . . . . . . . . . . .  36
   7.  Detailed GSS-API Class Description  . . . . . . . . . . . . .  37
     7.1  public abstract class GSSManager . . . . . . . . . . . . .  37
       7.1.1  Example Code . . . . . . . . . . . . . . . . . . . . .  38
       7.1.2  getInstance  . . . . . . . . . . . . . . . . . . . . .  38
       7.1.3  getMechs . . . . . . . . . . . . . . . . . . . . . . .  38
       7.1.4  getNamesForMech  . . . . . . . . . . . . . . . . . . .  39
       7.1.5  getMechsForName  . . . . . . . . . . . . . . . . . . .  39
       7.1.6  createName . . . . . . . . . . . . . . . . . . . . . .  39
       7.1.7  createName . . . . . . . . . . . . . . . . . . . . . .  40
       7.1.8  createName . . . . . . . . . . . . . . . . . . . . . .  40
       7.1.9  createName . . . . . . . . . . . . . . . . . . . . . .  41
       7.1.10 createCredential . . . . . . . . . . . . . . . . . . .  41
       7.1.11 createCredential . . . . . . . . . . . . . . . . . . .  42
       7.1.12 createCredential . . . . . . . . . . . . . . . . . . .  42
       7.1.13 createContext  . . . . . . . . . . . . . . . . . . . .  43
       7.1.14 createContext  . . . . . . . . . . . . . . . . . . . .  43
       7.1.15 createContext  . . . . . . . . . . . . . . . . . . . .  44
       7.1.16 addProviderAtFront . . . . . . . . . . . . . . . . . .  44
       7.1.17 Example Code . . . . . . . . . . . . . . . . . . . . .  45
       7.1.18 addProviderAtEnd . . . . . . . . . . . . . . . . . . .  46
       7.1.19 Example Code . . . . . . . . . . . . . . . . . . . . .  46
     7.2  public interface GSSName . . . . . . . . . . . . . . . . .  47
       7.2.1  Example Code . . . . . . . . . . . . . . . . . . . . .  47
       7.2.2  Static Constants . . . . . . . . . . . . . . . . . . .  48
       7.2.3  equals . . . . . . . . . . . . . . . . . . . . . . . .  49
       7.2.4  equals . . . . . . . . . . . . . . . . . . . . . . . .  49
       7.2.5  canonicalize . . . . . . . . . . . . . . . . . . . . .  50
       7.2.6  export . . . . . . . . . . . . . . . . . . . . . . . .  50
       7.2.7  toString . . . . . . . . . . . . . . . . . . . . . . .  50
       7.2.8  getStringNameType  . . . . . . . . . . . . . . . . . .  51
       7.2.9  isAnonymous  . . . . . . . . . . . . . . . . . . . . .  51
       7.2.10 isMN . . . . . . . . . . . . . . . . . . . . . . . . .  51
     7.3  public interface GSSCredential implements Cloneable  . . .  51
       7.3.1  Example Code . . . . . . . . . . . . . . . . . . . . .  52
       7.3.2  Static Constants . . . . . . . . . . . . . . . . . . .  53
       7.3.3  dispose  . . . . . . . . . . . . . . . . . . . . . . .  53
       7.3.4  getName  . . . . . . . . . . . . . . . . . . . . . . .  53
       7.3.5  getName  . . . . . . . . . . . . . . . . . . . . . . .  53
       7.3.6  getRemainingLifetime . . . . . . . . . . . . . . . . .  54
       7.3.7  getRemainingInitLifetime . . . . . . . . . . . . . . .  54
       7.3.8  getRemainingAcceptLifetime . . . . . . . . . . . . . .  54
       7.3.9  getUsage . . . . . . . . . . . . . . . . . . . . . . .  55
       7.3.10 getUsage . . . . . . . . . . . . . . . . . . . . . . .  55
       7.3.11 getMechs . . . . . . . . . . . . . . . . . . . . . . .  55
       7.3.12 add  . . . . . . . . . . . . . . . . . . . . . . . . .  55
       7.3.13 equals . . . . . . . . . . . . . . . . . . . . . . . .  56
     7.4  public interface GSSContext  . . . . . . . . . . . . . . .  56
       7.4.1  Example Code . . . . . . . . . . . . . . . . . . . . .  57
       7.4.2  Static Constants . . . . . . . . . . . . . . . . . . .  59
       7.4.3  initSecContext . . . . . . . . . . . . . . . . . . . .  59
       7.4.4  Example Code . . . . . . . . . . . . . . . . . . . . .  61
       7.4.5  initSecContext . . . . . . . . . . . . . . . . . . . .  61
       7.4.6  Example Code . . . . . . . . . . . . . . . . . . . . .  62
       7.4.7  acceptSecContext . . . . . . . . . . . . . . . . . . .  63
       7.4.8  Example Code . . . . . . . . . . . . . . . . . . . . .  64
       7.4.9  acceptSecContext . . . . . . . . . . . . . . . . . . .  65
       7.4.10 Example Code . . . . . . . . . . . . . . . . . . . . .  65
       7.4.11 isEstablished  . . . . . . . . . . . . . . . . . . . .  66
       7.4.12 dispose  . . . . . . . . . . . . . . . . . . . . . . .  66
       7.4.13 getWrapSizeLimit . . . . . . . . . . . . . . . . . . .  67
       7.4.14 wrap . . . . . . . . . . . . . . . . . . . . . . . . .  67
       7.4.15 wrap . . . . . . . . . . . . . . . . . . . . . . . . .  68
       7.4.16 unwrap . . . . . . . . . . . . . . . . . . . . . . . .  69
       7.4.17 unwrap . . . . . . . . . . . . . . . . . . . . . . . .  70
       7.4.18 getMIC . . . . . . . . . . . . . . . . . . . . . . . .  71
       7.4.19 getMIC . . . . . . . . . . . . . . . . . . . . . . . .  71
       7.4.20 verifyMIC  . . . . . . . . . . . . . . . . . . . . . .  72
       7.4.21 verifyMIC  . . . . . . . . . . . . . . . . . . . . . .  73
       7.4.22 export . . . . . . . . . . . . . . . . . . . . . . . .  73
       7.4.23 requestMutualAuth  . . . . . . . . . . . . . . . . . .  74
       7.4.24 requestReplayDet . . . . . . . . . . . . . . . . . . .  74
       7.4.25 requestSequenceDet . . . . . . . . . . . . . . . . . .  75
       7.4.26 requestCredDeleg . . . . . . . . . . . . . . . . . . .  75
       7.4.27 requestAnonymity . . . . . . . . . . . . . . . . . . .  75
       7.4.28 requestConf  . . . . . . . . . . . . . . . . . . . . .  76
       7.4.29 requestInteg . . . . . . . . . . . . . . . . . . . . .  76
       7.4.30 requestLifetime  . . . . . . . . . . . . . . . . . . .  76
       7.4.31 setChannelBinding  . . . . . . . . . . . . . . . . . .  76
       7.4.32 getCredDelegState  . . . . . . . . . . . . . . . . . .  77
       7.4.33 getMutualAuthState . . . . . . . . . . . . . . . . . .  77
       7.4.34 getReplayDetState  . . . . . . . . . . . . . . . . . .  77
       7.4.35 getSequenceDetState  . . . . . . . . . . . . . . . . .  77
       7.4.36 getAnonymityState  . . . . . . . . . . . . . . . . . .  78
       7.4.37 isTransferable . . . . . . . . . . . . . . . . . . . .  78
       7.4.38 isProtReady  . . . . . . . . . . . . . . . . . . . . .  78
       7.4.39 getConfState . . . . . . . . . . . . . . . . . . . . .  78
       7.4.40 getIntegState  . . . . . . . . . . . . . . . . . . . .  78
       7.4.41 getLifetime  . . . . . . . . . . . . . . . . . . . . .  78
       7.4.42 getSrcName . . . . . . . . . . . . . . . . . . . . . .  79
       7.4.43 getTargName  . . . . . . . . . . . . . . . . . . . . .  79
       7.4.44 getMech  . . . . . . . . . . . . . . . . . . . . . . .  79
       7.4.45 getDelegCred . . . . . . . . . . . . . . . . . . . . .  79
       7.4.46 isInitiator  . . . . . . . . . . . . . . . . . . . . .  79
     7.5  public class MessageProp . . . . . . . . . . . . . . . . .  79
       7.5.1  Constructors . . . . . . . . . . . . . . . . . . . . .  80
       7.5.2  getQOP . . . . . . . . . . . . . . . . . . . . . . . .  80
       7.5.3  getPrivacy . . . . . . . . . . . . . . . . . . . . . .  81
       7.5.4  getMinorStatus . . . . . . . . . . . . . . . . . . . .  81
       7.5.5  getMinorString . . . . . . . . . . . . . . . . . . . .  81
       7.5.6  setQOP . . . . . . . . . . . . . . . . . . . . . . . .  81
       7.5.7  setPrivacy . . . . . . . . . . . . . . . . . . . . . .  81
       7.5.8  isDuplicateToken . . . . . . . . . . . . . . . . . . .  81
       7.5.9  isOldToken . . . . . . . . . . . . . . . . . . . . . .  82
       7.5.10 isUnseqToken . . . . . . . . . . . . . . . . . . . . .  82
       7.5.11 isGapToken . . . . . . . . . . . . . . . . . . . . . .  82
       7.5.12 setSupplementaryStates . . . . . . . . . . . . . . . .  82
     7.6  public class ChannelBinding  . . . . . . . . . . . . . . .  83
       7.6.1  Constructors . . . . . . . . . . . . . . . . . . . . .  83
       7.6.2  getInitiatorAddress  . . . . . . . . . . . . . . . . .  84
       7.6.3  getAcceptorAddress . . . . . . . . . . . . . . . . . .  84
       7.6.4  getApplicationData . . . . . . . . . . . . . . . . . .  84
       7.6.5  equals . . . . . . . . . . . . . . . . . . . . . . . .  84
     7.7  public class Oid . . . . . . . . . . . . . . . . . . . . .  84
       7.7.1  Constructors . . . . . . . . . . . . . . . . . . . . .  85
       7.7.2  toString . . . . . . . . . . . . . . . . . . . . . . .  85
       7.7.3  equals . . . . . . . . . . . . . . . . . . . . . . . .  86
       7.7.4  getDER . . . . . . . . . . . . . . . . . . . . . . . .  86
       7.7.5  containedIn  . . . . . . . . . . . . . . . . . . . . .  86
     7.8  public class GSSException extends Exception  . . . . . . .  86
       7.8.1  Static Constants . . . . . . . . . . . . . . . . . . .  87
       7.8.2  Constructors . . . . . . . . . . . . . . . . . . . . .  89
       7.8.3  getMajor . . . . . . . . . . . . . . . . . . . . . . .  90
       7.8.4  getMinor . . . . . . . . . . . . . . . . . . . . . . .  90
       7.8.5  getMajorString . . . . . . . . . . . . . . . . . . . .  90
       7.8.6  getMinorString . . . . . . . . . . . . . . . . . . . .  90
       7.8.7  setMinor . . . . . . . . . . . . . . . . . . . . . . .  90
       7.8.8  toString . . . . . . . . . . . . . . . . . . . . . . .  90
       7.8.9  getMessage . . . . . . . . . . . . . . . . . . . . . .  91
   8.  Sample Applications . . . . . . . . . . . . . . . . . . . . .  92
     8.1  Simple GSS Context Initiator . . . . . . . . . . . . . . .  92
     8.2  Simple GSS Context Acceptor  . . . . . . . . . . . . . . .  95
   9.  Security Considerations . . . . . . . . . . . . . . . . . . . 100
   10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 101
   11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 102
   12. References  . . . . . . . . . . . . . . . . . . . . . . . . . 103
     12.1 Normative References . . . . . . . . . . . . . . . . . . . 103
     12.2 Informative References . . . . . . . . . . . . . . . . . . 103
       Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . 103
       Intellectual Property and Copyright Statements  . . . . . . . 105
1.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Introduction

   This document specifies Java language bindings for the Generic
   Security Services Application Programming Interface Version 2 (GSS-
   API).  GSS-API Version 2 is described in a language independent
   format in RFC 2743 [GSSAPIv2-UPDATE].  The GSS-API allows a caller
   application to authenticate a principal identity, to delegate rights
   to a peer, and to apply security services such as confidentiality and
   integrity on a per-message basis.

   This document and its predecessor RFC 2853 [RFC2853] leverage the
   work done by the WG in the area of RFC 2743 [GSSAPIv2-UPDATE] and the
   C-bindings RFC 2744 [GSSAPI-Cbind].  Whenever appropriate, text has
   been used from the C-bindings RFC 2744 to explain generic concepts
   and provide direction to the implementors.

   The design goals of this API have been to satisfy all the
   functionality defined in RFC 2743 and to provide these services in an
   object oriented method.  The specification also aims to satisfy the
   needs of both types of Java application developers, those who would
   like access to a "system-wide" GSS-API implementation, as well as
   those who would want to provide their own "custom" implementation.

   A "system-wide" implementation is one that is available to all
   applications in the form of a library package.  It may be the
skipping to change at page 16, line 48 skipping to change at page 17, line 48
Using the Java security provider model insulates applications from Using the Java security provider model insulates applications from
implementation details of the services they wish to use. implementation details of the services they wish to use.
Applications can switch between providers easily and new providers Applications can switch between providers easily and new providers
can be added as needed, even at runtime. can be added as needed, even at runtime.
The GSS-API may use providers to find components for specific The GSS-API may use providers to find components for specific
underlying security mechanisms. For instance, a particular provider underlying security mechanisms. For instance, a particular provider
might contain components that will allow the GSS-API to support the might contain components that will allow the GSS-API to support the
Kerberos v5 mechanism and another might contain components to support Kerberos v5 mechanism and another might contain components to support
the SPKM mechanism. By delegating mechanism specific functionality the SPKM [RFC2025] mechanism. By delegating mechanism specific
to the components obtained from providers the GSS-API can be extended functionality to the components obtained from providers the GSS-API
to support an arbitrary list of mechanisms. can be extended to support an arbitrary list of mechanisms.
How the GSS-API locates and queries these providers is beyond the How the GSS-API locates and queries these providers is beyond the
scope of this document and is being deferred to a Service Provider scope of this document and is being deferred to a Service Provider
Interface (SPI) specification. The availability of such a SPI Interface (SPI) specification. The availability of such a SPI
specification is not mandatory for the adoption of this API specification is not mandatory for the adoption of this API
specification nor is it mandatory to use providers in the specification nor is it mandatory to use providers in the
implementation of a GSS-API framework. However, by using the implementation of a GSS-API framework. However, by using the
provider framework together with an SPI specification one can create provider framework together with an SPI specification one can create
an extensible and implementation independent GSS-API framework. an extensible and implementation independent GSS-API framework.
skipping to change at page 28, line 15 skipping to change at page 29, line 15
application specific data. application specific data.
Conceptually, the GSS-API concatenates the initiator and acceptor Conceptually, the GSS-API concatenates the initiator and acceptor
address information, and the application supplied byte array to form address information, and the application supplied byte array to form
an octet string. The mechanism calculates a MIC over this octet an octet string. The mechanism calculates a MIC over this octet
string and binds the MIC to the context establishment token emitted string and binds the MIC to the context establishment token emitted
by init method of the GSSContext interface. The same bindings are by init method of the GSSContext interface. The same bindings are
set by the context acceptor for its GSSContext object and during set by the context acceptor for its GSSContext object and during
processing of the accept method a MIC is calculated in the same way. processing of the accept method a MIC is calculated in the same way.
The calculated MIC is compared with that found in the token, and if The calculated MIC is compared with that found in the token, and if
the MICs differ, accept will throw a GSSException with the major the MICs differ, accept will throw a GSSException with the major code
code set to BAD_BINDINGS, and the context will not be established. set to BAD_BINDINGS, and the context will not be established. Some
Some mechanisms may include the actual channel binding data in the mechanisms may include the actual channel binding data in the token
token (rather than just a MIC); applications should therefore not use (rather than just a MIC); applications should therefore not use
confidential data as channel-binding components. confidential data as channel-binding components.
Individual mechanisms may impose additional constraints on addresses Individual mechanisms may impose additional constraints on addresses
that may appear in channel bindings. For example, a mechanism may that may appear in channel bindings. For example, a mechanism may
verify that the initiator address field of the channel binding verify that the initiator address field of the channel binding
contains the correct network address of the host system. Portable contains the correct network address of the host system. Portable
applications should therefore ensure that they either provide correct applications should therefore ensure that they either provide correct
information for the address fields, or omit setting of the addressing information for the address fields, or omit setting of the addressing
information. information.
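The binding flow described above, written out as an added example (not code from the draft or from any GSS-API implementation). Both peers derive the application data from a SHA-256 digest of a value they already share over the outer channel (assumed here to be the transport's handshake transcript, which is not confidential), leave the address fields unset as the previous paragraph recommends for portable applications, and the acceptor treats BAD_BINDINGS as a non-retryable failure. A configured mechanism (for example Kerberos) and contexts created by the application are assumed at runtime.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import org.ietf.jgss.ChannelBinding;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;

public final class ChannelBindingExample {

    /**
     * Derive channel-binding application data from a value both peers already
     * share over the outer channel (assumption: the transport's handshake
     * transcript). Hashing keeps the binding data non-confidential, which
     * matters because some mechanisms place the binding data itself, not
     * only a MIC over it, in the context establishment token.
     */
    public static byte[] bindingData(byte[] publicTranscript) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(publicTranscript);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is available in every conforming JRE", e);
        }
    }

    /**
     * Set bindings on a context that has not yet produced or consumed a token
     * (initiator before initSecContext, acceptor before acceptSecContext).
     * The initiator and acceptor address fields are left null, so a mechanism
     * that verifies addresses cannot reject the context because of NAT or a
     * multi-homed host; only the application data is bound.
     */
    public static void bind(GSSContext ctx, byte[] publicTranscript) throws GSSException {
        ctx.setChannelBinding(new ChannelBinding(bindingData(publicTranscript)));
    }

    /**
     * Acceptor step for one incoming token. The mechanism compares the MIC
     * (or binding data) carried in the token against the bindings set with
     * bind(); a mismatch surfaces as BAD_BINDINGS. That is not retryable:
     * either the token was produced for a different channel (a relay) or
     * the two peers disagree on the transcript. Never fall back to
     * accepting the token without bindings.
     */
    public static byte[] acceptStep(GSSContext acceptor, byte[] inToken) throws GSSException {
        try {
            return acceptor.acceptSecContext(inToken, 0, inToken.length);
        } catch (GSSException e) {
            if (e.getMajor() == GSSException.BAD_BINDINGS) {
                acceptor.dispose();   // the context will not be established; release it
            }
            throw e;
        }
    }
}
```

The same `bind()` call is made on both sides with the same transcript bytes; the loop that feeds tokens to `acceptStep()` is the application's ordinary context establishment loop.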
skipping to change at page 47, line 46 skipping to change at page 48, line 46
public static final Oid NT_HOSTBASED_SERVICE public static final Oid NT_HOSTBASED_SERVICE
Oid indicating a host-based service name form. It is used to Oid indicating a host-based service name form. It is used to
represent services associated with host computers. This name form is represent services associated with host computers. This name form is
constructed using two elements, "service" and "hostname", as follows: constructed using two elements, "service" and "hostname", as follows:
service@hostname service@hostname
Values for the "service" element are registered with the IANA. It Values for the "service" element are registered with the IANA. It
represents the following value: { 1(iso), 3(org), 6(dod), represents the following value: { iso(1) member-body(2) United
1(internet), 5(security), 6(nametypes), 2(gss-host-based-services) } States(840) mit(113554) infosys(1) gssapi(2) generic(1)
service_name(4) }
public static final Oid NT_USER_NAME public static final Oid NT_USER_NAME
Name type to indicate a named user on a local system. It represents Name type to indicate a named user on a local system. It represents
the following value: { iso(1) member-body(2) United States(840) the following value: { iso(1) member-body(2) United States(840)
mit(113554) infosys(1) gssapi(2) generic(1) user_name(1) } mit(113554) infosys(1) gssapi(2) generic(1) user_name(1) }
public static final Oid NT_MACHINE_UID_NAME public static final Oid NT_MACHINE_UID_NAME
Name type to indicate a numeric user identifier corresponding to a Name type to indicate a numeric user identifier corresponding to a
user on a local system. (e.g. Uid). It represents the following user on a local system. (e.g. Uid). It represents the following
value: { iso(1) member-body(2) United States(840) mit(113554) value: { iso(1) member-body(2) United States(840) mit(113554)
infosys(1) gssapi(2) generic(1) machine_uid_name(2) } infosys(1) gssapi(2) generic(1) machine_uid_name(2) }
skipping to change at page 55, line 35 skipping to change at page 56, line 35
GSSCredential.INITIATE_ONLY(1), GSSCredential.ACCEPT_ONLY(2) GSSCredential.INITIATE_ONLY(1), GSSCredential.ACCEPT_ONLY(2)
7.3.13 equals 7.3.13 equals
public boolean equals(Object another) public boolean equals(Object another)
Tests if this GSSCredential refers to the same entity as the supplied Tests if this GSSCredential refers to the same entity as the supplied
object. The two credentials must be acquired over the same object. The two credentials must be acquired over the same
mechanisms and must refer to the same principal. Returns "true" if mechanisms and must refer to the same principal. Returns "true" if
the two GSSCredentials refer to the same entity; "false" otherwise. the two GSSCredentials refer to the same entity; "false" otherwise.
(Note that the Java language specification requires that two objects (Note that the Java language specification [JLS] requires that two
that are equal according to the equals(Object) method must return the objects that are equal according to the equals(Object) method must
same integer result when the hashCode() method is called on them.) return the same integer result when the hashCode() method is called
on them.)
Parameters: Parameters:
another Another GSSCredential object for comparison. another Another GSSCredential object for comparison.
7.4 public interface GSSContext 7.4 public interface GSSContext
This interface encapsulates the GSS-API security context and provides This interface encapsulates the GSS-API security context and provides
the security services (wrap, unwrap, getMIC, verifyMIC) that are the security services (wrap, unwrap, getMIC, verifyMIC) that are
available over the context. Security contexts are established between available over the context. Security contexts are established
peers using locally acquired credentials. Multiple contexts may between peers using locally acquired credentials. Multiple contexts
exist simultaneously between a pair of peers, using the same or may exist simultaneously between a pair of peers, using the same or
different set of credentials. GSS-API functions in a manner different set of credentials. GSS-API functions in a manner
independent of the underlying transport protocol and depends on its independent of the underlying transport protocol and depends on its
calling application to transport its tokens between peers. calling application to transport its tokens between peers.
Before the context establishment phase is initiated, the context Before the context establishment phase is initiated, the context
initiator may request specific characteristics desired of the initiator may request specific characteristics desired of the
established context. These can be set using the set methods. After established context. These can be set using the set methods. After
the context is established, the caller can check the actual the context is established, the caller can check the actual
characteristic and services offered by the context using the query characteristic and services offered by the context using the query
methods. methods.
skipping to change at page 56, line 28 skipping to change at page 57, line 29
its peer. If an error occurs at any point, an exception will get its peer. If an error occurs at any point, an exception will get
thrown and the code will start executing in a catch block. If not, thrown and the code will start executing in a catch block. If not,
the normal flow of code continues and the application can make a call the normal flow of code continues and the application can make a call
to the isEstablished() method. If this method returns false it to the isEstablished() method. If this method returns false it
indicates that a token is needed from its peer in order to continue indicates that a token is needed from its peer in order to continue
the context establishment phase. A return value of true signals that the context establishment phase. A return value of true signals that
the local end of the context is established. This may still require the local end of the context is established. This may still require
that a token be sent to the peer, if one is produced by GSS-API. that a token be sent to the peer, if one is produced by GSS-API.
During the context establishment phase, the isProtReady() method may During the context establishment phase, the isProtReady() method may
be called to determine if the context can be used for the per-message be called to determine if the context can be used for the per-message
operations. This allows applications to use per-message operations on operations. This allows applications to use per-message operations
contexts which aren't fully established. on contexts which aren't fully established.
After the context has been established or the isProtReady() method After the context has been established or the isProtReady() method
returns "true", the query routines can be invoked to determine the returns "true", the query routines can be invoked to determine the
actual characteristics and services of the established context. The actual characteristics and services of the established context. The
application can also start using the per-message methods of wrap and application can also start using the per-message methods of wrap and
getMIC to obtain cryptographic operations on application supplied getMIC to obtain cryptographic operations on application supplied
data. data.
When the context is no longer needed, the application should call When the context is no longer needed, the application should call
dispose to release any system resources the context may be using. dispose to release any system resources the context may be using.
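The establishment loop described in the preceding paragraphs, written out for the initiator side as an added example (not code from the draft). The `TokenTransport` interface is a stand-in for the application's own token framing, which the GSS-API leaves to the caller, and a configured Kerberos mechanism with an initiator credential is assumed at runtime. The example requests its services before the first call, sends a final token even when isEstablished() has just become true, checks the query methods afterwards because a mechanism may establish the context without granting everything requested, and disposes the context on any failure.

```java
import java.io.IOException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public final class InitiatorLoop {

    /** Assumed application transport; GSS-API only produces and consumes tokens. */
    public interface TokenTransport {
        void send(byte[] token) throws IOException;
        byte[] receive() throws IOException;   // blocks until one whole token has arrived
    }

    /**
     * Establish an initiator context to "service@host", requiring mutual
     * authentication, integrity and confidentiality, and verify that the
     * mechanism actually granted them before handing the context back.
     */
    public static GSSContext establish(GSSManager mgr, GSSCredential cred,
                                       String serviceAtHost, TokenTransport tx)
            throws GSSException, IOException {
        GSSName peer = mgr.createName(serviceAtHost, GSSName.NT_HOSTBASED_SERVICE);
        Oid krb5 = new Oid("1.2.840.113554.1.2.2");   // Kerberos V5 mechanism OID
        GSSContext ctx = mgr.createContext(peer, krb5, cred, GSSContext.DEFAULT_LIFETIME);

        // Desired characteristics must be requested before the first initSecContext call.
        ctx.requestMutualAuth(true);
        ctx.requestInteg(true);
        ctx.requestConf(true);
        ctx.requestReplayDet(true);
        ctx.requestSequenceDet(true);

        byte[] inToken = new byte[0];   // an empty input starts the exchange
        try {
            while (!ctx.isEstablished()) {
                byte[] outToken = ctx.initSecContext(inToken, 0, inToken.length);
                if (outToken != null) {
                    // A token may be produced even on the call that completes
                    // establishment; it must still be delivered to the peer.
                    tx.send(outToken);
                }
                if (!ctx.isEstablished()) {
                    // isEstablished() == false: a token from the peer is needed
                    // to continue. If isProtReady() were true here, wrap/getMIC
                    // could already be used on this partially established context.
                    inToken = tx.receive();
                }
            }
            // Establishment succeeded, but only the query methods tell us what
            // was negotiated. Refuse a context that silently lacks a service we need.
            if (!ctx.getMutualAuthState() || !ctx.getIntegState() || !ctx.getConfState()) {
                throw new GSSException(GSSException.UNAVAILABLE, 0,
                        "mechanism did not provide the requested services");
            }
            return ctx;
        } catch (GSSException | IOException e) {
            ctx.dispose();   // release mechanism resources on every failure path
            throw e;
        }
    }
}
```

The acceptor side mirrors this loop with acceptSecContext in place of initSecContext; the caller of `establish()` owns the returned context and must call dispose() when done with it.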
skipping to change at page 66, line 49 skipping to change at page 67, line 49
maxTokenSize The desired maximum size of the token emitted by maxTokenSize The desired maximum size of the token emitted by
wrap. wrap.
7.4.14 wrap 7.4.14 wrap
public byte[] wrap(byte[] inBuf, int offset, int len, public byte[] wrap(byte[] inBuf, int offset, int len,
MessageProp msgProp) throws GSSException MessageProp msgProp) throws GSSException
Applies per-message security services over the established security Applies per-message security services over the established security
context. The method will return a token with a cryptographic MIC and context. The method will return a token with a cryptographic MIC and
may optionally encrypt the specified inBuf. This method is equivalent may optionally encrypt the specified inBuf. This method is
in functionality to its stream counterpart. The returned byte array equivalent in functionality to its stream counterpart. The returned
will contain both the MIC and the message. byte array will contain both the MIC and the message.
The MessageProp object is instantiated by the application and used to The MessageProp object is instantiated by the application and used to
specify a QOP value which selects cryptographic algorithms, and a specify a QOP value which selects cryptographic algorithms, and a
privacy service to optionally encrypt the message. The underlying privacy service to optionally encrypt the message. The underlying
mechanism that is used in the call may not be able to provide the mechanism that is used in the call may not be able to provide the
privacy service. It sets the actual privacy service that it does privacy service. It sets the actual privacy service that it does
provide in this MessageProp object which the caller should then query provide in this MessageProp object which the caller should then query
upon return. If the mechanism is not able to provide the requested upon return. If the mechanism is not able to provide the requested
QOP, it throws a GSSException with the BAD_QOP code. QOP, it throws a GSSException with the BAD_QOP code.
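The MessageProp handling described above, as an added example (not code from the draft) for one established context. It sizes the message against getWrapSizeLimit for an assumed 64 KiB transport limit, requests privacy, refuses to continue when the mechanism reports that it did not actually encrypt, and on unwrap treats the supplementary replay and sequence flags as errors rather than ignoring them. The QOP value 0 (the default) and the transport limit are assumptions.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.MessageProp;

public final class WrapExample {

    /** Assumed: the mechanism's default QOP, selected with value 0. */
    public static final int DEFAULT_QOP = 0;

    /** Assumed transport limit on the size of one emitted token. */
    public static final int MAX_TOKEN_SIZE = 65536;

    /** Wrap one message with confidentiality and verify the mechanism honored it. */
    public static byte[] sealOrFail(GSSContext ctx, byte[] plaintext) throws GSSException {
        // Ask the mechanism how much plaintext fits in one token of MAX_TOKEN_SIZE.
        int maxPlain = ctx.getWrapSizeLimit(DEFAULT_QOP, true, MAX_TOKEN_SIZE);
        if (plaintext.length > maxPlain) {
            throw new IllegalArgumentException(
                    "message of " + plaintext.length + " bytes exceeds per-token limit " + maxPlain);
        }

        MessageProp prop = new MessageProp(DEFAULT_QOP, true);   // request privacy
        byte[] token;
        try {
            token = ctx.wrap(plaintext, 0, plaintext.length, prop);
        } catch (GSSException e) {
            if (e.getMajor() == GSSException.BAD_QOP) {
                // The requested QOP is not available; do not retry with a weaker one.
                throw new GSSException(GSSException.BAD_QOP, e.getMinor(),
                        "QOP " + DEFAULT_QOP + " not supported: " + e.getMinorString());
            }
            throw e;
        }
        // wrap() records the privacy state it actually applied. A mechanism that
        // cannot encrypt leaves it false even though true was requested.
        if (!prop.getPrivacy()) {
            throw new GSSException(GSSException.UNAVAILABLE, 0,
                    "confidentiality requested but not provided by the mechanism");
        }
        return token;
    }

    /** Unwrap one token and enforce privacy plus the replay/sequence flags. */
    public static byte[] openOrFail(GSSContext ctx, byte[] token) throws GSSException {
        MessageProp prop = new MessageProp(DEFAULT_QOP, false);   // filled in by unwrap()
        byte[] plain = ctx.unwrap(token, 0, token.length, prop);

        if (!prop.getPrivacy()) {
            throw new GSSException(GSSException.UNAVAILABLE, 0,
                    "peer sent a message without confidentiality");
        }
        // With replay and sequence detection requested, unwrap() still succeeds
        // on a replayed or reordered token; these flags are the only signal.
        int code = prop.isDuplicateToken() ? GSSException.DUPLICATE_TOKEN
                 : prop.isOldToken()       ? GSSException.OLD_TOKEN
                 : prop.isUnseqToken()     ? GSSException.UNSEQ_TOKEN
                 : prop.isGapToken()       ? GSSException.GAP_TOKEN
                 : 0;
        if (code != 0) {
            throw new GSSException(code, 0, "replayed or misordered per-message token");
        }
        return plain;
    }
}
```

Whether an out-of-sequence token is fatal or merely logged is an application decision; the point is that the flags in the returned MessageProp must be read, because unwrap() does not throw for them.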
skipping to change at page 85, line 10 skipping to change at page 86, line 10
public String toString() public String toString()
Returns a string representation of the oid's integer components in Returns a string representation of the oid's integer components in
dot separated notation (e.g. "1.2.840.113554.1.2.2"). dot separated notation (e.g. "1.2.840.113554.1.2.2").
7.7.3 equals 7.7.3 equals
public boolean equals(Object Obj) public boolean equals(Object Obj)
Returns "true" if the two Oid objects represent the same oid value. Returns "true" if the two Oid objects represent the same oid value.
(Note that the Java language specification requires that two objects (Note that the Java language specification [JLS] requires that two
that are equal according to the equals(Object) method must return the objects that are equal according to the equals(Object) method must
same integer result when the hashCode() method is called on them.) return the same integer result when the hashCode() method is called
on them.)
Parameters: Parameters:
obj Another Oid object to compare with. obj Another Oid object to compare with.
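The Oid methods in this section (toString, equals and getDER, which follows) can be checked against a hand-written encoder, as in this added example (not code from the draft or from any provider). It performs the ASN.1 DER encoding of an object identifier itself: the first two arcs are merged into one subidentifier (40 * first + second), each subidentifier is written base-128 with the high bit set on all but its last octet, and the contents are prefixed with tag 0x06 and a short-form length. The result is compared with what the installed Oid implementation returns and round-tripped back through the DER constructor.

```java
import java.io.ByteArrayOutputStream;
import java.util.Arrays;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.Oid;

public final class OidDer {

    /** Write one arc as base-128 groups, most significant first, high bit set on all but the last. */
    private static void writeArc(ByteArrayOutputStream out, long arc) {
        if (arc < 0) {
            throw new IllegalArgumentException("negative arc");
        }
        byte[] groups = new byte[10];   // 64-bit value needs at most 10 seven-bit groups
        int n = 0;
        do {
            groups[n++] = (byte) (arc & 0x7F);
            arc >>>= 7;
        } while (arc != 0);
        for (int i = n - 1; i >= 0; i--) {
            out.write(i == 0 ? groups[i] : (groups[i] | 0x80));
        }
    }

    /** Full DER encoding (tag, length, contents) of a dotted-decimal OID string. */
    public static byte[] encode(String dotted) {
        String[] parts = dotted.split("\\.");
        if (parts.length < 2) {
            throw new IllegalArgumentException("an OID has at least two arcs");
        }
        long first = Long.parseLong(parts[0]);
        long second = Long.parseLong(parts[1]);
        // X.690: first arc is 0, 1 or 2; for 0 and 1 the second arc is at most 39.
        if (first > 2 || (first < 2 && second > 39)) {
            throw new IllegalArgumentException("invalid leading arcs " + first + "." + second);
        }
        ByteArrayOutputStream contents = new ByteArrayOutputStream();
        writeArc(contents, first * 40 + second);   // first two arcs share one subidentifier
        for (int i = 2; i < parts.length; i++) {
            writeArc(contents, Long.parseLong(parts[i]));
        }
        byte[] body = contents.toByteArray();
        if (body.length > 127) {
            throw new IllegalArgumentException("long-form length encoding not handled in this example");
        }
        ByteArrayOutputStream der = new ByteArrayOutputStream();
        der.write(0x06);               // OBJECT IDENTIFIER tag
        der.write(body.length);        // short-form definite length
        der.write(body, 0, body.length);
        return der.toByteArray();
    }

    /** True if the hand encoding agrees with the provider and the Oid survives a DER round trip. */
    public static boolean matchesProvider(String dotted) throws GSSException {
        Oid oid = new Oid(dotted);
        byte[] der = oid.getDER();
        return Arrays.equals(encode(dotted), der)
            && oid.equals(new Oid(der))          // DER constructor must yield an equal Oid
            && oid.toString().equals(dotted);    // dotted form must be reproduced
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02X ", b));
        }
        return sb.toString().trim();
    }

    public static void main(String[] args) throws GSSException {
        String krb5 = "1.2.840.113554.1.2.2";   // Kerberos V5 mechanism OID
        System.out.println(toHex(encode(krb5)));
        System.out.println(matchesProvider(krb5) ? "matches Oid.getDER()" : "MISMATCH");
    }
}
```

The Kerberos V5 mechanism OID is a convenient input because RFC 1964 prints its DER encoding, so the output of `encode()` can be checked against the published octets as well as against the provider.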
7.7.4 getDER 7.7.4 getDER
public byte[] getDER() public byte[] getDER()
Returns the full ASN.1 DER encoding for this oid object, which Returns the full ASN.1 DER encoding for this oid object, which
skipping to change at page 96, line 38 skipping to change at page 97, line 38
public void run() { public void run() {
byte[] inToken = null; byte[] inToken = null;
byte[] outToken = null; byte[] outToken = null;
byte[] buffer; byte[] buffer;
GSSName peer; GSSName peer;
// Container for multiple input-output arguments to // Container for multiple input-output arguments to
// and from the per-message routines // and from the per-message routines
// (ie. wrap/unwrap). // (i.e. wrap/unwrap).
MessageProp supplInfo = new MessageProp(); MessageProp supplInfo = new MessageProp();
GSSContext secContext = null; GSSContext secContext = null;
try { try {
// Now do the context establishment loop // Now do the context establishment loop
GSSContext context = mgr.createContext(cred); GSSContext context = mgr.createContext(cred);
skipping to change at page 100, line 5 skipping to change at page 101, line 5
1) To install the provider on a JVM wide basis using the 1) To install the provider on a JVM wide basis using the
java.security.Security class and then depend on the system to find java.security.Security class and then depend on the system to find
the right provider automatically when the need arises. (This would the right provider automatically when the need arises. (This would
require the application to be granted an "insertProvider require the application to be granted an "insertProvider
SecurityPermission".) SecurityPermission".)
2) To pass an instance of the provider to the local instance of 2) To pass an instance of the provider to the local instance of
GSSManager so that only factory calls going through that GSSManager GSSManager so that only factory calls going through that GSSManager
use the desired provider. (This would not require any permissions.) use the desired provider. (This would not require any permissions.)
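The two installation options, side by side as an added example (not code from the draft). Option 1 uses java.security.Security and affects every GSSManager in the JVM, which is why it needs the "insertProvider" SecurityPermission when a security manager is active; option 2 scopes the provider to one GSSManager instance and needs no permission. `p` stands for whatever Provider the application supplies, and `mech` for the mechanism OID it should serve (null for all).

```java
import java.security.Provider;
import java.security.Security;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

public final class ProviderSetup {

    /**
     * Option 1: JVM-wide installation. Every GSSManager (and every other
     * security service) in the process can now resolve to this provider.
     * Returns the preference position, or -1 if a provider with the same
     * name was already installed (no replacement happens).
     */
    public static int installGlobally(Provider p) {
        return Security.addProvider(p);
    }

    /**
     * Option 2: installation scoped to a single GSSManager. Only factory
     * calls made through the returned manager consult p, and only for
     * mech (null means all mechanisms). Nothing else in the JVM is affected.
     */
    public static GSSManager scopedManager(Provider p, Oid mech) throws GSSException {
        GSSManager mgr = GSSManager.getInstance();
        mgr.addProviderAtFront(p, mech);   // consulted before the default providers
        return mgr;
    }

    /** Check that a mechanism is actually reachable through a given manager. */
    public static boolean supports(GSSManager mgr, Oid mech) throws GSSException {
        Oid[] mechs = mgr.getMechs();
        return mechs != null && mech.containedIn(mechs);
    }
}
```

A call to `supports()` after either installation confirms that the mechanism the provider was meant to add is visible; with option 2 the check must be made on the same GSSManager instance that received the provider.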
10. Acknowledgments 10. IANA Considerations
This document has no IANA considerations currently.
11. Acknowledgments
This proposed API leverages earlier work performed by the IETF's CAT This proposed API leverages earlier work performed by the IETF's CAT
WG as outlined in both RFC 2743 and RFC 2744. Many conceptual WG as outlined in both RFC 2743 and RFC 2744. Many conceptual
definitions, implementation directions, and explanations have been definitions, implementation directions, and explanations have been
included from these documents. included from these documents.
We would like to thank Mike Eisler, Lin Ling, Ram Marti, Michael We would like to thank Mike Eisler, Lin Ling, Ram Marti, Michael
Saltz and other members of Sun's development team for their helpful Saltz and other members of Sun's development team for their helpful
input, comments and suggestions. input, comments and suggestions.
We would also like to thank Joe Salowey, and Michael Smith for many We would also like to thank Joe Salowey, and Michael Smith for many
insightful ideas and suggestions that have contributed to this insightful ideas and suggestions that have contributed to this
document. document.
11. References 12. References
12.1 Normative References
[RFC2853] Kabat, J. and M. Upadhyay, "Generic Security Service [RFC2853] Kabat, J. and M. Upadhyay, "Generic Security Service
Application Program Interface : Java Bindings", RFC 2853, Application Program Interface : Java Bindings", RFC 2853,
June 2000. June 2000.
[GSSAPIv2]
Linn, J., "Generic Security Service Application Program
Interface, Version 2", RFC 2078, January 1997.
[GSSAPIv2-UPDATE] [GSSAPIv2-UPDATE]
Linn, J., "Generic Security Service Application Program Linn, J., "Generic Security Service Application Program
Interface, Version 2, Update 1", RFC 2743, January 2000. Interface, Version 2, Update 1", RFC 2743, January 2000.
[GSSAPI-Cbind] [GSSAPI-Cbind]
Wray, J., "Generic Security Service API Version 2 : Wray, J., "Generic Security Service API Version 2 :
C-bindings", RFC 2744, January 2000. C-bindings", RFC 2744, January 2000.
[KERBV5] Linn, J., "The Kerberos Version 5 GSS-API Mechanism", [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
RFC 1964, June 1996. Requirement Levels", BCP 14, RFC 2119, March 1997.
[SPKM] Adams, C., "The Simple Public-Key GSS-API Mechanism", [RFC4121] Zhu, L. and S. Hartman, "The Kerberos Version 5 Generic
Security Service Application Program Interface (GSS-API)
Mechanism: Version 2", RFC 4121, July 2005.
[RFC2025] Adams, C., "The Simple Public-Key GSS-API Mechanism",
RFC 2025, October 1996. RFC 2025, October 1996.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 12.2 Informative References
Requirement Levels", BCP 14, RFC 2119, March 1997.
[JLS] Gosling, J., "The Java Language Specification", JLS langspec.
Authors' Addresses Authors' Addresses
Mayank D. Upadhyay Mayank D. Upadhyay
Google Inc. Google Inc.
1600 Amphitheatre Parkway 1600 Amphitheatre Parkway
Mountain View, CA 94043 Mountain View, CA 94043
USA USA
Email: mayank+ietf-2853@google.com Email: mayank+ietf-2853@google.com
 End of changes. 24 change blocks. 
235 lines changed or deleted 249 lines changed or added

This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/