   BAD_NAMETYPE           3  A supplied name was of an unsupported type.
   BAD_BINDINGS           4  Incorrect channel bindings were supplied.
   BAD_STATUS             5  An invalid status code was supplied.
   BAD_MIC                6  A token had an invalid MIC.
   NO_CRED                7  No credentials were supplied, or the
                             credentials were unavailable or
                             inaccessible.
   NO_CONTEXT             8  Invalid context has been supplied.
   DEFECTIVE_TOKEN        9  A supplied token was invalid.
   DEFECTIVE_CREDENTIAL  10  A supplied credential was invalid.
   CREDENTIALS_EXPIRED   11  The referenced credentials have expired.
   CONTEXT_EXPIRED       12  The context has expired.
   FAILURE               13  Miscellaneous failure, unspecified at the
                             GSS-API level.
   BAD_QOP               14  The quality-of-protection requested could
                             not be provided.
   UNAUTHORIZED          15  The operation is forbidden by local
                             security policy.
   UNAVAILABLE           16  The operation or option is unavailable.
   DUPLICATE_ELEMENT     17  The requested credential element already
                             exists.
   NAME_NOT_MN           18  The provided name was not a mechanism name.
   OLD_TOKEN             19  The token's validity period has expired.
   DUPLICATE_TOKEN       20  The token was a duplicate of an earlier
                             version.

Kabat & Upadhyay            Standards Track                    [Page 20]

RFC 2853                 GSS-API Java Bindings                 June 2000

   The GSS major status code of FAILURE is used to indicate that the
   underlying mechanism detected an error for which no specific GSS
   status code is defined.  The mechanism-specific status code can
   provide more details about the error.

   The different major status codes that can be contained in the
   GSSException object thrown by the methods in this specification are
   the same as the major status codes returned by the corresponding
   calls in RFC 2743 [GSSAPIv2-UPDATE].

4.12.2.  Mechanism-specific status codes

   Mechanism-specific status codes are communicated in two ways: they
   are part of any GSSException thrown from the mechanism-specific layer
   to signal a fatal error, or they are part of the MessageProp object
   that the per-message calls use to signal non-fatal errors.

   A default value of 0 in either the GSSException object or the
   MessageProp object will be used to represent the absence of any
   mechanism-specific status code.

4.12.3.  Supplementary status codes

   Supplementary status codes are confined to the per-message methods of
   the GSSContext interface.  Because of the informative nature of these
   errors it is not appropriate to use exceptions to signal them.
   Instead, the per-message operations of the GSSContext interface
   return these values in a MessageProp object.

   The MessageProp class defines query methods which return boolean
   values indicating the following supplementary states:

   Table: Supplementary Status Methods

   Method Name         Meaning when "true" is returned

   isDuplicateToken    The token was a duplicate of an earlier token.
   isOldToken          The token's validity period has expired.
   isUnseqToken        A later token has already been processed.
   isGapToken          An expected per-message token was not received.

   A "true" return value for any of the above methods indicates that the
   token exhibited the specified property.  The application must
   determine the appropriate course of action for these supplementary
   values.  They are not treated as errors by the GSS-API.

4.13.  Names

   A name is used to identify a person or entity.  GSS-API authenticates
   the relationship between a name and the entity claiming the name.

   Since different authentication mechanisms may employ different
   namespaces for identifying their principals, GSS-API's naming support
   is necessarily complex in multi-mechanism environments (or even in
   some single-mechanism environments where the underlying mechanism
   supports multiple namespaces).

   Two distinct conceptual representations are defined for names:

   1) A GSS-API form represented by implementations of the GSSName
      interface:

      A single GSSName object may contain multiple names from different
      namespaces, but all names should refer to the same entity.  An
      example of such an internal name would be the name returned from
      a call to the getName method of the GSSCredential interface, when
      applied to a credential containing credential elements for
      multiple authentication mechanisms employing different namespaces.
      This GSSName object will contain a distinct name for the entity
      for each authentication mechanism.

      For GSS-API implementations supporting multiple namespaces,
      GSSName implementations must contain sufficient information to
      determine the namespace to which each primitive name belongs.

   2) Mechanism-specific contiguous byte array and string forms:

      Different GSSName initialization methods are provided to handle
      both byte array and string formats and to accommodate various
      calling applications and name types.  These formats are capable
      of containing only a single name (from a single namespace).

      Contiguous string names are always accompanied by an object
      identifier specifying the namespace to which the name belongs,
      and their format is dependent on the authentication mechanism
      that employs that name.

      The string name forms are assumed to be printable, and may
      therefore be used by GSS-API applications for communication with
      their users.  The byte array name formats are assumed to be in
      non-printable formats (e.g. the byte array returned from the
      export method of the GSSName interface).

   A GSSName object can be converted to a contiguous representation by
   using the toString method.  This will guarantee that the name will be
   converted to a printable format.  Different initialization methods in
   the GSSName interface are defined allowing support for multiple
   syntaxes for each supported namespace, and allowing users the freedom
   to choose a preferred name representation.

   The toString method should use an implementation-chosen printable
   syntax for each supported name-type.  To obtain the printable name
   type, the getStringNameType method can be used.

   There is no guarantee that calling the toString method on the GSSName
   interface will produce the same string form as the original imported
   string name.  Furthermore, it is possible that the name was not even
   constructed from a string representation.  The same applies to
   namespace identifiers which may not necessarily survive unchanged
   after a journey through the internal name-form.  An example of this
   might be a mechanism that authenticates X.500 names, but provides an
   algorithmic mapping of Internet DNS names into X.500.  That
   mechanism's implementation of GSSName might, when presented with a
   DNS name, generate an internal name that contained both the original
   DNS name and the equivalent X.500 name.  Alternatively, it might only
   store the X.500 name.  In the latter case, the toString method of
   GSSName would most likely generate a printable X.500 name, rather
   than the original DNS name.

   The context acceptor can obtain a GSSName object representing the
   entity performing the context initiation (through the usage of the
   getSrcName method).  Since this name has been authenticated by a
   single mechanism, it contains only a single name (even if the
   internal name presented by the context initiator to the GSSContext
   object had multiple components).  Such names are termed internal
   mechanism names, or "MN"s, and the names emitted by the GSSContext
   interface from getSrcName and getTargName are always of this type.
   Since some applications may require MNs without wanting to incur the
   overhead of an authentication operation, creation methods are
   provided that take not only the name buffer and name type, but also
   the mechanism oid for which this name should be created.  When
   dealing with an existing GSSName object, the canonicalize method may
   be invoked to convert a general internal name into an MN.

   GSSName objects can be compared using their equals method, which
   returns "true" if the two names being compared refer to the same
   entity.  This is the preferred way to perform name comparisons
   instead of using the printable names that a given GSS-API
   implementation may support.  Since GSS-API assumes that all primitive
   names contained within a given internal name refer to the same
   entity, equals can return "true" if the two names have at least one
   primitive name in common.  If the implementation embodies knowledge
   of equivalence relationships between names taken from different
   namespaces, this knowledge may also allow successful comparisons of
   internal names containing no overlapping primitive elements.

   When used in large access control lists, the overhead of creating a
   GSSName object on each name and invoking the equals method on each
   name from the ACL may be prohibitive.  As an alternative way of
   supporting this case, GSS-API defines a special form of the
   contiguous byte array name which may be compared directly (byte by
   byte).  Contiguous names suitable for comparison are generated by the
   export method.  Exported names may be re-imported by using the byte
   array constructor and specifying NT_EXPORT_NAME as the name type
   object identifier.  The resulting GSSName will also be an MN.  The
   GSSName interface defines public static Oid objects representing the
   standard name types.

   Structurally, an exported name object consists of a header containing
   an OID identifying the mechanism that authenticated the name, and a
   trailer containing the name itself, where the syntax of the trailer
   is defined by the individual mechanism specification.  A detailed
   description of the format is specified in the language-independent
   GSS-API specification [GSSAPIv2-UPDATE].

   Note that the results obtained by using the equals method will in
   general be different from those obtained by invoking canonicalize and
   export, and then comparing the byte array output.  The first series
   of operations determines whether two (unauthenticated) names identify
   the same principal; the second whether a particular mechanism would
   authenticate them as the same principal.  These two operations will
   in general give the same results only for MNs.

   It is important to note that the above are guidelines as how GSSName
   implementati
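   The following is an added example and is not part of RFC 2853 or of
   any GSS-API implementation.  It shows an acceptor-side routine that
   unwraps one per-message token and reacts to the three kinds of status
   described in section 4.12: a fatal GSSException carrying a major and
   an optional mechanism-specific minor code (4.12.1, 4.12.2), a
   non-fatal mechanism-specific status in the MessageProp (4.12.2), and
   the supplementary states (4.12.3).  The class name PerMessageStatus,
   the Verdict/Outcome types and the drop-on-flag policy are this
   example's own choices; the GSSContext "ctx" is assumed to be fully
   established and "wrapToken" to be a token received from the peer,
   both supplied by the application.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.MessageProp;

/*
 * Added example, not from RFC 2853. Assumes an established GSSContext and
 * a wrap token received from the peer; the verdict/outcome types and the
 * policy of dropping flagged tokens are this example's own.
 */
public final class PerMessageStatus {

    public enum Verdict { ACCEPT, FATAL, REPLAY, OUT_OF_ORDER, GAP, NO_PRIVACY }

    public static final class Outcome {
        public final Verdict verdict;
        public final byte[] plaintext;   // non-null only for ACCEPT
        public final String detail;
        Outcome(Verdict verdict, byte[] plaintext, String detail) {
            this.verdict = verdict;
            this.plaintext = plaintext;
            this.detail = detail;
        }
    }

    /**
     * @param requirePrivacy true if the application insists that the
     *        token was wrapped with confidentiality, not just integrity.
     */
    public static Outcome unwrapAndCheck(GSSContext ctx, byte[] wrapToken,
                                         boolean requirePrivacy) {
        // The input values of a MessageProp are not used by unwrap; on
        // return it holds the applied QOP, the privacy state, the
        // mechanism-specific status and the supplementary states.
        MessageProp prop = new MessageProp(0, false);
        byte[] data;
        try {
            data = ctx.unwrap(wrapToken, 0, wrapToken.length, prop);
        } catch (GSSException e) {
            // Fatal error: a major code from the table in 4.12.1 and, when
            // the mechanism supplied one, a minor code (0 means none, 4.12.2).
            // Compare against the GSSException constants by name rather than
            // hard-coding the numbers from the table.
            StringBuilder sb = new StringBuilder("major: ").append(e.getMajorString());
            if (e.getMinor() != 0) {
                sb.append(", mechanism status ").append(e.getMinor())
                  .append(" (").append(e.getMinorString()).append(')');
            }
            if (e.getMajor() == GSSException.CONTEXT_EXPIRED) {
                sb.append("; the context must be re-established");
            }
            return new Outcome(Verdict.FATAL, null, sb.toString());
        }

        // Non-fatal mechanism-specific status (4.12.2): informational only.
        String detail = prop.getMinorStatus() == 0 ? ""
                : "mechanism status " + prop.getMinorStatus()
                  + " (" + prop.getMinorString() + ")";

        // Supplementary states (4.12.3). GSS-API does not treat them as
        // errors; the policy here is this example's: when replay or sequence
        // detection was negotiated for the context, a flagged token is
        // dropped instead of being delivered to the application.
        if (ctx.getReplayDetState()
                && (prop.isDuplicateToken() || prop.isOldToken())) {
            return new Outcome(Verdict.REPLAY, null, detail + " duplicate or stale token");
        }
        if (ctx.getSequenceDetState()) {
            if (prop.isUnseqToken()) {
                return new Outcome(Verdict.OUT_OF_ORDER, null, detail + " token arrived late");
            }
            if (prop.isGapToken()) {
                return new Outcome(Verdict.GAP, null, detail + " a preceding token is missing");
            }
        }

        // An integrity-only token unwraps without error, so a caller that
        // needs confidentiality must check that the peer actually applied it.
        if (requirePrivacy && !prop.getPrivacy()) {
            return new Outcome(Verdict.NO_PRIVACY, null, detail + " token was not encrypted");
        }
        return new Outcome(Verdict.ACCEPT, data, detail);
    }
}
```

   Two points worth keeping when adapting this: the replay, sequence
   and gap flags only mean something if the corresponding detection was
   requested and granted on the context (hence the getReplayDetState
   and getSequenceDetState guards), and the numeric values in the
   4.12.1 table should never be hard-coded, since a binding may number
   its GSSException constants differently from the table.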
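   The following is also an added example, not part of RFC 2853 or of
   any GSS-API implementation.  It exercises both name-comparison paths
   from section 4.13 (equals on general internal names, and
   canonicalize followed by export for byte-by-byte ACL comparison) and
   adds a parser for the exported name object.  The parser's layout
   (token id 0x04 0x01, two-byte OID length, DER-encoded mechanism OID,
   four-byte name length, name) is taken from the language-independent
   specification [GSSAPIv2-UPDATE], section 3.2, not from this page.
   The class name ExportedNames, the helper names and the sample token in
   main are this example's own; the sample uses the Kerberos V5
   mechanism OID and the principal "alice@EXAMPLE.COM", both chosen for
   illustration, and a real token would come from GSSName.export().

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/*
 * Added example, not from RFC 2853. Exported name layout per RFC 2743
 * section 3.2; class, helper names and the sample token are this example's.
 */
public final class ExportedNames {

    /** Parsed view of an exported name: mechanism OID header plus mechanism-defined trailer. */
    public static final class ExportedName {
        public final Oid mechanism;
        public final byte[] name;
        ExportedName(Oid mechanism, byte[] name) { this.mechanism = mechanism; this.name = name; }
    }

    /**
     * 0x04 0x01 | 2-byte OID length | DER OID (tag 0x06 included) | 4-byte name length | name.
     * Every length is checked against the token so that a truncated or padded token is
     * rejected rather than silently mis-parsed.
     */
    public static ExportedName parse(byte[] tok) throws GSSException {
        if (tok.length < 8 || tok[0] != 0x04 || tok[1] != 0x01) {
            throw new GSSException(GSSException.BAD_NAME);
        }
        int oidLen = ((tok[2] & 0xff) << 8) | (tok[3] & 0xff);
        int p = 4;
        if (oidLen < 2 || tok[p] != 0x06 || p + oidLen + 4 > tok.length) {
            throw new GSSException(GSSException.BAD_NAME);
        }
        byte[] der = Arrays.copyOfRange(tok, p, p + oidLen);
        p += oidLen;
        long nameLen = ((long) (tok[p] & 0xff) << 24) | ((tok[p + 1] & 0xff) << 16)
                     | ((tok[p + 2] & 0xff) << 8) | (tok[p + 3] & 0xff);
        p += 4;
        if (nameLen != tok.length - p) {          // no trailing bytes allowed
            throw new GSSException(GSSException.BAD_NAME);
        }
        return new ExportedName(new Oid(der), Arrays.copyOfRange(tok, p, tok.length));
    }

    /** equals: do two (possibly unauthenticated) internal names identify the same entity? */
    public static boolean sameEntity(GSSManager mgr, String a, Oid typeA,
                                     String b, Oid typeB) throws GSSException {
        return mgr.createName(a, typeA).equals(mgr.createName(b, typeB));
    }

    /** Build an ACL entry: canonicalize under one mechanism (an MN), then export. */
    public static byte[] aclEntry(GSSManager mgr, String principal, Oid nameType,
                                  Oid mech) throws GSSException {
        return mgr.createName(principal, nameType).canonicalize(mech).export();
    }

    /**
     * ACL check on an authenticated peer (e.g. GSSContext.getSrcName(), already an MN)
     * by plain byte comparison. Because the exported form carries the mechanism OID,
     * a match also binds the principal to the mechanism that authenticated it.
     */
    public static boolean aclContains(List<byte[]> acl, GSSName authenticatedPeer)
            throws GSSException {
        byte[] peer = authenticatedPeer.export();
        for (byte[] entry : acl) {
            if (Arrays.equals(entry, peer)) return true;
        }
        return false;
    }

    /** Round trip: an exported name re-imported with NT_EXPORT_NAME is again an MN. */
    public static boolean reimportIsMN(GSSManager mgr, byte[] exported) throws GSSException {
        return mgr.createName(exported, GSSName.NT_EXPORT_NAME).isMN();
    }

    public static void main(String[] args) throws GSSException {
        // Constructed sample token: Kerberos V5 OID (1.2.840.113554.1.2.2, DER with tag)
        // followed by the name "alice@EXAMPLE.COM". Not produced by a real mechanism.
        byte[] name = "alice@EXAMPLE.COM".getBytes(StandardCharsets.US_ASCII);
        byte[] der = {0x06, 0x09, 0x2a, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xf7,
                      0x12, 0x01, 0x02, 0x02};
        byte[] tok = new byte[4 + der.length + 4 + name.length];
        tok[0] = 0x04; tok[1] = 0x01; tok[2] = 0; tok[3] = (byte) der.length;
        System.arraycopy(der, 0, tok, 4, der.length);
        int p = 4 + der.length;
        tok[p] = 0; tok[p + 1] = 0; tok[p + 2] = 0; tok[p + 3] = (byte) name.length;
        System.arraycopy(name, 0, tok, p + 4, name.length);

        ExportedName en = parse(tok);
        Oid krb5 = new Oid("1.2.840.113554.1.2.2");
        System.out.println("mechanism " + en.mechanism + " matches Kerberos V5: "
                + en.mechanism.equals(krb5));
        System.out.println("name: " + new String(en.name, StandardCharsets.US_ASCII));
    }
}
```

   The parser is only for inspecting or indexing exported names (for
   instance to group ACL entries by mechanism); the access decision
   itself should remain the whole-token byte comparison in aclContains,
   since the trailer's syntax is mechanism-defined and comparing the
   trailer alone would drop the binding to the authenticating mechanism.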