
📄 rfc1508.txt

📁 Famous RFC documents, some of which have been translated into Chinese.
      GSS_Unseal                   decapsulate, decrypt if needed,
                                   validate signature

      SUPPORT CALLS

      GSS_Display_status           translate status codes to printable
                                   form
      GSS_Indicate_mechs           indicate mech_types supported on
                                   local system
      GSS_Compare_name             compare two names for equality
      GSS_Display_name             translate name to printable form
      GSS_Import_name              convert printable name to
                                   normalized form
      GSS_Release_name             free storage of normalized-form
                                   name
      GSS_Release_buffer           free storage of printable name
      GSS_Release_oid_set          free storage of OID set object

Linn                                                           [Page 16]

RFC 1508               Generic Security Interface         September 1993

2.1.  Credential management calls

   These GSS-API calls provide functions related to the management of
   credentials. Their characterization with regard to whether or not
   they may block pending exchanges with other network entities (e.g.,
   directories or authentication servers) depends in part on OS-specific
   (extra-GSS-API) issues, so is not specified in this document.

   The GSS_Acquire_cred()  call is defined within the GSS-API in support
   of application portability, with a particular orientation towards
   support of portable server applications. It is recognized that (for
   certain systems and mechanisms) credentials for interactive users may
   be managed differently from credentials for server processes; in such
   environments, it is the GSS-API implementation's responsibility to
   distinguish these cases and the procedures for making this
   distinction are a local matter. The GSS_Release_cred()  call provides
   a means for callers to indicate to the GSS-API that use of a
   credentials structure is no longer required. The GSS_Inquire_cred()
   call allows callers to determine information about a credentials
   structure.

2.1.1.  GSS_Acquire_cred call

   Inputs:

   o  desired_name INTERNAL NAME, -NULL requests locally-determined
      default

   o  lifetime_req INTEGER,-in seconds; 0 requests default

   o  desired_mechs SET OF OBJECT IDENTIFIER,-empty set requests
      system-selected default

   o  cred_usage INTEGER-0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY,
      2=ACCEPT-ONLY

   Outputs:

   o  major_status INTEGER,

   o  minor_status INTEGER,

   o  output_cred_handle OCTET STRING,

   o  actual_mechs SET OF OBJECT IDENTIFIER,

   o  lifetime_rec INTEGER -in seconds, or reserved value for
      INDEFINITE

   Return major_status codes:

   o  GSS_COMPLETE indicates that requested credentials were
      successfully established, for the duration indicated in
      lifetime_rec, suitable for the usage requested in cred_usage, for
      the set of mech_types indicated in actual_mechs, and that those
      credentials can be referenced for subsequent use with the handle
      returned in output_cred_handle.

   o  GSS_BAD_MECH indicates that a mech_type unsupported by the GSS-API
      implementation type was requested, causing the credential
      establishment operation to fail.

   o  GSS_BAD_NAMETYPE indicates that the provided desired_name is
      uninterpretable or of a type unsupported by the supporting GSS-API
      implementation, so no credentials could be established for the
      accompanying desired_name.

   o  GSS_BAD_NAME indicates that the provided desired_name is
      inconsistent in terms of internally-incorporated type specifier
      information, so no credentials could be established for the
      accompanying desired_name.

   o  GSS_FAILURE indicates that credential establishment failed for
      reasons unspecified at the GSS-API level, including lack of
      authorization to establish and use credentials associated with the
      identity named in the input desired_name argument.

   GSS_Acquire_cred()  is used to acquire credentials so that a
   principal can (as a function of the input cred_usage parameter)
   initiate and/or accept security contexts under the identity
   represented by the desired_name input argument. On successful
   completion, the returned output_cred_handle result provides a handle
   for subsequent references to the acquired credentials.  Typically,
   single-user client processes using only default credentials for
   context establishment purposes will have no need to invoke this call.

   A caller may provide the value NULL for desired_name, signifying a
   request for credentials corresponding to a default principal
   identity.  The procedures used by GSS-API implementations to select
   the appropriate principal identity in response to this form of
   request are local matters. It is possible that multiple pre-
   established credentials may exist for the same principal identity
   (for example, as a result of multiple user login sessions) when
   GSS_Acquire_cred() is called; the means used in such cases to select
   a specific credential are local matters.  The input lifetime_req
   argument to GSS_Acquire_cred() may provide useful information for
   local GSS-API implementations to employ in making this disambiguation
   in a manner which will best satisfy a caller's intent.

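
A caller-side check of the GSS_Acquire_cred() outputs listed above, as an added example that is not part of RFC 1508 or of any GSS-API implementation: credentials are accepted only when major_status is GSS_COMPLETE, every needed mech_type is in actual_mechs, and lifetime_rec covers the caller's minimum. The struct, the verdict names, the UINT32_MAX encoding of INDEFINITE and the OID are assumptions of this model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model of the abstract GSS_Acquire_cred() outputs (section 2.1.1). Type names,
 * enum values and the INDEFINITE encoding are assumptions of this example. */
enum major_status { GSS_COMPLETE, GSS_BAD_MECH, GSS_BAD_NAMETYPE, GSS_BAD_NAME, GSS_FAILURE };
enum verdict { CRED_OK, CRED_NOT_ACQUIRED, CRED_MECH_MISSING, CRED_LIFETIME_SHORT };
#define LIFETIME_INDEFINITE UINT32_MAX /* assumed reserved value */

struct acquire_result {
    enum major_status major;
    uint32_t lifetime_rec;           /* seconds from now, or INDEFINITE */
    const char *const *actual_mechs; /* mech_type OIDs in dotted form */
    size_t n_mechs;
};

static int has_mech(const struct acquire_result *r, const char *oid)
{
    for (size_t i = 0; i < r->n_mechs; i++)
        if (strcmp(r->actual_mechs[i], oid) == 0)
            return 1;
    return 0;
}

/* Every OID in need[] must appear in actual_mechs, and lifetime_rec must
 * cover min_lifetime seconds; lifetime_req is a request, not a guarantee. */
enum verdict check_acquired_cred(const struct acquire_result *r,
                                 const char *const *need, size_t n_need,
                                 uint32_t min_lifetime)
{
    if (r->major != GSS_COMPLETE) /* no credentials were established */
        return CRED_NOT_ACQUIRED;
    for (size_t i = 0; i < n_need; i++)
        if (!has_mech(r, need[i]))
            return CRED_MECH_MISSING;
    if (r->lifetime_rec != LIFETIME_INDEFINITE && r->lifetime_rec < min_lifetime)
        return CRED_LIFETIME_SHORT;
    return CRED_OK;
}

int main(void)
{
    static const char *const mechs[] = { "1.3.6.1.4.1.99999.1" }; /* constructed OID */
    struct acquire_result r = { GSS_COMPLETE, 300, mechs, 1 };   /* constructed result */
    return check_acquired_cred(&r, mechs, 1, 3600) == CRED_LIFETIME_SHORT ? 0 : 1;
}
```
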
   The lifetime_rec result indicates the length of time for which the
   acquired credentials will be valid, as an offset from the present. A
   mechanism may return a reserved value indicating INDEFINITE if no
   constraints on credential lifetime are imposed.  A caller of
   GSS_Acquire_cred()  can request a length of time for which acquired
   credentials are to be valid (lifetime_req argument), beginning at the
   present, or can request credentials with a default validity interval.
   (Requests for postdated credentials are not supported within the
   GSS-API.) Certain mechanisms and implementations may bind in
   credential validity period specifiers at a point preliminary to
   invocation of the GSS_Acquire_cred() call (e.g., in conjunction with
   user login procedures). As a result, callers requesting non-default
   values for lifetime_req must recognize that such requests cannot
   always be honored and must be prepared to accommodate the use of
   returned credentials with different lifetimes as indicated in
   lifetime_rec.

   The caller of GSS_Acquire_cred() can explicitly specify a set of
   mech_types which are to be accommodated in the returned credentials
   (desired_mechs argument), or can request credentials for a system-
   defined default set of mech_types. Selection of the system-specified
   default set is recommended in the interests of application
   portability. The actual_mechs return value may be interrogated by the
   caller to determine the set of mechanisms with which the returned
   credentials may be used.

2.1.2.  GSS_Release_cred call

   Input:

   o  cred_handle OCTET STRING-NULL specifies default credentials

   Outputs:

   o  major_status INTEGER,

   o  minor_status INTEGER

   Return major_status codes:

   o  GSS_COMPLETE indicates that the credentials referenced by the
      input cred_handle were released for purposes of subsequent access
      by the caller. The effect on other processes which may be
      authorized shared access to such credentials is a local matter.

   o  GSS_NO_CRED indicates that no release operation was performed,
      either because the input cred_handle was invalid or because the
      caller lacks authorization to access the referenced credentials.

   o  GSS_FAILURE indicates that the release operation failed for
      reasons unspecified at the GSS-API level.

   Provides a means for a caller to explicitly request that credentials
   be released when their use is no longer required. Note that system-
   specific credential management functions are also likely to exist,
   for example to assure that credentials shared among processes are
   properly deleted when all affected processes terminate, even if no
   explicit release requests are issued by those processes.  Given the
   fact that multiple callers are not precluded from gaining authorized
   access to the same credentials, invocation of GSS_Release_cred()
   cannot be assumed to delete a particular set of credentials on a
   system-wide basis.

2.1.3.  GSS_Inquire_cred call

      Input:

      o  cred_handle OCTET STRING -NULL specifies default credentials

      Outputs:

      o  major_status INTEGER,

      o  minor_status INTEGER,

      o  cred_name INTERNAL NAME,

      o  lifetime_rec INTEGER -in seconds, or reserved value for
         INDEFINITE

      o  cred_usage INTEGER, -0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY,
         2=ACCEPT-ONLY

      o  mech_set SET OF OBJECT IDENTIFIER

      Return major_status codes:

      o  GSS_COMPLETE indicates that the credentials referenced by the
         input cred_handle argument were valid, and that the output
         cred_name, lifetime_rec, and cred_usage values represent,
         respectively, the credentials' associated principal name,
         remaining lifetime, suitable usage modes, and supported
         mechanism types.

      o  GSS_NO_CRED indicates that no information could be returned
         about the referenced credentials, either because the input
         cred_handle was invalid or because the caller lacks
         authorization to access the referenced credentials.

      o  GSS_FAILURE indicates that the release operation failed for
         reasons unspecified at the GSS-API level.

   The GSS_Inquire_cred()  call is defined primarily for the use of
   those callers which make use of default credentials rather than
   acquiring credentials explicitly with GSS_Acquire_cred().  It enables
   callers to determine a credential structure's associated principal
   name, remaining validity period, usability for security context
   initiation and/or acceptance, and supported mechanisms.

2.2.  Context-level calls

   This group of calls is devoted to the establishment and management of
   security contexts between peers. A context's initiator calls
   GSS_Init_sec_context(),  resulting in generation of a token which the
   caller passes to the target. At the target, that token is passed to
   GSS_Accept_sec_context().  Depending on the underlying mech_type and
   specified options, additional token exchanges may be performed in the
   course of context establishment; such exchanges are accommodated by
   GSS_CONTINUE_NEEDED status returns from GSS_Init_sec_context()  and
   GSS_Accept_sec_context().  Either party to an established context may
   invoke GSS_Delete_sec_context()  to flush context information when a
   context is no longer required. GSS_Process_context_token()  is used
   to process received tokens carrying context-level control
   information. GSS_Context_time()  allows a caller to determine the
   length of time for which an established context will remain valid.

2.2.1.  GSS_Init_sec_context call

   Inputs:

   o  claimant_cred_handle OCTET STRING, -NULL specifies "use
      default"
