Internet Engineering Task Force (IETF) S. Josefsson
Request for Comments: 5801 SJD AB
Category: Standards Track N. Williams
ISSN: 2070-1721 Oracle
July 2010
Using Generic Security Service Application Program Interface (GSS-API)
Mechanisms in Simple Authentication and Security Layer (SASL):
The GS2 Mechanism Family
Abstract
This document describes how to use a Generic Security Service
Application Program Interface (GSS-API) mechanism in the Simple
Authentication and Security Layer (SASL) framework. This is done by
defining a new SASL mechanism family, called GS2. This mechanism
family offers a number of improvements over the previous "SASL/
GSSAPI" mechanism: it is more general, uses fewer messages for the
authentication phase in some cases, and supports negotiable use of
channel binding. Only GSS-API mechanisms that support channel
binding and mutual authentication are supported.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc5801.
Josefsson & Williams Standards Track [Page 1]
RFC 5801 SASL GS2-* July 2010
Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
This document may contain material from IETF Documents or IETF
Contributions published or made publicly available before November
10, 2008. The person(s) controlling the copyright in some of this
material may not have granted the IETF Trust the right to allow
modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other
than English.
Table of Contents
1. Introduction ....................................................4
2. Conventions Used in This Document ...............................5
3. Mechanism Name ..................................................5
3.1. Generating SASL Mechanism Names from GSS-API OIDs ..........5
3.2. Computing Mechanism Names Manually .........................6
3.3. Examples ...................................................6
3.4. Grandfathered Mechanism Names ..............................7
4. SASL Authentication Exchange Message Format .....................8
5. Channel Bindings ...............................................10
5.1. Content of GSS-CHANNEL-BINDINGS Structure .................11
5.2. Default Channel Binding ...................................12
6. Examples .......................................................12
7. Authentication Conditions ......................................14
8. GSS-API Parameters .............................................15
9. Naming .........................................................15
10. GSS_Inquire_SASLname_for_mech Call ............................15
10.1. gss_inquire_saslname_for_mech ............................16
11. GSS_Inquire_mech_for_SASLname Call ............................18
11.1. gss_inquire_mech_for_saslname ............................19
12. Security Layers ...............................................20
13. Interoperability with the SASL GSSAPI Mechanism ...............20
13.1. The Interoperability Problem .............................20
13.2. Resolving the Problem ....................................20
13.3. Additional Recommendations ...............................20
14. GSS-API Mechanisms That Negotiate Other Mechanisms ............21
14.1. The Interoperability Problem .............................21
14.2. Security Problem .........................................21
14.3. Resolving the Problems ...................................21
15. IANA Considerations ...........................................22
16. Security Considerations .......................................22
17. Acknowledgements ..............................................24
18. References ....................................................24
18.1. Normative References .....................................24
18.2. Informative References ...................................25
1. Introduction
Generic Security Service Application Program Interface (GSS-API)
[RFC2743] is a framework that provides security services to
applications using a variety of authentication mechanisms. Simple
Authentication and Security Layer (SASL) [RFC4422] is a framework to
provide authentication and security layers for connection-based
protocols, also using a variety of mechanisms. This document
describes how to use a GSS-API mechanism as though it were a SASL
mechanism. This facility is called GS2 -- a moniker that indicates
that this is the second GSS-API->SASL mechanism bridge. The original
GSS-API->SASL mechanism bridge was specified by [RFC2222], now
[RFC4752]; we shall sometimes refer to the original bridge as GS1 in
this document.
All GSS-API mechanisms are implicitly registered for use within SASL
by this specification. The SASL mechanisms defined in this document
are known as the GS2 family of mechanisms.
The GS1 bridge failed to gain wide deployment for any GSS-API
mechanism other than "The Kerberos Version 5 GSS-API Mechanism"
[RFC1964] [RFC4121], and has a number of problems that led us to
desire a new bridge. Specifically, a) GS1 was not round-trip
optimized and b) GS1 did not support channel binding [RFC5056].
These problems and the opportunity to create the next SASL password-
based mechanism, "Salted Challenge Response Authentication Mechanism
(SCRAM) SASL and GSS-API Mechanisms" [RFC5802], as a GSS-API
mechanism used by SASL applications via GS2, provide the motivation
for GS2.
In particular, the current consensus of the SASL community appears to
be that SASL "security layers" (i.e., confidentiality and integrity
protection of application data after authentication) are too complex
and redundant because SASL applications tend to have an option to run
over a Transport Layer Security (TLS) [RFC5246] channel. Use of SASL
security layers is best replaced with channel binding to a TLS
channel.
GS2 is designed to be as simple as possible. It adds to GSS-API
security context token exchanges only the bare minimum to support
SASL semantics and negotiation of use of channel binding.
Specifically, GS2 adds a small header (a few bytes plus the length of
the client-requested SASL authorization identity) to the initial GSS-
API context token and to the application channel binding data. GS2
uses SASL mechanism negotiation to implement channel binding
negotiation. Security-relevant GS2 plaintext is protected via the
use of GSS-API channel binding. Additionally, to simplify the
implementation of GS2 mechanisms for implementors who will not
implement a GSS-API framework, we compress the initial security
context token header required by [RFC2743], Section 3.1.
GS2 does not protect any plaintext exchanged outside GS2, such as
SASL mechanism negotiation plaintext, or application messages
following authentication. But using channel binding to a secure
channel over which all SASL and application plaintext is sent will
cause all that plaintext to be authenticated.
2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
The document uses many terms and function names defined in [RFC2743],
as updated by [RFC5554].
3. Mechanism Name
There are two SASL mechanism names for any GSS-API mechanism used
through this facility. One denotes that the server supports channel
binding. The other denotes that it does not.
The SASL mechanism name for a GSS-API mechanism is that which is
provided by that mechanism when it was specified, if one was
specified. This name denotes that the server does not support
channel binding. Add the suffix "-PLUS" and the resulting name
denotes that the server does support channel binding. SASL
implementations can use the GSS_Inquire_SASLname_for_mech call (see
below) to query for the SASL mechanism name of a GSS-API mechanism.
If the GSS_Inquire_SASLname_for_mech interface is not used, the GS2
implementation needs some other mechanism to map mechanism Object
Identifiers (OIDs) to SASL names internally. In this case, the
implementation can only support the mechanisms for which it knows the
SASL name. If GSS_Inquire_SASLname_for_mech() fails and the GS2
implementation cannot map the OID to a SASL mechanism name via some
other means, then the GS2 implementation MUST NOT use the given GSS-
API mechanism.
3.1. Generating SASL Mechanism Names from GSS-API OIDs
For GSS-API mechanisms whose SASL names are not defined together with
the GSS-API mechanism or in this document, the SASL mechanism name is
concatenation of the string "GS2-" and the Base32 encoding [RFC4648]
(with an uppercase alphabet) of the first 55 bits of the binary SHA-1
hash [FIPS.180-1.1995] string computed over the ASN.1 DER encoding
[CCITT.X690.2002], including the tag and length octets, of the GSS-
API mechanism's Object Identifier. The Base32 rules on padding
characters and characters outside of the Base32 alphabet are not
relevant to this use of Base32. If any padding or non-alphabet
characters are encountered, the name is not a GS2 family mechanism
name. This name denotes that the server does not support channel
binding. Add the suffix "-PLUS" and the resulting name denotes that
the server does support channel binding.
A GS2 mechanism that has a non-OID-derived SASL mechanism name is
said to have a "user-friendly SASL mechanism name".
3.2. Computing Mechanism Names Manually
The hash-derived GS2 SASL mechanism name may be computed manually.
This is useful when the set of supported GSS-API mechanisms is known
in advance. This eliminates the need to implement Base32, SHA-1, and
DER in the SASL mechanism. The computed mechanism name can be used
directly in the implementation, and the implementation need not be
concerned if the mechanism is part of a mechanism family.
3.3. Examples
The OID for the Simple Public-Key GSS-API Mechanism (SPKM-1)
[RFC2025] is 1.3.6.1.5.5.1.1. The ASN.1 DER encoding of the OID,
including the tag and length, is (in hex) 06 07 2b 06 01 05 05 01 01.
The SHA-1 hash of the ASN.1 DER encoding is (in hex) 1c f8 f4 2b 5a
9f 80 fa e9 f8 31 22 6d 5d 9d 56 27 86 61 ad. Convert the first 7
octets to binary, drop the last bit, and re-group them in groups of
5, and convert them back to decimal, which results in these
computations:
hex:
1c f8 f4 2b 5a 9f 80
binary:
00011100 11111000 11110100 00101011 01011010
10011111 1000000
binary in groups of 5:
00011 10011 11100 01111 01000 01010 11010 11010
10011 11110 00000
decimal of each group:
3 19 28 15 8 10 26 26 19 30 0
base32 encoding:
D T 4 P I K 2 2 T 6 A
The last step translates each decimal value using table 3 in Base32
[RFC4648]. Thus, the SASL mechanism name for the SPKM-1 GSSAPI
mechanism is "GS2-DT4PIK22T6A".
The OID for the Kerberos V5 GSS-API mechanism [RFC1964] is
1.2.840.113554.1.2.2 and its DER encoding is (in hex) 06 09 2A 86 48
86 F7 12 01 02 02. The SHA-1 hash is 82 d2 73 25 76 6b d6 c8 45 aa
93 25 51 6a fc ff 04 b0 43 60. Convert the 7 octets to binary, drop
the last bit, and re-group them in groups of 5, and convert them back
to decimal, which results in these computations:
hex:
82 d2 73 25 76 6b d6
binary:
10000010 11010010 01110011 00100101 01110110
01101011 1101011
binary in groups of 5:
10000 01011 01001 00111 00110 01001 01011 10110
01101 01111 01011
decimal of each group:
16 11 9 7 6 9 11 22 13 15 11
base32 encoding:
Q L J H G J L W N P L
The last step translates each decimal value using table 3 in Base32
[RFC4648]. Thus, the SASL mechanism name for the Kerberos V5 GSS-API
mechanism would be "GS2-QLJHGJLWNPL" and (because this mechanism
supports channel binding) "GS2-QLJHGJLWNPL-PLUS". Instead, the next
section assigns the Kerberos V5 mechanism a non-hash-derived
mechanism name.
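As an added worked example (Python written for this page, not code from RFC 5801 or from any SASL library; the function names are this example's own), the following reproduces the name derivation of Sections 3.1 and 3.3 end to end: DER-encode the OID, hash it with SHA-1, keep the first 55 bits, and Base32-encode them without padding. The two OIDs are the ones worked by hand above.

```python
import hashlib


def der_encode_oid(dotted: str) -> bytes:
    """DER-encode an OBJECT IDENTIFIER: tag 0x06, length, base-128 sub-identifiers."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("not a valid OID: %r" % dotted)
    subids = [40 * arcs[0] + arcs[1]] + arcs[2:]   # first two arcs share one sub-identifier
    body = bytearray()
    for sid in subids:
        chunk = [sid & 0x7F]                        # low 7 bits go last, without continuation bit
        sid >>= 7
        while sid:
            chunk.append(0x80 | (sid & 0x7F))       # higher 7-bit groups carry the continuation bit
            sid >>= 7
        body.extend(reversed(chunk))
    if len(body) > 127:
        raise ValueError("short-form length only; no GSS-API mechanism OID is this long")
    return bytes([0x06, len(body)]) + bytes(body)


def gs2_base32_55bits(digest: bytes) -> str:
    """Uppercase Base32 (RFC 4648) of the first 55 bits of a digest, no padding."""
    if len(digest) < 7:
        raise ValueError("need at least 7 octets of digest")
    v = int.from_bytes(digest[:7], "big") >> 1     # 56 bits, drop the last one
    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
    return "".join(alphabet[(v >> (5 * (10 - i))) & 0x1F] for i in range(11))


def gs2_mech_name(oid: str, plus: bool = False) -> str:
    """SASL mechanism name for a GSS-API mechanism OID, per RFC 5801 Section 3.1."""
    digest = hashlib.sha1(der_encode_oid(oid)).digest()
    name = "GS2-" + gs2_base32_55bits(digest)
    return name + "-PLUS" if plus else name


if __name__ == "__main__":
    for oid in ("1.3.6.1.5.5.1.1", "1.2.840.113554.1.2.2"):
        print(oid, der_encode_oid(oid).hex(), gs2_mech_name(oid), gs2_mech_name(oid, plus=True))
```

For the two OIDs above this yields GS2-DT4PIK22T6A and GS2-QLJHGJLWNPL. A stock encoder works too: `base64.b32encode(digest[:7])[:11]` gives the same eleven characters, because only the twelfth Base32 character depends on bit 56, which is the bit the derivation drops.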
3.4. Grandfathered Mechanism Names
Some older GSS-API mechanisms were not specified with a SASL GS2
mechanism name. Using a shorter name can be useful, nonetheless. We
specify the names "GS2-KRB5" and "GS2-KRB5-PLUS" for the Kerberos V5
mechanism, to be used as if the original specification documented it,
see Section 15.
4. SASL Authentication Exchange Message Format
During the SASL authentication exchange for GS2, a number of messages
in the format described below are sent between the client and
server. On success, this number is the same as the number of context
tokens that the GSS-API mechanism would normally require in order to
establish a security context. On failures, the exchange can be
terminated early by any party.
When using a GS2 mechanism the SASL client is always a GSS-API
initiator and the SASL server is always a GSS-API acceptor. The
client calls GSS_Init_sec_context and the server calls
GSS_Accept_sec_context.
All the SASL authentication messages exchanged are exactly the same
as the security context tokens of the GSS-API mechanism, except for
the initial security context token.
The client and server MAY send GSS-API error tokens (tokens output by
GSS_Init_sec_context() or GSS_Accept_sec_context() when the major
status code is other than GSS_S_COMPLETE or GSS_S_CONTINUE_NEEDED).
As this indicates an error condition, after sending the token, the
sending side should fail the authentication.
The initial security context token is modified as follows:
o The initial context token header (see Section 3.1 of [RFC2743])
MUST be removed if present. If the header is not present, the
client MUST send a "gs2-nonstd-flag" flag (see below). On the
server side, this header MUST be recomputed and restored prior to
passing the token to GSS_Accept_sec_context, except when the "gs2-
nonstd-flag" is sent.
o A GS2 header MUST be prefixed to the resulting initial context
token. This header has the form "gs2-header" given below in ABNF
[RFC5234].
The figure below describes the permissible attributes, their use, and
the format of their values. All attribute names are single US-ASCII
letters and are case sensitive.
UTF8-1-safe     = %x01-2B / %x2D-3C / %x3E-7F
                  ;; As UTF8-1 in RFC 3629 except
                  ;; NUL, "=", and ",".
UTF8-2          = <as defined in RFC 3629 (STD 63)>
UTF8-3          = <as defined in RFC 3629 (STD 63)>
UTF8-4          = <as defined in RFC 3629 (STD 63)>
UTF8-char-safe  = UTF8-1-safe / UTF8-2 / UTF8-3 / UTF8-4
saslname        = 1*(UTF8-char-safe / "=2C" / "=3D")
gs2-authzid     = "a=" saslname
                  ;; GS2 has to transport an authzid since
                  ;; the GSS-API has no equivalent
gs2-nonstd-flag = "F"
                  ;; "F" means the mechanism is not a
                  ;; standard GSS-API mechanism in that the
                  ;; RFC 2743, Section 3.1 header was missing
cb-name         = 1*(ALPHA / DIGIT / "." / "-")
                  ;; See RFC 5056, Section 7.
gs2-cb-flag     = ("p=" cb-name) / "n" / "y"
                  ;; GS2 channel binding (CB) flag
                  ;; "p" -> client supports and used CB
                  ;; "n" -> client does not support CB
                  ;; "y" -> client supports CB, thinks the server
                  ;;        does not
gs2-header      = [gs2-nonstd-flag ","] gs2-cb-flag "," [gs2-authzid] ","
                  ;; The GS2 header is gs2-header.
When the "gs2-nonstd-flag" flag is present, the client did not find/
remove a token header ([RFC2743], Section 3.1) from the initial token
returned by GSS_Init_sec_context. This signals to the server that it
MUST NOT re-add the data that is normally removed by the client.
The "gs2-cb-flag" signals the channel binding mode. One of "p", "n",
or "y" is used. A "p" means the client supports and used a channel
binding, and the name of the channel binding type is indicated. An
"n" means that the client does not support channel binding. A "y"
means the client supports channel binding, but believes the server
does not support it, so it did not use a channel binding. See the
next section for more details.
The "gs2-authzid" holds the SASL authorization identity. It is
encoded using UTF-8 [RFC3629] with three exceptions:
o The NUL character is forbidden as required by section 3.4.1 of
[RFC4422].
o The client MUST replace any "," (comma) in the string with "=2C".
o The client MUST replace any "=" (equals) in the string with "=3D".
The server reverses these two substitutions when it decodes the
received value; any other use of "=" is a malformed header.
Upon receipt of this value, the server verifies its correctness
according to the used SASL protocol profile. Failed verification
results in a failed authentication exchange.
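The header surgery described in the first bullet above, as an added example (Python written for this page, not code from the RFC or from any GSS-API or SASL implementation; function names are this example's own): the client strips the RFC 2743 Section 3.1 framing (tag 0x60, DER length, the mechanism OID) from the initial token and signals "F" when that framing is absent, and the server rebuilds the framing from the OID of the mechanism it selected by SASL mechanism name rather than from anything the client sent. The Kerberos OID bytes are those shown in Section 3.3; the token contents are constructed.

```python
# DER of the Kerberos V5 mechanism OID 1.2.840.113554.1.2.2, as shown in RFC 5801 Section 3.3.
KRB5_MECH_OID_DER = bytes.fromhex("06092a864886f712010202")


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def parse_der_length(buf: bytes, pos: int):
    """Return (length, position after the length octets); reject indefinite and truncated forms."""
    first = buf[pos]                       # IndexError on truncation is handled by the caller
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def strip_initial_token_header(token: bytes):
    """Client side. Returns (payload, nonstd).

    With the RFC 2743 Section 3.1 framing 0x60 <len> 0x06 <oidlen> <oid> <inner>
    present and consistent, only <inner> is returned and nonstd is False. Anything
    else is sent unchanged and the client must prefix "F," to the GS2 header.
    """
    try:
        if token[0] != 0x60:
            raise ValueError
        total, pos = parse_der_length(token, 1)
        if total != len(token) - pos or token[pos] != 0x06:
            raise ValueError               # length does not cover the token, or no OID follows
        oid_len, pos = parse_der_length(token, pos + 1)
        if oid_len == 0 or pos + oid_len > len(token):
            raise ValueError
        return token[pos + oid_len:], False
    except (IndexError, ValueError):
        return token, True


def restore_initial_token_header(mech_oid_der: bytes, payload: bytes) -> bytes:
    """Server side. Rebuild the framing from the OID of the mechanism chosen by SASL name."""
    if not mech_oid_der.startswith(b"\x06"):
        raise ValueError("mech_oid_der must be a DER OBJECT IDENTIFIER")
    contents = mech_oid_der + payload
    return b"\x60" + der_length(len(contents)) + contents


def server_receive_initial_token(payload: bytes, nonstd: bool, mech_oid_der: bytes) -> bytes:
    """The first token the server passes to GSS_Accept_sec_context."""
    return payload if nonstd else restore_initial_token_header(mech_oid_der, payload)
```

The strict length check matters on the client: a token that merely starts with 0x60 but is not a well-formed InitialContextToken is passed through with the "F" flag rather than mangled, which keeps the server from re-adding a header the mechanism never produced.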
5. Channel Bindings
GS2 supports channel binding to external secure channels, such as
TLS. Clients and servers may or may not support channel binding;
therefore, the use of channel binding is negotiable. However, GS2
does not provide security layers; therefore, it is imperative that
GS2 provide integrity protection for the negotiation of channel
binding.
Use of channel binding is negotiated as follows:
o Servers that support the use of channel binding SHOULD advertise
both the non-PLUS and PLUS-variant of each GS2 mechanism name. If
the server cannot support channel binding, it SHOULD advertise
only the non-PLUS-variant. If the server would never succeed in
the authentication of the non-PLUS-variant due to policy reasons,
it MUST advertise only the PLUS-variant.
o If the client supports channel binding and the server does not
appear to (i.e., the client did not see the -PLUS name advertised
by the server), then the client MUST NOT use an "n" gs2-cb-flag.
o Clients that support mechanism negotiation and channel binding
MUST use a "p" gs2-cb-flag when the server offers the PLUS-variant
of the desired GS2 mechanism.
o If the client does not support channel binding, then it MUST use
an "n" gs2-cb-flag. Conversely, if the client requires the use of
channel binding then it MUST use a "p" gs2-cb-flag. Clients that
do not support mechanism negotiation never use a "y" gs2-cb-flag,
they use either "p" or "n" according to whether they require and
support the use of channel binding or whether they do not,
respectively.
o The client generates the chan_bindings input parameter for
GSS_Init_sec_context as described below.
o Upon receipt of the initial authentication message, the server
checks the gs2-cb-flag in the GS2 header and constructs a
chan_bindings parameter for GSS_Accept_sec_context as described
below. If the client channel binding flag was "y" and the server
did advertise support for channel bindings (by advertising the
PLUS-variant of the mechanism chosen by the client), then the
server MUST fail authentication. If the client channel binding
flag was "p" and the server does not support the indicated channel
binding type, then the server MUST fail authentication.
o If the client used an "n" gs2-cb-flag and the server requires the
use of channel binding, then the server MUST fail authentication.
FLAG  CLIENT CB SUPPORT  SERVER CB SUPPORT  DISPOSITION
----  -----------------  -----------------  -----------
n     no support         N/A                If server disallows
                                            non-channel-bound
                                            authentication, then
                                            fail
y     Yes, not required  No                 Authentication may
                                            succeed; CB not used
y     Yes, not required  Yes                Authentication must fail
p     Yes                Yes                Authentication may
                                            succeed, with CB used
p     Yes                No                 Authentication will fail
N/A   Yes, required      No                 Client does not even try
For more discussion of channel bindings, and the syntax of the
channel binding data for various security protocols, see [RFC5056].
5.1. Content of GSS-CHANNEL-BINDINGS Structure
The calls to GSS_Init_sec_context and GSS_Accept_sec_context take a
chan_bindings parameter. The value is a GSS-CHANNEL-BINDINGS
structure [RFC5554].
The initiator-address-type and acceptor-address-type fields of the
GSS-CHANNEL-BINDINGS structure MUST be set to 0. The initiator-
address and acceptor-address fields MUST be the empty string.
The application-data field MUST be set to the gs2-header, excluding
the initial [gs2-nonstd-flag ","] part, concatenated with, when a
gs2-cb-flag of "p" is used, the application's channel binding data.
5.2. Default Channel Binding
A default channel binding type agreement process for all SASL
application protocols that do not provide their own channel binding
type agreement is provided as follows.
'tls-unique' is the default channel binding type for any application
that doesn't specify one.
Servers MUST implement the "tls-unique" [RFC5929] channel binding
type, if they implement any channel binding. Clients SHOULD
implement the "tls-unique" channel binding type, if they implement
any channel binding. Clients and servers SHOULD choose the highest-
layer/innermost end-to-end TLS channel as the channel to which to
bind.
Servers MUST choose the channel binding type indicated by the client,
or fail authentication if they don't support it.
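One way to put Sections 4 and 5 together in code, as an added example (Python written for this page, not code from the RFC or from any SASL library; all function names are this example's own): building and parsing the gs2-header with the "=2C"/"=3D" escaping, choosing the gs2-cb-flag on the client from the advertised mechanism list, applying the server's disposition table, and producing the application-data that goes into GSS-CHANNEL-BINDINGS. The sample messages are constructed.

```python
import re

CB_NAME_RE = re.compile(r"[A-Za-z0-9.\-]+")   # cb-name = 1*(ALPHA / DIGIT / "." / "-")


def encode_saslname(s: str) -> bytes:
    """Escape an authzid for gs2-authzid; "=" goes first so "=2C" is not escaped twice."""
    if "\x00" in s:
        raise ValueError("NUL is forbidden in an authzid (RFC 4422, Section 3.4.1)")
    return s.replace("=", "=3D").replace(",", "=2C").encode("utf-8")


def decode_saslname(raw: bytes) -> str:
    """Reverse encode_saslname; "=2C" and "=3D" are the only legal uses of "="."""
    s, out, i = raw.decode("utf-8"), [], 0
    while i < len(s):
        if s[i] == "=":
            esc = {"=2C": ",", "=3D": "="}.get(s[i:i + 3])
            if esc is None:
                raise ValueError("bad escape in saslname")
            out.append(esc)
            i += 3
        elif s[i] in ",\x00":
            raise ValueError("unescaped ',' or NUL in saslname")
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def build_gs2_header(cb_flag, cb_name=None, authzid=None, nonstd=False) -> bytes:
    """Client: gs2-header = [F ","] gs2-cb-flag "," [gs2-authzid] ","."""
    if cb_flag == "p":
        if not cb_name or not CB_NAME_RE.fullmatch(cb_name):
            raise ValueError("'p' needs a valid channel binding type name")
        flag = b"p=" + cb_name.encode("ascii")
    elif cb_flag in ("n", "y"):
        flag = cb_flag.encode("ascii")
    else:
        raise ValueError("gs2-cb-flag must be p, n or y")
    authz = b"a=" + encode_saslname(authzid) if authzid else b""
    return (b"F," if nonstd else b"") + flag + b"," + authz + b","


def parse_gs2_message(msg: bytes):
    """Server: split the client's first message into (fields, context token).
    fields["cb_header"] is the gs2-header minus "F,", the bytes both sides bind to."""
    nonstd = msg.startswith(b"F,")
    pos = 2 if nonstd else 0
    end = msg.find(b",", pos)
    if end < 0:
        raise ValueError("malformed GS2 header: no cb flag")
    cbfield = msg[pos:end]
    if cbfield in (b"n", b"y"):
        cb_flag, cb_name = cbfield.decode("ascii"), None
    elif cbfield.startswith(b"p=") and CB_NAME_RE.fullmatch(cbfield[2:].decode("ascii", "replace")):
        cb_flag, cb_name = "p", cbfield[2:].decode("ascii")
    else:
        raise ValueError("malformed GS2 header: bad cb flag")
    pos, end = end + 1, msg.find(b",", end + 1)
    if end < 0:
        raise ValueError("malformed GS2 header: authzid field not terminated")
    authzid = None
    if msg[pos:end]:
        if not msg[pos:end].startswith(b"a="):
            raise ValueError("malformed GS2 header: bad authzid field")
        authzid = decode_saslname(msg[pos + 2:end])
    fields = {"nonstd": nonstd, "cb_flag": cb_flag, "cb_name": cb_name,
              "authzid": authzid, "cb_header": msg[2 if nonstd else 0:end + 1]}
    return fields, msg[end + 1:]


def client_cb_flag(mech, offered, supports_cb, requires_cb):
    """Client side of Section 5: which gs2-cb-flag to send; None means do not even try."""
    if not supports_cb:
        return "n" if mech in offered else None
    if mech + "-PLUS" in offered:
        return "p"
    return None if requires_cb else "y"


def server_cb_check(cb_flag, cb_name, advertised_plus, cb_types, requires_cb):
    """Server side of the Section 5 table. Returns (accept, reason)."""
    if cb_flag == "n":
        return (not requires_cb), "client does not support channel binding"
    if cb_flag == "y":
        # We advertised -PLUS, so the client's view of the mechanism list was tampered with.
        return (not advertised_plus), "'y' while -PLUS was advertised: downgrade, must fail"
    return (advertised_plus and cb_name in cb_types), "'p' needs a supported cb type"


def chan_bindings_application_data(cb_header: bytes, cb_flag: str, cb_data: bytes = None) -> bytes:
    """application-data for GSS-CHANNEL-BINDINGS (Section 5.1); the address fields stay empty."""
    if cb_flag == "p":
        if not cb_data:
            raise ValueError("'p' requires the application's channel binding data")
        return cb_header + cb_data
    return cb_header
```

Two details carry the security argument. cb_header deliberately excludes the "F," prefix, as Section 5.1 requires, so both sides bind to identical bytes. And the server's handling of "y" is what makes the negotiation downgrade-resistant: an attacker who strips the -PLUS names from the server's advertisement causes the client to send "y", which a -PLUS-capable server rejects. The header travels in the clear; it is authenticated only because both sides feed the same bytes into the channel binding input of the GSS-API mechanism.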
6. Examples
Example #1: a one round-trip GSS-API context token exchange, no
channel binding, optional authzid given.
C: Request authentication exchange
S: Empty Challenge
C: n,a=someuser,<initial context token with standard
header removed>
S: Send reply context token as is
C: Empty message
S: Outcome of authentication exchange
Example #2: a one and one half round-trip GSS-API context token
exchange, no channel binding.
C: Request authentication exchange
S: Empty Challenge
C: n,,<initial context token with standard
header removed>
S: Send reply context token as is
C: Send reply context token as is
S: Outcome of authentication exchange
Example #3: a two round-trip GSS-API context token exchange, no
channel binding, no standard token header.
C: Request authentication exchange
S: Empty Challenge
C: F,n,,<initial context token without
standard header>
S: Send reply context token as is
C: Send reply context token as is
S: Send reply context token as is
C: Empty message
S: Outcome of authentication exchange
Example #4: using channel binding, optional authzid given.
C: Request authentication exchange
S: Empty Challenge
C: p=tls-unique,a=someuser,<initial context token with standard
header removed>
S: Send reply context token as is
...
Example #5: using channel binding.
C: Request authentication exchange
S: Empty Challenge
C: p=tls-unique,,<initial context token with standard
header removed>
S: Send reply context token as is
...
Example #6: using non-standard channel binding (requires out-of-band
negotiation).
C: Request authentication exchange
S: Empty Challenge
C: p=tls-server-end-point,,<initial context token with standard
header removed>
S: Send reply context token as is
...
Example #7: client supports channel bindings but server does not,
optional authzid given.
C: Request authentication exchange
S: Empty Challenge
C: y,a=someuser,<initial
context token with standard header removed>
S: Send reply context token as is
...
GSS-API authentication is always initiated by the client. The SASL
framework allows either the client or the server to initiate
authentication. In GS2, the server will send an initial empty
challenge (zero-byte string) if it has not yet received a token from
the client. See Section 3 of [RFC4422].
7. Authentication Conditions
Authentication MUST NOT succeed if any one of the following
conditions is true:
o If GSS_Init/Accept_sec_context returns anything other than
GSS_S_CONTINUE_NEEDED or GSS_S_COMPLETE.
o If the client's initial GS2 header does not match the ABNF.
o In particular, if the initial character of the client message is
anything except "F", "p", "n", or "y".
o If the client's GS2 channel binding flag was "y" and the server
supports channel bindings.
o If the client's GS2 channel binding flag was "p" and the server
does not support the indicated channel binding.
o If the client requires use of channel binding and the server did
not advertise support for channel binding.
o If authorization of client principal (i.e., src_name in
GSS_Accept_sec_context) to requested authzid failed.
o If the client is not authorized to the requested authzid or an
authzid could not be derived from the client's initiator principal
name.
8. GSS-API Parameters
GS2 does not use any GSS-API per-message tokens. Therefore, the per-
message token ret_flags from GSS_Init_sec_context() and
GSS_Accept_sec_context() are irrelevant; implementations SHOULD NOT
set the per-message req_flags.
The mutual_req_flag MUST be set. Clients MUST check that the
corresponding ret_flag is set when the context is fully established,
else authentication MUST fail.
Use or non-use of deleg_req_flag and anon_req_flag is an
implementation-specific detail. SASL and GS2 implementors are
encouraged to provide programming interfaces by which clients may
choose to delegate credentials and by which servers may receive them.
SASL and GS2 implementors are encouraged to provide programming
interfaces that provide a good mapping of GSS-API naming options.
9. Naming
There is no requirement that any particular GSS-API name-types be
used. However, typically, SASL servers will have host-based acceptor
principal names (see [RFC2743], Section 4.1) and clients will
typically have username initiator principal names (see [RFC2743],
Section 4.2). When a host-based acceptor principal name is used
("service@hostname"), "service" is the service name specified in the
protocol's profile and "hostname" is the fully qualified host name of
the server.
10. GSS_Inquire_SASLname_for_mech Call
We specify a new GSS-API utility function to allow SASL
implementations to more efficiently identify the GSS-API mechanism to
which a particular SASL mechanism name refers.
Inputs:
o desired_mech OBJECT IDENTIFIER
Outputs:
o major_status INTEGER
o minor_status INTEGER
o sasl_mech_name UTF-8 STRING -- SASL name for this
mechanism; caller must release with
GSS_Release_buffer()
o mech_name UTF-8 STRING -- name of this mechanism, possibly
localized; caller must release with GSS_Release_buffer()
o mech_description UTF-8 STRING -- possibly localized
description of this mechanism; caller must release with
GSS_Release_buffer()
Return major_status codes:
o GSS_S_COMPLETE indicates successful completion, and that the
output parameters hold correct information.
o GSS_S_BAD_MECH indicates that a desired_mech was unsupported
by the GSS-API implementation.
o GSS_S_FAILURE indicates that the operation failed for reasons
unspecified at the GSS-API level.
The GSS_Inquire_SASLname_for_mech call is used to get the SASL
mechanism name for a GSS-API mechanism. It also returns a name
and description of the mechanism in user-friendly form.
The output variable sasl_mech_name will hold the IANA registered
mechanism name for the GSS-API mechanism, or if none is
registered, a mechanism name computed from the OID as described
in Section 3.1 of this document.
10.1. gss_inquire_saslname_for_mech
The C binding for the GSS_Inquire_SASLname_for_mech call is as
follows.
As mentioned in [RFC2744], routines may return GSS_S_FAILURE,
indicating an implementation-specific or mechanism-specific error
condition, further details of which are reported via the minor_status
parameter.
OM_uint32 gss_inquire_saslname_for_mech(
OM_uint32 *minor_status,
const gss_OID desired_mech,
gss_buffer_t sasl_mech_name,
gss_buffer_t mech_name,
gss_buffer_t mech_description
);
Purpose:
Output the SASL mechanism name of a GSS-API mechanism.
It also returns a name and description of the mechanism in a
user-friendly form.
Parameters:
minor_status Integer, modify
Mechanism-specific status code.
desired_mech OID, read
Identifies the GSS-API mechanism to query.
sasl_mech_name buffer, character-string, modify, optional
Buffer to receive SASL mechanism name.
The application must free storage associated
with this name after use with a call to
gss_release_buffer().
mech_name buffer, character-string, modify, optional
Buffer to receive human-readable mechanism name.
The application must free storage associated
with this name after use with a call to
gss_release_buffer().
mech_description buffer, character-string, modify, optional
Buffer to receive description of mechanism.
The application must free storage associated
with this name after use with a call to
gss_release_buffer().
Function value: GSS status code:
GSS_S_COMPLETE Successful completion.
GSS_S_BAD_MECH The desired_mech OID is unsupported.
11. GSS_Inquire_mech_for_SASLname Call
To allow SASL clients to more efficiently identify to which GSS-API
mechanism a particular SASL mechanism name refers, we specify a new
GSS-API utility function for this purpose.
Inputs:
o sasl_mech_name UTF-8 STRING -- SASL name of mechanism.
Outputs:
o major_status INTEGER
o minor_status INTEGER
o mech_type OBJECT IDENTIFIER -- must be explicit mechanism,
and not "default" specifier. Caller should treat as read-only
and should not attempt to release.
Return major_status codes:
o GSS_S_COMPLETE indicates successful completion, and that the
output parameters hold correct information.
o GSS_S_BAD_MECH indicates that no supported GSS-API mechanism
had the indicated sasl_mech_name.
o GSS_S_FAILURE indicates that the operation failed for reasons
unspecified at the GSS-API level.
The GSS_Inquire_mech_for_SASLname call is used to get the GSS-API
mechanism OID associated with a SASL mechanism name.
11.1. gss_inquire_mech_for_saslname
The C binding for the GSS_Inquire_mech_for_SASLname call is as
follows.
As mentioned in [RFC2744], routines may return GSS_S_FAILURE,
indicating an implementation-specific or mechanism-specific error
condition, further details of which are reported via the minor_status
parameter.
OM_uint32 gss_inquire_mech_for_saslname(
OM_uint32 *minor_status,
const gss_buffer_t sasl_mech_name,
gss_OID *mech_type
);
Purpose:
Output GSS-API mechanism OID of mechanism associated with given
sasl_mech_name.
Parameters:
minor_status Integer, modify
Mechanism-specific status code.
sasl_mech_name buffer, character-string, read
Buffer with SASL mechanism name.
mech_type OID, modify, optional
Actual mechanism used. The OID returned via
this parameter will be a pointer to static
storage that should be treated as read-only.
In particular, the application should not attempt
to free it. Specify NULL if not required.
Function value: GSS status code:
GSS_S_COMPLETE Successful completion.
GSS_S_BAD_MECH There is no GSS-API mechanism known
as sasl_mech_name.
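The two inquiry calls of Sections 10 and 11 modelled in Python, as an added example (not code from RFC 5801 or from any GSS-API implementation). It reimplements the name derivation that Section 3.1 prescribes for mechanisms without a registered name ("GS2-" followed by the Base32 encoding of the first 55 bits of the SHA-1 hash over the DER encoding of the mechanism OID), falls back to it from a table of registered names, and returns None where the GSS-API call would return GSS_S_BAD_MECH. The set of locally supported mechanisms and the unregistered OID under the private-enterprise arc are constructed for the example.

```python
"""SASL mechanism name <-> GSS-API mechanism OID mapping for GS2.

Added example, not code from RFC 5801 or any GSS-API implementation.  None is
returned where the real calls return GSS_S_BAD_MECH.
"""
import base64
import hashlib

KRB5_OID = "1.2.840.113554.1.2.2"     # Kerberos V5 GSS-API mechanism (RFC 1964/4121)
SPNEGO_OID = "1.3.6.1.5.5.2"          # SPNEGO (RFC 4178); name reserved but MUST NOT be used
EXAMPLE_OID = "1.3.6.1.4.1.99999.1"   # constructed, unregistered OID for the fallback path

# IANA-registered SASL names for GSS-API mechanisms (RFC 5801 Section 15).
REGISTERED = {KRB5_OID: "GS2-KRB5", SPNEGO_OID: "SPNEGO"}
# What the local GSS-API implementation claims to support (constructed).
SUPPORTED_MECHS = {KRB5_OID, SPNEGO_OID, EXAMPLE_OID}


def der_encode_oid(dotted):
    """ASN.1 DER encoding (X.690) of an OBJECT IDENTIFIER in dotted form."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("not a valid OID: " + dotted)
    body = bytearray()
    for value in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunks = [value & 0x7F]           # base-128, high bit set on all but the last
        value >>= 7
        while value:
            chunks.append(0x80 | (value & 0x7F))
            value >>= 7
        body.extend(reversed(chunks))
    if len(body) > 127:
        raise ValueError("OID too long for short-form length")
    return bytes([0x06, len(body)]) + bytes(body)


def gs2_name_from_oid(dotted):
    """RFC 5801 Section 3.1: 'GS2-' + Base32 of the first 55 bits of SHA-1(DER(oid)).
    Base32 carries 5 bits per character, so 11 characters are exactly 55 bits and
    no padding is ever produced or needed."""
    digest = hashlib.sha1(der_encode_oid(dotted)).digest()
    return "GS2-" + base64.b32encode(digest)[:11].decode("ascii")


def inquire_saslname_for_mech(oid):
    """Model of GSS_Inquire_SASLname_for_mech: the registered name, else the
    computed one; None for a mechanism the implementation does not support."""
    if oid not in SUPPORTED_MECHS:
        return None
    return REGISTERED.get(oid) or gs2_name_from_oid(oid)


def inquire_mech_for_saslname(name):
    """Model of GSS_Inquire_mech_for_SASLname.  A trailing -PLUS is accepted as the
    channel-binding variant of the same mechanism (Section 15); the result is the
    explicit mechanism OID, never a 'default' specifier."""
    base = name[:-5] if name.endswith("-PLUS") else name
    for oid in SUPPORTED_MECHS:
        if inquire_saslname_for_mech(oid) == base:
            return oid
    return None
```

A SASL library can use these two lookups to build its mechanism list once at startup instead of hashing every OID on every negotiation, which is the efficiency argument the RFC gives for adding the calls.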
12. Security Layers
GS2 does not support SASL security layers. Applications that need
integrity or confidentiality protection can use either channel
binding to a secure external channel or another SASL mechanism that
does provide security layers.
13. Interoperability with the SASL GSSAPI Mechanism
The Kerberos V5 GSS-API [RFC1964] mechanism is currently used in SASL
under the name GSSAPI, see [RFC4752]. The Kerberos V5 mechanism may
also be used with the GS2 family. This causes an interoperability
problem, which is discussed and resolved below.
13.1. The Interoperability Problem
The SASL "GSSAPI" mechanism is not wire compatible with the Kerberos
V GSS-API mechanism used as a SASL GS2 mechanism.
If a client (or server) supports Kerberos V5 only under the "GSSAPI"
name, and the server (or client) supports Kerberos V5 only under the
GS2 family, the mechanism negotiation will fail.
13.2. Resolving the Problem
If the Kerberos V5 mechanism is supported under GS2 in a server, the
server SHOULD also support Kerberos V5 through the "GSSAPI"
mechanism, to avoid interoperability problems with older clients.
Reasons for violating this recommendation may include security
considerations regarding features that the "GSSAPI" mechanism lacks.
In particular, the SASL "GSSAPI" mechanism has no support for channel
bindings, which means that using an external secure channel may not
be sufficient protection against active attackers (see [RFC5056] and
[MITM]).
13.3. Additional Recommendations
If the application requires SASL security layers, then it MUST use
the SASL "GSSAPI" mechanism [RFC4752] instead of "GS2-KRB5" or "GS2-
KRB5-PLUS".
If the application can use channel binding to an external channel,
then it is RECOMMENDED that it select Kerberos V5 through the GS2
mechanism rather than the "GSSAPI" mechanism.
14. GSS-API Mechanisms That Negotiate Other Mechanisms
A GSS-API mechanism that negotiates other mechanisms will interact
badly with the SASL mechanism negotiation. There are two problems.
The first is an interoperability problem and the second is a security
concern. The problems are described and resolved below.
14.1. The Interoperability Problem
If a client implements GSS-API mechanism X, potentially negotiated
through a GSS-API mechanism Y, and the server also implements GSS-API
mechanism X negotiated through a GSS-API mechanism Z, the
authentication negotiation will fail.
14.2. Security Problem
If a client's policy is to first prefer GSSAPI mechanism X, then non-
GSSAPI mechanism Y, then GSSAPI mechanism Z, and if a server supports
mechanisms Y and Z but not X, then if the client attempts to
negotiate mechanism X by using a GSS-API mechanism that negotiates
other mechanisms (such as Simple and Protected GSS-API Negotiation
(SPNEGO) [RFC4178]), it may end up using mechanism Z when it ideally
should have used mechanism Y. For this reason, the use of GSS-API
mechanisms that negotiate other mechanisms is disallowed under GS2.
14.3. Resolving the Problems
GSS-API mechanisms that negotiate other mechanisms MUST NOT be used
with the GS2 SASL mechanism. Specifically, SPNEGO [RFC4178] MUST NOT
be used as a GS2 mechanism. To make this easier for SASL
implementations, we assign a symbolic SASL mechanism name to the
SPNEGO GSS-API mechanism, "SPNEGO". SASL client implementations MUST
NOT choose the SPNEGO mechanism under any circumstances.
The GSS_C_MA_MECH_NEGO attribute of GSS_Inquire_attrs_for_mech
[RFC5587] can be used to identify such mechanisms.
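The selection policy that Sections 13 and 14 add up to, as an added Python example (not code from RFC 5801 or from any SASL library): the client walks its own preference list at the SASL layer, never selects a GSS-API mechanism that negotiates other mechanisms (SPNEGO by name, or anything the local GSS-API reports with GSS_C_MA_MECH_NEGO), picks a -PLUS name only when it will actually channel bind, and chooses between "GSSAPI" and GS2 Kerberos by whether it needs security layers or can channel bind. The attribute table is constructed, and "GS2-X" is a hypothetical GS2 mechanism standing in for mechanism X in the Section 14.2 scenario.

```python
"""Client-side SASL mechanism selection with GS2 mechanisms in the list.

Added example, not code from RFC 5801 or any SASL library.  The mechanism
attribute table is constructed; "GS2-X" is hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Mech:
    name: str
    negotiates: bool   # models GSS_C_MA_MECH_NEGO from GSS_Inquire_attrs_for_mech (RFC 5587)


KNOWN = {m.name: m for m in [
    Mech("GSSAPI", False),          # RFC 4752: security layers, no channel binding
    Mech("GS2-KRB5", False),
    Mech("GS2-KRB5-PLUS", False),
    Mech("SPNEGO", True),           # Section 14.3: MUST NOT be chosen
    Mech("SPNEGO-PLUS", True),
    Mech("SCRAM-SHA-1", False),     # RFC 5802, a non-GSS-API SASL mechanism
    Mech("GS2-X", False),           # hypothetical GS2 mechanism (Section 14.2's X)
]}


def select_mechanism(preference, advertised, need_security_layer=False, can_channel_bind=False):
    """First mechanism in the client's preference order that the server advertised
    and that the Section 12-14 rules allow, or None if nothing qualifies."""
    offered = set(advertised)
    fallback = None
    for name in preference:
        mech = KNOWN.get(name)
        if mech is None or name not in offered:
            continue
        if mech.negotiates:
            continue                        # Section 14.3: SPNEGO and the like are out
        if name.endswith("-PLUS") and not can_channel_bind:
            continue                        # -PLUS is only for clients that will channel bind
        if name.startswith("GS2-") and need_security_layer:
            continue                        # Sections 12, 13.3: GS2 has no security layers
        if name == "GSSAPI" and can_channel_bind and offered & {"GS2-KRB5", "GS2-KRB5-PLUS"}:
            fallback = fallback or name     # Section 13.3: prefer GS2 Kerberos when binding
            continue
        return name
    return fallback
```

In the Section 14.2 scenario (client prefers X, then a non-GSS mechanism, then GS2-KRB5; server offers the last two plus SPNEGO) this picks the non-GSS mechanism, which is what the client's policy asked for; letting SPNEGO negotiate inside GSS-API would have silently produced GS2-KRB5 instead.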
15. IANA Considerations
The IANA has registered a SASL mechanism family as per [RFC4422]
using the following information.
Subject: Registration of SASL mechanism family GS2-*
SASL mechanism prefix: GS2-
Security considerations: RFC 5801
Published specification: RFC 5801
Person & email address to contact for further information:
Simon Josefsson <simon@josefsson.org>
Intended usage: COMMON
Owner/Change controller: iesg@ietf.org
Note: Compare with the GSSAPI and GSS-SPNEGO mechanisms.
The IANA is advised that SASL mechanism names starting with "GS2-"
are reserved for SASL mechanisms that conform to this document. The
IANA has placed a statement to that effect in the SASL Mechanisms
registry.
The IANA is further advised that GS2 SASL mechanism names MUST NOT
end in "-PLUS" except as a version of another mechanism name simply
suffixed with "-PLUS".
The SASL names for the Kerberos V5 GSS-API mechanism [RFC4121]
[RFC1964] used via GS2 SHALL be "GS2-KRB5" and "GS2-KRB5-PLUS".
The SASL names for the SPNEGO GSS-API mechanism used via GS2 SHALL be
"SPNEGO" and "SPNEGO-PLUS". As described in Section 14, the SASL
"SPNEGO" and "SPNEGO-PLUS" MUST NOT be used. These names are
provided as a convenience for SASL library implementors.
16. Security Considerations
Security issues are also discussed throughout this memo.
The security provided by a GS2 mechanism depends on the security of
the GSS-API mechanism. The GS2 mechanism family depends on channel
binding support, so GSS-API mechanisms that do not support channel
binding cannot be successfully used as SASL mechanisms via the GS2
bridge.
Because GS2 does not support security layers, it is strongly
RECOMMENDED that channel binding to a secure external channel be
used. Successful channel binding eliminates the possibility of man-
in-the-middle (MITM) attacks, provided that the external channel and
its channel binding data are secure and that the GSS-API mechanism
used is secure. Authentication failure because of channel binding
failure may indicate that an MITM attack was attempted, but note that
a real MITM attacker would likely attempt to close the connection to
the client or simulate network partition; thus, MITM attack detection
is heuristic.
Use of channel binding will also protect the SASL mechanism
negotiation -- if there is no MITM, then the external secure channel
will have protected the SASL mechanism negotiation.
The channel binding data MAY be sent (by the actual GSS-API mechanism
used) without confidentiality protection and knowledge of it is
assumed to provide no advantage to an MITM (who can, in any case,
compute the channel binding data independently). If the external
channel does not provide confidentiality protection and the GSS-API
mechanism does not provide confidentiality protection for the channel
binding data, then passive attackers (eavesdroppers) can recover the
channel binding data, see [RFC5056].
When constructing the input_name_string for GSS_Import_name with the
GSS_C_NT_HOSTBASED_SERVICE name type, the client SHOULD NOT
canonicalize the server's fully qualified domain name using an
insecure or untrusted directory service, such as the Domain Name
System [RFC1034] without DNS Security (DNSSEC) [RFC4033].
SHA-1 is used to derive SASL mechanism names, but no traditional
cryptographic properties are required -- the required property is
that the truncated outputs for distinct inputs differ for practical
input values. GS2 does not use any other cryptographic algorithm.
Therefore, GS2 is "algorithm agile", or, as agile as the GSS-API
mechanisms that are available for use in SASL applications via GS2.
GS2 does not protect against downgrade attacks of channel binding
types. Negotiation of channel binding type was intentionally left
out of scope for this document.
The security considerations of SASL [RFC4422], the GSS-API [RFC2743],
channel binding [RFC5056], any external channels (such as TLS
[RFC5246]), channel binding types (see the IANA channel binding type
registry), and GSS-API mechanisms (such as the Kerberos V5 mechanism
[RFC4121] [RFC1964]) also apply.
17. Acknowledgements
The history of GS2 can be traced to the "GSSAPI" mechanism originally
specified by RFC 2222. This document was derived from [SASL-GSSAPI],
which was prepared by Alexey Melnikov with significant contributions
from John G. Myers, although the majority of this document has been
rewritten by the current authors.
Contributions of many members of the SASL mailing list are gratefully
acknowledged. In particular, ideas and feedback from Pasi Eronen,
Sam Hartman, Jeffrey Hutzelman, Alexey Melnikov, and Tom Yu improved
the document and the protocol. Other suggestions to the documents
were made by Spencer Dawkins, Ralph Droms, Adrian Farrel, Robert
Sparks, and Glen Zorn.
18. References
18.1. Normative References
[FIPS.180-1.1995]
National Institute of Standards and Technology, "Secure
Hash Standard", FIPS PUB 180-1, April 1995,
<http://www.itl.nist.gov/fipspubs/fip180-1.htm>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2743] Linn, J., "Generic Security Service Application Program
Interface Version 2, Update 1", RFC 2743, January 2000.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, November 2003.
[RFC4422] Melnikov, A. and K. Zeilenga, "Simple Authentication and
Security Layer (SASL)", RFC 4422, June 2006.
[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 4648, October 2006.
[RFC5056] Williams, N., "On the Use of Channel Bindings to Secure
Channels", RFC 5056, November 2007.
[RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, RFC 5234, January 2008.
[RFC5554] Williams, N., "Clarifications and Extensions to the
Generic Security Service Application Program Interface
(GSS-API) for the Use of Channel Bindings", RFC 5554,
May 2009.
[CCITT.X690.2002]
International Telephone and Telegraph Consultative
Committee, "ASN.1 encoding rules: Specification of basic
encoding Rules (BER), Canonical encoding rules (CER) and
Distinguished encoding rules (DER)", CCITT Recommendation
X.690, July 2002.
[RFC5929] Altman, J., Williams, N., and L. Zhu, "Channel Bindings
for TLS", RFC 5929, July 2010.
18.2. Informative References
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, November 1987.
[RFC1964] Linn, J., "The Kerberos Version 5 GSS-API Mechanism",
RFC 1964, June 1996.
[RFC2025] Adams, C., "The Simple Public-Key GSS-API Mechanism
(SPKM)", RFC 2025, October 1996.
[RFC2222] Myers, J., "Simple Authentication and Security Layer
(SASL)", RFC 2222, October 1997.
[RFC2744] Wray, J., "Generic Security Service API Version 2 :
C-bindings", RFC 2744, January 2000.
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements",
RFC 4033, March 2005.
[RFC4121] Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos
Version 5 Generic Security Service Application Program
Interface (GSS-API) Mechanism: Version 2", RFC 4121,
July 2005.
[RFC4178] Zhu, L., Leach, P., Jaganathan, K., and W. Ingersoll, "The
Simple and Protected Generic Security Service Application
Program Interface (GSS-API) Negotiation Mechanism",
RFC 4178, October 2005.
[RFC4752] Melnikov, A., "The Kerberos V5 ("GSSAPI") Simple
Authentication and Security Layer (SASL) Mechanism",
RFC 4752, November 2006.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008.
[RFC5587] Williams, N., "Extended Generic Security Service Mechanism
Inquiry APIs", RFC 5587, July 2009.
[RFC5802] Menon-Sen, A., Melnikov, A., Newman, C., and N. Williams,
"Salted Challenge Response Authentication Mechanism
(SCRAM) SASL and GSS-API Mechanisms", RFC 5802, July 2010.
[MITM] Asokan, N., Niemi, V., and K. Nyberg, "Man-in-the-Middle
in Tunnelled Authentication", in 11th Security
Protocols Workshop, 2002.
[SASL-GSSAPI]
Melnikov, A., "The Kerberos V5 ("GSSAPI") SASL mechanism",
Work in Progress, March 2005.
Authors' Addresses
Simon Josefsson
SJD AB
Hagagatan 24
Stockholm 113 47
SE
EMail: simon@josefsson.org
URI: http://josefsson.org/
Nicolas Williams
Oracle
5300 Riata Trace Ct
Austin, TX 78727
USA
EMail: Nicolas.Williams@oracle.com