SPNEGO Extended Negotiation (NEGOEX) Security Mechanism
draft-zhu-negoex-04
| Field | Value |
|---|---|
| Document type | Expired Internet-Draft (individual) |
| Status | Expired & archived |
| Authors | Michiko Short, Larry Zhu, Kevin Damour, Dave McPherson |
| Last updated | 2011-01-03 |
| RFC stream | (None) |
| Intended RFC status | (None) |
| Stream state | (No stream defined) |
| Consensus boilerplate | Unknown |
| RFC Editor Note | (None) |
| IESG state | Expired |
| Telechat date | (None) |
| Responsible AD | (None) |
| Send notices to | (None) |
This Internet-Draft is no longer active; a copy of the expired Internet-Draft remains archived.
Abstract
This document defines the SPNEGO Extended Negotiation (NEGOEX) Security Mechanism. NEGOEX enhances the capabilities of SPNEGO by providing a security mechanism which can be negotiated by the SPNEGO protocol as defined in RFC4178. The NEGOEX protocol itself is a security mechanism negotiated by SPNEGO. When the NEGOEX security mechanism is selected by SPNEGO, NEGOEX provides a method allowing selection of a common authentication protocol based on factors beyond just the fact that both client and server support a given security mechanism. NEGOEX OPTIONALLY adds a pair of meta-data messages for each negotiated security mechanism. The meta-data exchange allows security mechanisms to exchange auxiliary information such as trust configurations; thus NEGOEX provides more flexibility than just exchanging security mechanism OIDs in SPNEGO. NEGOEX preserves the optimistic token semantics of SPNEGO and applies them recursively. Consequently, a context establishment mechanism token can be included in the initial NEGOEX message, and NEGOEX does not require an extra round trip when the initiator's optimistic token is accepted by the target. Similar to SPNEGO, NEGOEX defines a few new GSS-API extensions that a security mechanism MUST support in order to be negotiated by NEGOEX. This document defines these GSS-API extensions. Unlike SPNEGO, however, NEGOEX defines its own way of signing the protocol messages in order to protect the protocol negotiation. NEGOEX message signing or verification can occur before the security context for the negotiated real security mechanism is fully established.
Authors
Michiko Short
Larry Zhu
Kevin Damour
Dave McPherson
(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)