This document describes how to use a Generic Security Service
Application Program Interface (GSS-API) mechanism in the the Simple
Authentication and Security Layer (SASL) framework. This is done by
defining a new SASL mechanism family, called GS2. This mechanism
family offers a number of improvements over the previous "SASL/
GSSAPI" mechanism: it is more general, uses fewer messages for the
authentication phase in some cases, and supports negotiable use of
channel binding. Only GSS-API mechanisms that support channel
binding are supported.
Working Group Summary
The document went through several redesign phases, which resulted
in drastic change in on the wire representation. However it
represents strong WG consensus.
There were significant and long discussions over channel binding
type negotiation. After long considerations, it was decided to
leave channel binding type negotiation external to GS2 and to
provide a default of tls-unique. This simplify the design and makes
it easy to implement in popular configurations (i.e., together with
TLS). I believe that today this has strong support in the WG.
There was also a recent discussion about IANA registration
procedure for SASL mechanisms starting with GS2- prefix. The
discussion resulted in consensus that the document is correct as
At least a couple (both clients and server) implementations of the
document are planned.
Alexey Melnikov is the document shepherd for this document,
and Pasi Eronen is the responsible area director.