I-D Action: draft-zhu-negoex-04.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.

	Title           : SPNEGO Extended Negotiation (NEGOEX) Security Mechanism
	Author(s)       : M. Short, et al.
	Filename        : draft-zhu-negoex-04.txt
	Pages           : 24
	Date            : 2011-01-03

This document defines the SPNEGO Extended Negotiation (NEGOEX)
Security Mechanism.  NEGOEX enhances the capabilities of SPNEGO by
providing a security mechanism which can be negotiated by the SPNEGO
protocol as defined in RFC4178.

The NEGOEX protocol itself is a security mechanism negotiated by
SPNEGO.  When the NEGOEX security mechanism is selected by SPNEGO,
NEGOEX provides a method allowing selection of a common
authentication protocol based on factors beyond just the fact that
both client and server support a given security mechanism.  NEGOEX
OPTIONALLY adds a pair of meta-data messages for each negotiated
security mechanism.  The meta-data exchange allows security
mechanisms to exchange auxiliary information such as trust
configurations, thus NEGOEX provides more flexibility than just
exchanging security mechanism OIDs in SPNEGO.

NEGOEX preserves the optimistic token semantics of SPNEGO and applies
that recursively.  Consequently a context establishment mechanism
token can be included in the initial NEGOEX message, and NEGOEX does
not require an extra round-trip when the initiator's optimistic token
is accepted by the target.

Similar to SPNEGO, NEGOEX defines a few new GSS-API extensions that a
security mechanism MUST support in order to be negotiated by NEGOEX.
This document defines these GSS-API extensions.

Unlike SPNEGO, however, NEGOEX defines its own way of signing the
protocol messages in order to protect the protocol negotiation.  The
NEGOEX message signing or verification can occur before the security
context for the negotiated real security mechanism is fully
established.
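The two properties just described (negotiation messages are exchanged before any security context exists, and the negotiation is later protected by a signature computed once the selected mechanism has a key) are easy to get wrong, so here is a small Python model of them. This is an added example, not code from the draft, from the announcement, or from any NEGOEX implementation: the header layout, the message type values, the mechanism-list encoding, the key derivation and every name below are assumptions made for the demonstration, and the draft's actual message formats and checksum definition should be taken from the draft itself. What the model shows is that when both sides keep a byte-exact transcript of every negotiation message and later exchange a keyed checksum over that transcript, an in-transit change to the unauthenticated mechanism list is detected even though neither side could have authenticated the list at the time it was sent.

```python
"""Model of NEGOEX-style signing of the negotiation transcript.

Added example (not the draft's code). The header layout, message types,
key derivation and names are assumptions made for the demonstration.
"""
import hashlib
import hmac
import struct

INITIATOR_NEGO, ACCEPTOR_NEGO, VERIFY = 0, 1, 2   # hypothetical type values
HEADER = struct.Struct("<III")                     # type, sequence number, body length


def encode_message(msg_type, seq, body):
    return HEADER.pack(msg_type, seq, len(body)) + body


def decode_message(msg):
    msg_type, seq, body_len = HEADER.unpack_from(msg)
    body = msg[HEADER.size:]
    if len(body) != body_len:
        raise ValueError("body length mismatch")
    return msg_type, seq, body


def encode_mech_list(mechs):
    """Count, then each mechanism name as a 16-bit length followed by UTF-8 bytes."""
    out = struct.pack("<I", len(mechs))
    for name in mechs:
        raw = name.encode()
        out += struct.pack("<H", len(raw)) + raw
    return out


def decode_mech_list(body):
    (count,) = struct.unpack_from("<I", body)
    off, mechs = 4, []
    for _ in range(count):
        (ln,) = struct.unpack_from("<H", body, off)
        off += 2
        mechs.append(body[off:off + ln].decode())
        off += ln
    return mechs


class Party:
    """One end of the exchange; keeps the byte-exact transcript it sent and saw."""

    def __init__(self, mechs):
        self.mechs = mechs
        self.transcript = b""
        self.seq = 0
        self.context_key = None   # set once the selected mechanism has a context

    def send(self, msg_type, body):
        msg = encode_message(msg_type, self.seq, body)
        self.seq += 1
        self.transcript += msg
        return msg

    def receive(self, msg):
        self.seq += 1
        self.transcript += msg
        return decode_message(msg)

    def checksum(self):
        # MAC keyed by the established context over every message seen so far,
        # in both directions. Models the checksum carried by a VERIFY message.
        return hmac.new(self.context_key, self.transcript, hashlib.sha256).digest()

    def send_verify(self):
        return self.send(VERIFY, self.checksum())   # covers messages before VERIFY

    def receive_verify(self, msg):
        _, _, peer_checksum = decode_message(msg)
        ok = hmac.compare_digest(peer_checksum, self.checksum())
        self.receive(msg)                           # VERIFY itself joins the transcript
        return ok


def negotiate(client_mechs, server_mechs, tamper=None):
    """Run the model exchange. `tamper`, if given, rewrites the initiator's first
    message in transit (an active downgrade attempt on the unauthenticated
    negotiation). Returns (selected_mechanism, verified)."""
    client, server = Party(client_mechs), Party(server_mechs)

    # INITIATOR_NEGO: preference-ordered mechanism list, sent with no context yet.
    m1 = client.send(INITIATOR_NEGO, encode_mech_list(client_mechs))
    _, _, body = server.receive(tamper(m1) if tamper else m1)
    offered = decode_mech_list(body)

    # ACCEPTOR_NEGO: the server selects the first offered mechanism it supports.
    common = [m for m in offered if m in server_mechs]
    if not common:
        return None, False
    selected = common[0]
    client.receive(server.send(ACCEPTOR_NEGO, encode_mech_list([selected])))

    # The selected mechanism establishes its context. Constructed stand-in: the
    # key is derived from the mechanism name instead of by real authentication.
    key = hashlib.sha256(b"demo-context-key:" + selected.encode()).digest()
    client.context_key = server.context_key = key

    # VERIFY in both directions, each checked against the receiver's own transcript.
    ok_server = server.receive_verify(client.send_verify())
    ok_client = client.receive_verify(server.send_verify())
    return selected, ok_server and ok_client
```

Run `negotiate(["MechA", "MechB"], ["MechB", "MechA"])` and both VERIFY checks pass with `MechA` selected; pass a `tamper` callback that replaces the initiator's list with `["MechB"]` and the server still selects `MechB`, but both transcript checksums fail, which is exactly the downgrade the signing step exists to catch. The checksum is only as strong as the context key behind it, which is why the check has to wait until the selected mechanism has produced one.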

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-zhu-negoex-04.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.
<ftp://ftp.ietf.org/internet-drafts/draft-zhu-negoex-04.txt>
_______________________________________________
I-D-Announce mailing list
I-D-Announce@ietf.org
https://www.ietf.org/mailman/listinfo/i-d-announce
Internet-Draft directories: http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
