
RFC 5896

"Generic Security Service Application Program Interface (GSS-API): Delegate if Approved by Policy", June 2010

Canonical URL: http://www.rfc-editor.org/rfc/rfc5896.txt
This document is also available in this non-normative format: PDF.
Status: PROPOSED STANDARD
Updates: RFC 4120
Authors: L. Hornquist Astrand, S. Hartman
Stream: IETF
Source: NON WORKING GROUP



Abstract

Several Generic Security Service Application Program Interface (GSS-API) applications work in a multi-tiered architecture, where the server takes advantage of delegated user credentials to act on behalf of the user and contact additional servers. In effect, the server acts as an agent on behalf of the user. Examples include web applications that need to access e-mail or file servers, including CIFS (Common Internet File System) file servers. However, delegating the user credentials to a party who is not sufficiently trusted is problematic from a security standpoint. Kerberos provides a flag called OK-AS-DELEGATE that allows the administrator of a Kerberos realm to communicate that a particular service is trusted for delegation. This specification adds support for this flag and similar facilities in other authentication mechanisms to GSS-API (RFC 2743). [STANDARDS-TRACK]


For the definition of Status, see RFC 2026.

For the definition of Stream, see RFC 4844.

