Generic Security Service Application Program Interface (GSS-API): Delegate if Approved by Policy, June 2010
- Canonical URL:
- File formats:
- PROPOSED STANDARD
- RFC 4120
- L. Hornquist Astrand
- NON WORKING GROUP
Discuss this RFC: Send questions or comments to firstname.lastname@example.org
Several Generic Security Service Application Program Interface (GSS-API) applications work in a multi-tiered architecture, where the server takes advantage of delegated user credentials to act on behalf of the user and contact additional servers. In effect, the server acts as an agent on behalf of the user. Examples include web applications that need to access e-mail or file servers, including CIFS (Common Internet File System) file servers. However, delegating the user credentials to a party who is not sufficiently trusted is problematic from a security standpoint. Kerberos provides a flag called OK-AS-DELEGATE that allows the administrator of a Kerberos realm to communicate that a particular service is trusted for delegation. This specification adds support for this flag and similar facilities in other authentication mechanisms to GSS-API (RFC 2743). [STANDARDS-TRACK]
For the definition of Status, see RFC 2026.
For the definition of Stream, see RFC 4844.