[rfc-dist] RFC 5896 on Generic Security Service Application Program Interface (GSS-API): Delegate if Approved by Policy

rfc-editor at rfc-editor.org
Mon Jun 28 12:54:01 PDT 2010

A new Request for Comments is now available in online RFC libraries.

        RFC 5896

        Title:      Generic Security Service Application Program
                    Interface (GSS-API): Delegate if Approved by
                    Policy
        Author:     L. Hornquist Astrand, S. Hartman
        Status:     Standards Track
        Stream:     IETF
        Date:       June 2010
        Mailbox:    lha at apple.com, 
                    hartmans-ietf at mit.edu
        Pages:      6
        Characters: 12846
        Updates/Obsoletes/SeeAlso:   None

        I-D Tag:    draft-lha-gssapi-delegate-policy-05.txt

        URL:        http://www.rfc-editor.org/rfc/rfc5896.txt

Several Generic Security Service Application Program Interface
(GSS-API) applications work in a multi-tiered architecture, where the
server takes advantage of delegated user credentials to act on behalf
of the user and contact additional servers.  In effect, the server
acts as an agent on behalf of the user.  Examples include web
applications that need to access e-mail or file servers, including
CIFS (Common Internet File System) file servers.  However, delegating
the user credentials to a party who is not sufficiently trusted is
problematic from a security standpoint.  Kerberos provides a flag
called OK-AS-DELEGATE that allows the administrator of a Kerberos
realm to communicate that a particular service is trusted for
delegation.  This specification adds support for this flag and
similar facilities in other authentication mechanisms to GSS-API (RFC

This is now a Proposed Standard Protocol.

STANDARDS TRACK: This document specifies an Internet standards track
protocol for the Internet community, and requests discussion and suggestions
for improvements.  Please refer to the current edition of the Internet
Official Protocol Standards (STD 1) for the standardization state and
status of this protocol.  Distribution of this memo is unlimited.

This announcement is sent to the IETF-Announce and rfc-dist lists.
To subscribe or unsubscribe, see

For searching the RFC series, see http://www.rfc-editor.org/rfcsearch.html.
For downloading RFCs, see http://www.rfc-editor.org/rfc.html.

Requests for special distribution should be addressed to either the
author of the RFC in question, or to rfc-editor at rfc-editor.org.  Unless
specifically noted otherwise on the RFC itself, all RFCs are for
unlimited distribution.

The RFC Editor Team
Association Management Solutions, LLC
