Network Working Group J. Linn
Request for Comments: 1511 Geer Zolot Associates
September 1993
Common Authentication Technology Overview
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard. Distribution of this memo is
unlimited.
Overview
The IETF's Common Authentication Technology (CAT) working group has
pursued, and continues to pursue, several interrelated activities,
involving definition of service interfaces as well as protocols. As
a goal, it has sought to separate security implementation tasks from
integration of security data elements into caller protocols, enabling
those tasks to be partitioned and performed separately by
implementors with different areas of expertise. This strategy is
intended to provide leverage for the IETF community's security-
oriented resources (by allowing a single security implementation to
be integrated with, and used by, multiple caller protocols), and to
allow protocol implementors to focus on the functions that their
protocols are designed to provide rather than on characteristics of
particular security mechanisms (by defining an abstract service which
multiple mechanisms can realize).
The CAT WG has worked towards agreement on a common service
interface, (the Generic Security Service Application Program
Interface, or GSS-API), allowing callers to invoke security
functions, and also towards agreement on a common security token
format incorporating means to identify the mechanism type in
conjunction with which security data elements should be interpreted.
The GSS-API, comprising a mechanism-independent model for security
integration, provides authentication services (peer entity
authentication) to a variety of protocol callers in a manner which
insulates those callers from the specifics of underlying security
mechanisms. With certain underlying mechanisms, per-message
protection facilities (data origin authentication, data integrity,
and data confidentiality) can also be provided. This work is
represented in a pair of RFCs: RFC-1508 (GSS-API) and RFC-1509
(concrete bindings realizing the GSS-API for the C language).
Concurrently, the CAT WG has worked on agreements on underlying
security technologies, and their associated protocols, implementing
the GSS-API model. Definitions of two candidate mechanisms are
currently available as Internet specifications; development of
additional mechanisms is anticipated. RFC-1510, a standards-track
specification, documents the Kerberos Version 5 technology, based on
secret-key cryptography and contributed by the Massachusetts
Institute of Technology. RFC-1507, an experimental specification,
documents the Distributed Authentication Services technology, based
on X.509 public-key technology and contributed by Digital Equipment
Corporation.
References
[1] Kaufman, C., "Distributed Authentication Security Service", RFC
1507, Digital Equipment Corporation, September 1993.
[2] Linn, J., "Generic Security Service Application Program
Interface", RFC 1508, Geer Zolot Associates, September 1993.
[3] Wray, J., "Generic Security Service API : C-bindings", RFC 1509,
Digital Equipment Corporation, September 1993.
[4] Kohl, J., and C. Neuman, "The Kerberos Network Authentication
Service (V5)", Digital Equipment Corporation, USC/Information
Sciences Institute, September 1993.
Security Considerations
Security issues are discussed throughout the references.
Author's Address
John Linn
Geer Zolot Associates
One Main St.
Cambridge, MA 02142 USA
Phone: +1 617.374.3700
Email: Linn@gza.com