I just posted a new version of rfc5653bis. The major changes in this I-D (compared to RFC 5653) are:

1. public byte[] GSSException#getOutputToken(). If initSecContext or acceptSecContext fail, the exception could contain a token that can be sent to the peer. For Kerberos 5, this is normally a KRB-ERROR message.

2. All stream-based GSSContext methods are removed. Reason: "The wire protocol should be defined by an application and not a library. It's also impossible to implement these methods correctly when the token has no self-framing (where the end cannot be determined) or the library has no knowledge of the token format (for example, as a bridge talking to another GSS library)".

#1 above was already in draft-ietf-kitten-rfc5653bis-02; #2 is new in -03.

Thanks
Max

> Begin forwarded message:
>
> A new version of I-D, draft-ietf-kitten-rfc5653bis-03.txt
> has been successfully submitted by Wang Weijun and posted to the
> IETF repository.
>
> Name:           draft-ietf-kitten-rfc5653bis
> Revision:       03
> Title:          Generic Security Service API Version 2: Java Bindings Update
> Document date:  2016-04-05
> Group:          kitten
> Pages:          96
> URL:            https://www.ietf.org/internet-drafts/draft-ietf-kitten-rfc5653bis-03.txt
> Status:         https://datatracker.ietf.org/doc/draft-ietf-kitten-rfc5653bis/
> Htmlized:       https://tools.ietf.org/html/draft-ietf-kitten-rfc5653bis-03
> Diff:           https://www.ietf.org/rfcdiff?url2=draft-ietf-kitten-rfc5653bis-03
>
> Abstract:
> The Generic Security Services Application Program Interface (GSS-API)
> offers application programmers uniform access to security services
> atop a variety of underlying cryptographic mechanisms. This document
> updates the Java bindings for the GSS-API that are specified in
> "Generic Security Service API Version 2 : Java Bindings Update" (RFC
> 5653). This document obsoletes RFC 5653 by adding a new output token
> field to the GSSException class so that when the initSecContext or
> acceptSecContext methods of the GSSContext class fail it has a
> chance to emit an error token which can be sent to the peer for
> debugging or informational purposes. The stream-based GSSContext
> methods are also removed in this version.
>
> The GSS-API is described at a language-independent conceptual level
> in "Generic Security Service Application Program Interface Version 2,
> Update 1" (RFC 2743). The GSS-API allows a caller application to
> authenticate a principal identity, to delegate rights to a peer, and
> to apply security services such as confidentiality and integrity on a
> per-message basis. Examples of security mechanisms defined for GSS-
> API are "The Simple Public-Key GSS-API Mechanism" (RFC 2025) and "The
> Kerberos Version 5 Generic Security Service Application Program
> Interface (GSS-API) Mechanism: Version 2" (RFC 4121).
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
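The two changes above fit together on the acceptor side of context establishment: the application owns the wire framing (change #2), and on failure it can forward the error token left in the exception (change #1). The following is an added example, not code from the draft or from any GSS-API implementation; it assumes a provider that follows -03 and exposes GSSException.getOutputToken(), and it uses a hypothetical 4-byte big-endian length prefix as the application-defined framing.

```java
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.net.Socket;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;

public final class AcceptorLoop {

    // Upper bound on a framed token; assumed value, tune to the mechanisms in use.
    private static final int MAX_TOKEN = 64 * 1024;

    // Application-defined framing (assumption for this example): 4-byte big-endian
    // length followed by the raw token. With the stream-based GSSContext methods gone,
    // this is the application's job, not the library's.
    static void writeToken(DataOutputStream out, byte[] token) throws IOException {
        out.writeInt(token.length);
        out.write(token);
        out.flush();
    }

    static byte[] readToken(DataInputStream in) throws IOException {
        int len = in.readInt();
        // Reject absurd lengths before allocating, so a peer cannot force a huge buffer.
        if (len < 0 || len > MAX_TOKEN) {
            throw new IOException("token length " + len + " out of bounds");
        }
        byte[] token = new byte[len];
        in.readFully(token);
        return token;
    }

    /** Runs the acceptor side of context establishment over an already-connected socket. */
    static GSSContext accept(Socket sock, GSSCredential serverCred)
            throws IOException, GSSException {
        DataInputStream in = new DataInputStream(sock.getInputStream());
        DataOutputStream out = new DataOutputStream(sock.getOutputStream());
        GSSManager manager = GSSManager.getInstance();
        GSSContext ctx = manager.createContext(serverCred);
        try {
            while (!ctx.isEstablished()) {
                byte[] inTok = readToken(in);
                byte[] outTok = ctx.acceptSecContext(inTok, 0, inTok.length);
                // A null return means this round produced nothing to send.
                if (outTok != null) {
                    writeToken(out, outTok);
                }
            }
            return ctx;
        } catch (GSSException e) {
            // New in rfc5653bis: the failed acceptSecContext may leave an error token
            // (for Kerberos 5, normally a KRB-ERROR) in the exception. Forward it so the
            // peer sees a meaningful failure rather than a silent close, then re-throw.
            byte[] errTok = e.getOutputToken();
            if (errTok != null) {
                try {
                    writeToken(out, errTok);
                } catch (IOException ignored) {
                    // The connection is being torn down anyway; the GSSException is the
                    // error the caller needs to see.
                }
            }
            ctx.dispose();
            throw e;
        }
    }
}
```

The error token is sent only as a courtesy to the peer; the acceptor still disposes the half-built context and propagates the GSSException, so a failed exchange never leaves a usable context behind.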