Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), often pronounced "spenay-go", is a GSSAPI "pseudo mechanism" used by client-server software to negotiate the choice of security technology. SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports. The pseudo-mechanism uses a protocol to determine what common GSSAPI mechanisms are available, selects one and then dispatches all further security operations to it. This can help organizations deploy new security mechanisms in a phased manner.
19 February 1996 – Eric Baize and Denis Pinkas publish the Internet Draft Simple GSS-API Negotiation Mechanism (draft-ietf-cat-snego-01.txt).
17 October 1996 – The mechanism is assigned the object identifier 1.3.6.1.5.5.2 and is abbreviated snego.
25 March 1997 – Optimistic piggybacking of one mechanism's initial token is added. This saves a round trip.
22 April 1997 – The "preferred" mechanism concept is introduced. The draft standard's name is changed from just "Simple" to "Simple and Protected" (spnego).
16 May 1997 – Context flags are added (delegation, mutualauth, etc.). Defenses are provided against attacks on the new "preferred" mechanism.
18 November 1998 – The rules of selecting the common mechanism are relaxed. Mechanism preference is integrated into the mechanism list.
4 March 1998 – An optimisation is made for an odd number of exchanges. The mechanism list itself is made optional.
December 1998 (Final) – DER encoding is chosen to disambiguate how the MIC is calculated. The draft is submitted for standardisation as RFC 2478.
October 2005 – Interoperability with Microsoft implementations is addressed. Some constraints are improved and clarified and defects corrected. Published as RFC 4178, although it is now non-interoperable with strict implementations of now-obsoleted RFC 2478.
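
The negotiation described above can be observed directly in the first token a client sends. The following is an added example, not code from the original article or from any SPNEGO implementation: it checks a GSS-API initial token for the SPNEGO object identifier 1.3.6.1.5.5.2, reads the DER-encoded mechanism list in the initiator's preference order, and picks a common mechanism. The sample token, the function names, and the first-match selection policy are assumptions of this example; the two offered OIDs are those of Kerberos V5 and NTLMSSP.

```python
SPNEGO_OID = "1.3.6.1.5.5.2"  # object identifier given on this page
# Constructed sample: SPNEGO initial token offering Kerberos V5, then NTLMSSP.
SAMPLE = bytes.fromhex("602706062b0601050502a01d301ba0193017"
                       "06092a864886f712010202060a2b06010401823702020a")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos."""
    # Unpacking raises ValueError if the two-byte header is truncated.
    (tag, length), pos = buf[pos:pos + 2], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("invalid DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    if not arcs:
        raise ValueError("empty OID")
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def offered_mechs(token):
    """Return the initiator's mechanism OIDs in preference order."""
    tag, body, _ = read_tlv(token, 0)   # [APPLICATION 0] GSS-API framing
    tag2, oid, pos = read_tlv(body, 0)  # thisMech OID
    if (tag, tag2) != (0x60, 0x06) or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("not a SPNEGO initial context token")
    for want in (0xA0, 0x30, 0xA0, 0x30):  # negTokenInit, SEQUENCE, mechTypes, SEQUENCE OF
        (tag, body, _), pos = read_tlv(body, pos), 0
        if tag != want:
            raise ValueError(f"expected tag {want:#x}, got {tag:#x}")
    mechs = []
    while pos < len(body):
        tag, oid, pos = read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("mechTypes entry is not an OID")
        mechs.append(decode_oid(oid))
    return mechs

def select_mech(offered, acceptor_supports):
    """Assumed policy: first offered mechanism the acceptor supports."""
    return next((m for m in offered if m in acceptor_supports), None)
```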