
DOI: https://doi.org/10.17487/RFC5896
Discuss this RFC: Send questions or comments to the mailing list iesg@ietf.org
Several Generic Security Service Application Program Interface (GSS-API) applications work in a multi-tiered architecture, where the server takes advantage of delegated user credentials to act on behalf of the user and contact additional servers. In effect, the server acts as an agent on behalf of the user. Examples include web applications that need to access e-mail or file servers, including CIFS (Common Internet File System) file servers. However, delegating the user credentials to a party who is not sufficiently trusted is problematic from a security standpoint. Kerberos provides a flag called OK-AS-DELEGATE that allows the administrator of a Kerberos realm to communicate that a particular service is trusted for delegation. This specification adds support for this flag and similar facilities in other authentication mechanisms to GSS-API (RFC 2743). [STANDARDS-TRACK]
For the definition of Status, see RFC 2026.
For the definition of Stream, see RFC 8729.