JSR 72: Java^TM GSS API

Name of Contact Person: Mayank Upadhyay

E-Mail Address: mayank.upadhyay@sun.com

Telephone Number: +1 408 517 5956

Fax Number: +1 408 863 3155

Specification Lead: Mayank Upadhyay

E-Mail Address: mayank.upadhyay@sun.com

Telephone Number: +1 408 517 5956

Fax Number: +1 408 863 3155

Initial Expert Group Membership:

Section 2: Request

2.1 Please describe the proposed Specification:

This proposal is to define a Generic Security Services API (GSS-API) in Java. The GSS-API provides a layer of abstraction over security mechanisms that perform authentication, message integrity protection, and message privacy protection.

The GSS-API is defined by the Internet Engineering Task Force (IETF) in a language independent format in RFC 2743. The IETF has also defined a Java language binding for it in RFC 2853.

This proposal is to incorporate the high level mechanism independent Java API defined in RFC 2853, as is.

The reference implementation and the compatibility tests will be made available as part of the J2SE Merlin release.

2.2 What is the target Java platform? (i.e., desktop, server, personal, embedded, card, etc.)

Desktop, server.

2.3 What need of the Java community will be addressed by the proposed specification?

• Provides a Java API to OS security services such as Kerberos



• Provides for delegation of credentials that can be utilized for single sign-on into a network via a gateway



• Provides independence between those building and supplying security mechanisms and applications that use them

In addition to being a generic API for accessing security services, the GSS-API includes a some amount of protocol in that it uses well defined token formats for the transfer of data. Many protocol libraries such as LDAP v3 and IMAP that use SASL need the GSS-API format for interoperability with servers that use this technology.

2.4 Why isn't this need met by existing specifications?

There is no existing specification for accessing security mechanisms via GSS-API and creating GSS tokens.

2.5 Please give a short description of the underlying technology or technologies:

The GSS-API is a generic API that allows applications to call upon a range of security mechanisms for services like authentication, integrity, and privacy. Furthermore, the GSS-API separates the communication protocol from the security services. It returns tokens to the application that must be passed to the peer in some application level protocol. At the other end, the peer passes the incoming tokens to its GSS-API layer for processing.

There are various mechanisms that are designed to be used underneath GSS-API. Among them are the Kerberos v5 GSS-API Mechanism (RFC 1964), the Simple Public-Key GSS-API Mechanism (RFC 2025), LIPKEY - A Low Infrastructure Public Key Mechanism Using SPKM (RFC 2847), and the Simple and Protected GSS-API Negotiation Mechanism (RFC 2478).

A GSS-API implementation may support any set of mechanisms that it chooses. There are API's to query what mechanisms are available.

2.6 Is there a proposed package name for the API Specification? (i.e., javapi.something, org.something, etc.)

org.ietf.jgss

2.7 Does the proposed specification have any dependencies on specific operating systems, CPUs, or I/O devices that you know of?

No.

2.8 Are there any security issues that cannot be addressed by the current security model?

No.

2.9 Are there any internationalization or localization issues?

No.

2.10 Are there any existing specifications that might be rendered obsolete, deprecated, or in need of revision as a result of this work?

No.

2.11 Please describe the anticipated schedule for the development of this specification.

We will include a preliminary implementation of this API in Merlin Beta for prototyping purposes.

Section 3: Contributions

3.1 Please list any existing documents, specifications, or implementations that describe the technology. Please include links to the documents if they are publicly available.

• RFC 2743: Generic Security Service Application Program Interface Version 2, Update 1

  http://www.ietf.org/rfc/rfc2743.txt




• RFC 2853: Generic Security Service API Version 2 : Java bindings

  http://www.ietf.org/rfc/rfc2853.txt

3.2 Explanation of how these items might be used as a starting point for the work.

RFC 2743 explains the basic principles of the GSS-API. RFC 2853 specifies a detailed Java API and incorporates the Java security provider architecture. We will incorporate into the J2SE platform the classes and interfaces described in that document.