Source: Meeting of the Internet Engineering Task Force; IETF

Independent Data Unit Protection Generic Security Service Application Program Interface (IDUP-GSS-API)


Abstract

The IDUP-GSS-API extends the GSS-API [RFC-2078] for applications requiring protection of a generic data unit (such as a file or message) in a way which is independent of the protection of any other data unit and independent of any concurrent contact with designated 'receivers' of the data unit. Thus, it is suitable for applications such as secure electronic mail where data needs to be protected without any on-line connection with the intended recipient(s) of that data. The protection offered by IDUP includes services such as data origin authentication with data integrity, data confidentiality with data integrity, and support for non-repudiation services. Subsequent to being protected, the data unit can be transferred to the recipient(s) - or to an archive - perhaps to be processed ('unprotected') only days or years later.

Throughout the remainder of this document, the 'unit' of data described in the above paragraph will be referred to as an IDU (Independent Data Unit). The IDU can be of any size (the application may, if it wishes, split the IDU into pieces and have the protection computed a piece at a time, but the resulting protection token applies to the entire IDU). However, the primary characteristic of an IDU is that it represents a stand-alone unit of data whose protection is entirely independent of any other unit of data. If an application protects several IDUs and sends them all to a single receiver, the IDUs may be unprotected by that receiver in any order over any time span; no logical connection of any kind is implied by the protection process itself.

As with RFC-2078, this IDUP-GSS-API definition provides security services to callers in a generic fashion, supportable with a range of underlying mechanisms and technologies and hence allowing source-level portability of applications to different environments. This specification defines IDUP-GSS-API services and primitives at a level independent of underlying mechanism and programming language environment, and is to be complemented by other, related specifications:

1. documents defining specific parameter bindings for particular language environments;
2. documents defining token formats, protocols, and procedures to be implemented in order to realize IDUP-GSS-API services atop