This form contains a series of questions that need to be answered. As you go about answering the questions, please keep the following things in mind:
While it is not required that each question be answered at this time, all questions must have answers before the response is submitted to The Open Group for review and publication.
Press the "Save" button at any time to save work in progress. Once the work has been saved, there is the option to continue editing if required.
Many questions have instructions to assist in development of answers. They are marked with the indicator. Please look at the instructions carefully.
Although HTML markup can be included in answers, this is not recommended apart from basic tags such as <p> and <br>, since incorrect markup could affect the format of other items in the document.
Questions on this system should be addressed to the Conformance Statement manager at The Open Group.
Enter the name of the Organization that produced the implementation and the name of the author of the Conformance Statement.
A product may be registered in all members of a binary-compatible family of products on the basis of a single test report.
Answer the questions for each binary-compatible family. Alternately, provide the answers in the Appendix at the end of this document.
Question 1: What security mechanisms are supported?
Response
For each supported mechanism, enter the mechanism's name, object identifier (oid) and a reference to a published mechanism. In the description box, enter a short description of the mechanism and answer the following questions:
State which features (of delegation, mutual authentication, replay detection, out-of-sequence message detection, message integrity, confidentiality) are supported.
State whether additional token exchanges may be performed in the course of context establishment (using gss_s_continue_needed).
Describe all the qualities of protection that the mechanism supports and give the numerical values that identify them in C language binding function arguments.
State what the default quality of protection is.
Describe all the name formats that can be used in conjunction with the mechanism, in particular giving the oids associated with them and the character sets and encodings that they use.
List and describe all the minor status codes associated with the mechanism, giving the numerical values returned by the functions in the C language binding.
Define all concrete data element formats. In particular, the formats of all tokens that can be exchanged between peer applications must be specified in detail.
Describe any constraints on channel binding formats, including any constraints on addresses and address types that may appear in them.
State whether expiration of credentials is supported and, if so, give the default expiration time.
Rationale
A conformant implementation must provide reference to the published specifications that give a complete description of the security mechanism or mechanisms concerned. The referenced material must address the following areas of rationale:
Reference
See the following sections of the X/Open CAE Specification, Generic Service API (GSS-API) Base:
Question 2: What is the default mechanism?
For desired_mechs, the empty set requests a system-selected default.
GSS_C_NULL_OID_SET may be used to obtain an implementation-specific default mechanism.
X/Open CAE Specification, Generic Service API (GSS-API) Base, Section 2.7.4, Mechanism Types, Section 3.1, Credential-management Calls and Chapter 8, C-language Reference Manual Pages, gss_acquire_cred().
Question 3: Does the implementation provide Confidentiality Services?
Yes No
GSS-API implementations may optionally include Confidentiality Services, which allow a context initiator to confidentiality-protect its data sent to a context acceptor.
X/Open Component Definition, Secure Communication Services. See also X/Open CAE Specification, Generic Service API (GSS-API) Base, Section 2.3, GSS-API (Base) - Conformance.
Question 4: Does the implementation include Delegation Services?
GSS-API implementations may optionally provide Delegation Services, which allow a context initiator to delegate its credentials to a context acceptor.
Question 5: Does the implementation support multiple name spaces?
An implementation may support names drawn from multiple name spaces.
X/Open CAE Specification, Generic Service API (GSS-API) Base, Section 2.7.5, Naming and Section 7.10, Names.
Question 6: If the answer to Question 5 is yes, and the name spaces are in-built rather than user definable, what are their identification details?
For each supported name space, enter its name, object identifier (oid), the character set it uses (e.g. BASIC LATIN), the character set encoding (e.g. ASCII) and a brief description.
The syntax of a printable name, as defined by the implementation, may be dependent on the local system configuration or on individual user preference. Where multiple name spaces are supported, the internal form of the name must include fields that identify the name space from which the name is drawn. The name from which a printable name is drawn is specified by an accompanying object identifier.
Question 7: What access-control policy is applied by gss_acquire_cred()?
GSS-API implementations shall impose a local access-control policy on callers of this function.
X/Open CAE Specification, Generic Service API (GSS-API) Base, Section 2.7.1, Credentials and Chapter 8, C-language Reference Manual Page, gss_acquire_cred().
Question 8: Does the implementation allow the gss_process_context_token() function to be used for deleting security context?
There are two methods of deleting security context, the second of which is optional:
X/Open CAE Specification, Generic Service API (GSS-API) Base, Chapter 8, C-language Reference Manual Pages, gss_process_context_token() and gss_delete_sec_context().
Question 9: If the answer to Question 8 is yes, in what ways does the effect of using one method vary as compared with the other? For example, is one method less secure than the other?
Please enter the differences starting on the next blank line below. If there is no difference in effect between the two methods of deleting security context, then simply enter the following text: The effect is the same, whichever of the two methods is used to delete security context.
See Question 8 above.