{"draft":"draft-lha-gssapi-delegate-policy-05","doc_id":"RFC5896","title":"Generic Security Service Application Program Interface (GSS-API): Delegate if Approved by Policy","authors":["L. Hornquist Astrand","S. Hartman"],"format":["ASCII","HTML"],"page_count":"6","pub_status":"PROPOSED STANDARD","status":"PROPOSED STANDARD","source":"IETF - NON WORKING GROUP","abstract":"Several Generic Security Service Application Program Interface\r\n(GSS-API) applications work in a multi-tiered architecture, where the\r\nserver takes advantage of delegated user credentials to act on behalf\r\nof the user and contact additional servers.  In effect, the server\r\nacts as an agent on behalf of the user.  Examples include web\r\napplications that need to access e-mail or file servers, including\r\nCIFS (Common Internet File System) file servers.  However, delegating\r\nthe user credentials to a party who is not sufficiently trusted is\r\nproblematic from a security standpoint.  Kerberos provides a flag\r\ncalled OK-AS-DELEGATE that allows the administrator of a Kerberos\r\nrealm to communicate that a particular service is trusted for\r\ndelegation.  This specification adds support for this flag and\r\nsimilar facilities in other authentication mechanisms to GSS-API (RFC\r\n2743).  [STANDARDS-TRACK]","pub_date":"June 2010","keywords":["[--------]"],"obsoletes":[],"obsoleted_by":[],"updates":["RFC2743","RFC2744","RFC4120","RFC4121"],"updated_by":[],"see_also":[],"doi":"10.17487\/RFC5896","errata_url":"https:\/\/www.rfc-editor.org\/errata\/rfc5896"}