Overview

The Simple Public-Key GSS-API Mechanism (SPKM)

Although the Kerberos Version 5 GSS-API Mechanism (KRB5) is becoming well-established in many environments, it is important in some applications to have a Generic Security Service Application Program Interface (GSS-API) mechanism that is based on a public-key, rather than a symmetric-key, infrastructure.
The Simple Public-Key GSS-API Mechanism has been proposed to meet this need and to provide the following features:
- The Simple Public-Key GSS-API Mechanism allows both unilateral and mutual authentication to be accomplished without the use of secure timestamps; freshness comes instead from random numbers that each peer chooses and the other must echo under its signature. This enables environments that do not have access to secure time to nevertheless have access to secure authentication.
- The Simple Public-Key GSS-API Mechanism uses Algorithm Identifiers (ASN.1 AlgorithmIdentifier values) to specify the various algorithms to be used by the communicating peers. This allows maximum flexibility for a variety of environments, for future enhancements, and for alternative algorithms. The flip side of that flexibility is that each peer must restrict which identifiers it is willing to accept, otherwise an active attacker can steer the exchange toward the weakest algorithm both sides support.
- The Simple Public-Key GSS-API Mechanism allows the option of a true, asymmetric-algorithm-based digital signature in the gss_sign() and gss_seal() operations (renamed gss_get_mic() and gss_wrap() in GSS-API Version 2, RFC 2078 and later RFC 2743), rather than an integrity checksum based on a MAC computed with a symmetric algorithm (e.g., DES). A MAC cannot support non-repudiation because both peers hold the key and either could have produced the checksum; for some environments, the availability of true digital signatures supporting non-repudiation is a necessity.
- The Simple Public-Key GSS-API Mechanism data formats and procedures are designed to be as similar to those of the Kerberos mechanism as is practical. This is done for ease of implementation in those environments where Kerberos has already been implemented.
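The following Go program is an added illustration of two of the points above, not code from RFC 2025 or from any SPKM implementation. It models the random-number-based mutual authentication of the first bullet (three signed tokens, named REQ, REP-TI and REP-IT here by analogy with SPKM's token names; no clock is consulted, and a replayed reply is caught because the echoed random number is stale) and the non-repudiation point of the third bullet (a MIC computed as an HMAC under a shared key verifies no matter which peer produced it, whereas a signed MIC verifies only against the signer's public key). The Peer type, the Ed25519 keys, the '|'-joined token body, the names alice@example.org and svc@example.org and the shared HMAC key are all assumptions made for the demo; real SPKM tokens are ASN.1 structures carrying X.509-certified keys.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Peer is a hypothetical principal holding an Ed25519 key pair; it stands in
// for the certified public key an SPKM peer would present. Demo code only.
type Peer struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewPeer(name string) (*Peer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Peer{Name: name, Pub: pub, priv: priv}, nil
}

// token is a simplified signed context-establishment token. The signed body is
// a '|'-joined string; nonces are hex-encoded so they cannot contain the separator.
type token struct {
	Kind       string // "REQ", "REP-TI" or "REP-IT" (names chosen for the demo)
	Ri, Rt     []byte // initiator's and target's random numbers (nil if absent)
	Init, Targ string
	Sig        []byte
}

func (t *token) body() []byte {
	return []byte(fmt.Sprintf("%s|%x|%x|%s|%s", t.Kind, t.Ri, t.Rt, t.Init, t.Targ))
}

func (p *Peer) sign(t *token) *token { t.Sig = ed25519.Sign(p.priv, t.body()); return t }

func nonce() []byte {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// Step 1: the initiator picks a fresh Ri and signs the request.
func (p *Peer) MakeReq(target string) (*token, []byte) {
	ri := nonce()
	return p.sign(&token{Kind: "REQ", Ri: ri, Init: p.Name, Targ: target}), ri
}

// Step 2: the target checks the request, echoes Ri and adds its own Rt.
func (p *Peer) AnswerReq(req *token, initPub ed25519.PublicKey) (*token, []byte, error) {
	if req.Kind != "REQ" || req.Targ != p.Name || !ed25519.Verify(initPub, req.body(), req.Sig) {
		return nil, nil, errors.New("REQ rejected: wrong target or bad signature")
	}
	rt := nonce()
	return p.sign(&token{Kind: "REP-TI", Ri: req.Ri, Rt: rt, Init: req.Init, Targ: p.Name}), rt, nil
}

// Step 3: the initiator accepts the reply only if it echoes the Ri chosen in
// this run. That comparison, not a timestamp, is what defeats replay.
func (p *Peer) FinishInit(rep *token, ri []byte, targPub ed25519.PublicKey) (*token, error) {
	if rep.Kind != "REP-TI" || rep.Init != p.Name || !ed25519.Verify(targPub, rep.body(), rep.Sig) {
		return nil, errors.New("REP-TI rejected: wrong initiator or bad signature")
	}
	if !bytes.Equal(rep.Ri, ri) {
		return nil, errors.New("REP-TI echoes a stale Ri: replay or wrong run")
	}
	return p.sign(&token{Kind: "REP-IT", Rt: rep.Rt, Init: p.Name, Targ: rep.Targ}), nil
}

// Step 4: the target checks that its own Rt came back under the initiator's signature.
func (p *Peer) FinishTarg(rep *token, rt []byte, initPub ed25519.PublicKey) error {
	if rep.Kind != "REP-IT" || rep.Targ != p.Name || !ed25519.Verify(initPub, rep.body(), rep.Sig) {
		return errors.New("REP-IT rejected: wrong target or bad signature")
	}
	if !bytes.Equal(rep.Rt, rt) {
		return errors.New("REP-IT echoes a stale Rt")
	}
	return nil
}

// Handshake runs the full mutual exchange between alice (initiator) and svc (target).
func Handshake(alice, svc *Peer) error {
	req, ri := alice.MakeReq(svc.Name)
	repTI, rt, err := svc.AnswerReq(req, alice.Pub)
	if err != nil {
		return err
	}
	repIT, err := alice.FinishInit(repTI, ri, svc.Pub)
	if err != nil {
		return err
	}
	return svc.FinishTarg(repIT, rt, alice.Pub)
}

// ReplayedReply feeds a genuine REP-TI captured in an earlier run into a new run.
// The signature still verifies, but the stale Ri is caught; returns that error.
func ReplayedReply(alice, svc *Peer) error {
	oldReq, _ := alice.MakeReq(svc.Name)
	oldRep, _, _ := svc.AnswerReq(oldReq, alice.Pub)
	_, ri := alice.MakeReq(svc.Name) // new run; the attacker answers it with oldRep
	_, err := alice.FinishInit(oldRep, ri, svc.Pub)
	return err
}

// SignedMIC returns (alice's own MIC verifies under alice's key, a MIC that svc
// signed verifies under alice's key). Expected: (true, false).
func SignedMIC(alice, svc *Peer, msg []byte) (bool, bool) {
	return ed25519.Verify(alice.Pub, msg, ed25519.Sign(alice.priv, msg)),
		ed25519.Verify(alice.Pub, msg, ed25519.Sign(svc.priv, msg))
}

// MACForgedBySvc: svc computes an HMAC MIC over msg under the shared key and
// alice's verifier (same key, same computation) accepts it, so a MAC cannot
// attribute a message to one peer. Expected: true.
func MACForgedBySvc(shared, msg []byte) bool {
	h := hmac.New(sha256.New, shared)
	h.Write(msg)
	fromSvc := h.Sum(nil)
	v := hmac.New(sha256.New, shared)
	v.Write(msg)
	return hmac.Equal(v.Sum(nil), fromSvc)
}

func main() {
	alice, _ := NewPeer("alice@example.org")
	svc, _ := NewPeer("svc@example.org")
	fmt.Println("handshake error:", Handshake(alice, svc))
	fmt.Println("replayed REP-TI error:", ReplayedReply(alice, svc))
	g, f := SignedMIC(alice, svc, []byte("transfer 10"))
	fmt.Println("signed MIC: genuine", g, "forged by target", f)
	fmt.Println("HMAC MIC forged by target accepted:", MACForgedBySvc([]byte("shared-key"), []byte("transfer 10")))
}
```

Two design points carry over to real deployments. First, the nonce check in FinishInit is only as strong as the nonce: it must come from a cryptographic generator and be long enough that an attacker cannot bank replies against future values. Second, the non-repudiation property depends on the verifier holding only the signer's public key; once a symmetric key is shared for performance (as SPKM does after context establishment for ordinary traffic), per-message MICs computed under it are again deniable.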