OSF DCE Application Development Guide--Core Components
25.3 Delegating Credentials
In delegation, an initiator forwards its identity to an acceptor so that the acceptor can use
the identity to act as an agent for the initiator. There are two forms of delegation:
— Impersonation delegation
— Traced delegation
25.3.1 Initiating a Security Context to Delegate Credentials
An application indicates that it wants to delegate credentials when it calls the
gss_init_sec_context() routine and sets the GSS_C_DELEG_FLAG flag to TRUE.
Notes added to the initiator’s login context can indicate the type of delegation used and
any restrictions in effect (for traced delegation only). If no delegation notes are included
with the login context and the GSS_C_DELEG_FLAG flag is set, impersonation
delegation is used.
25.3.2 Accepting a Security Context with Delegated Credentials
If the GSS_C_DELEG_FLAG flag has been set when the security context was initiated,
the gss_accept_sec_context() routine will pass a credential to the acceptor. The routine
does the following:
1. Uses information from the input token to create the appropriate delegated
credential
2. Creates an impersonation or traced delegation credential with an INITIATE
credential type
3. Passes the delegated INITIATE credential to the acceptor
The principal named in the delegated INITIATE credential is the name of the initiator
(for impersonation delegation) or the acceptor acting for the initiator (for traced
delegation). The acceptor uses the credential to act for the initiator, initiating security
contexts as appropriate.
25-4 Tandem Computers Incorporated 124245