|
Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), often pronounced "spen-go", is a GSSAPI "pseudo mechanism" used by client-server software to negotiate the choice of security technology. SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports. The pseudo-mechanism uses a protocol to determine what common GSSAPI mechanisms are available, selects one and then dispatches all further security operations to it. This can help organizations deploy new security mechanisms in a phased manner. SPNEGO's most visible use is in Microsoft's "HTTP Negotiate" authentication extension. It was first implemented in Internet Explorer 5.01 and IIS 5.0 and provided single sign-on capability later marketed as ''Integrated Windows Authentication''. The negotiable sub-mechanisms included NTLM and Kerberos, both used in Active Directory. The HTTP Negotiate extension was later implemented with similar support in: * Mozilla 1.7 beta〔(Mozilla bug 17578: I want Kerberos authentication and TGT forwarding )〕 * Mozilla Firefox 0.9 * Konqueror 3.3.1〔(【引用サイトリンク】 title=Konqueror has SPNEGO support )〕 * Google Chrome 6.0.472〔(【引用サイトリンク】 title=Support for SPNEGO authentication )〕 == History == # 19 February 1996 – Eric Baize and Denis Pinkas publish the Internet Draft ''Simple GSS-API Negotiation Mechanism'' (draft-ietf-cat-snego-01.txt). # 17 October 1996 – The mechanism is assigned the object identifier ''1.3.6.1.5.5.2'' and is abbreviated snego. # 25 March 1997 – Optimistic piggybacking of one mechanism's initial token is added. This saves a round trip. # 22 April 1997 – The "preferred" mechanism concept is introduced. The draft standard's name is changed from just "Simple" to "Simple and Protected" (spnego). # 16 May 1997 – Context flags are added (delegation, mutual auth, etc.). Defenses are provided against attacks on the new "preferred" mechanism. # 22 July 1997 – More context flags are added (integrity and confidentiality). # 18 November 1998 – The rules of selecting the common mechanism are relaxed. Mechanism preference is integrated into the mechanism list. # 4 March 1998 – An optimisation is made for an odd number of exchanges. The mechanism list itself is made optional. * Final December 1998 – DER encoding is chosen to disambiguate how the MIC is calculated. The draft is submitted for standardisation as RFC 2478. * October 2005 – Interoperability with Microsoft implementations is addressed. Some constraints are improved and clarified and defects corrected. Published as RFC 4178, although it is now non-interoperable with strict implementations of now-obsoleted RFC 2478. 抄文引用元・出典: フリー百科事典『 ウィキペディア(Wikipedia)』 ■ウィキペディアで「SPNEGO」の詳細全文を読む スポンサード リンク
|