An identity token is used in an EstablishContext message to carry a “spoken for” or asserted identity. The following table lists the five identity token types and defines the type of identity value that may be carried by each of the token types. In addition to the identity token types described in the following table, the IdentityTokenType as defined in Section 24.9.2, “Module CSI - Common Secure Interoperability,” on page 24-59 provides for the definition of additional CSIv2 identity token types through the default selector of the IdentityToken union type. Additional standard identity token types shall only be defined by the OMG. All IdentityTokenType constants shall be a power of 2.
Table 24-2 Identity Token Types

| IdentityTokenType (Union Discriminator) | Meaning |
|---|---|
| ITTAbsent | Identity token is absent; the message conveys no representation of identity assertion |
| ITTAnonymous | Identity token is being used to assert a valueless representation of an unauthenticated caller |
| ITTPrincipalName | Identity token contains an encapsulation octet stream containing a GSS mechanism-independent exported name object as defined in [IETF RFC 2743] |
| ITTDistinguishedName | Identity token contains an encapsulation octet stream containing an ASN.1 encoding of an X.501 distinguished name |
| ITTX509CertChain | Identity token contains an encapsulation octet stream containing an ASN.1 encoding of a chain of X.509 identity certificates |
Identity tokens of type ITTX509CertChain contain an ASN.1 encoding of a sequence of 1 or more X.509 certificates. The asserted
identity may be extracted as a distinguished name from the subject field of the first certificate. Subsequent certificates
shall directly certify the certificate they follow. The ASN.1 encoding of identity tokens of this type is defined as follows:
CertificateChain ::= SEQUENCE SIZE (1..MAX) OF Certificate
Interpretation of identity tokens that carry a GSS mechanism-independent exported name object (that is, an identity token
type of ITTPrincipalName) is dependent on support for GSS mechanism-specific name manipulation functionality.
When a TSS rejects a request because it carries an identity token constructed using an identity type or naming mechanism that
is not supported by the target, the TSS shall return a ContextError service context element containing major and minor status
codes indicating the mechanism was invalid.
Asserting entities may choose to overcome limitations in a target’s supported mechanisms by mapping GSS mechanism-specific
identities to distinguished names or certificates. The specifics of such mapping mechanisms are outside the scope of this
specification.
GSS Exported Name Object Form for GSSUP Mechanism
The mechanism OID within the exported name object shall be that of the GSSUP mechanism.
{ iso-itu-t (2) international-organization (23) omg (130) security (1) authentication (1) gssup-mechanism (1) }
The name component within the exported name object shall be a contiguous string conforming to the syntax of the scoped-username GSS name form. The encoding of GSS mechanism-independent exported name objects is defined in [IETF RFC 2743].
Scoped-Username GSS Name Form
The scoped-username GSS name form is defined as follows, where name_value and name_scope contain a sequence of 1 or more UTF8 encoded characters.
scoped-username ::= name_value | name_value@name_scope | @name_scope
The '@' character shall be used to delimit name_value from name_scope. All non-delimiter instances of '@' and all non-quoting
instances of '\' shall be quoted with an immediately-preceding '\'. Except for these cases, the quoting character, '\', shall
not be emitted within a scoped-username.
The Object Identifier corresponding to the GSS scoped-username name form is:
{ iso-itu-t (2) international-organization (23) omg (130) security (1) naming (2) scoped-username(1) }
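The two preceding sections, the GSS exported name object form for GSSUP and the scoped-username name form, are illustrated by the following added example, which is not part of the specification or of any OMG implementation. It DER-encodes the gssup-mechanism OID given above, builds and splits scoped-usernames with the '@' delimiter and '\' quoting rules, and wraps the result in the RFC 2743 exported name layout (token id 04 01, 2-byte OID length, DER OID, 4-byte name length, name); the function names and the sample names in the usage are the author's own constructions, and an exported name that fails the mechanism OID check is what a TSS would answer with a ContextError.

```python
import re

GSSUP_OID_ARCS = (2, 23, 130, 1, 1, 1)  # gssup-mechanism OID from the page: 2.23.130.1.1.1

def der_oid(arcs):
    """DER-encode an OID: arcs 1-2 merge into one byte, later arcs are base-128 with continuation bits."""
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        body.extend(chunk)
    return bytes([0x06, len(body)]) + bytes(body)

def make_scoped_username(name_value='', name_scope=''):
    """name_value, name_value@name_scope or @name_scope, quoting '\\' and '@' inside either component."""
    quote = lambda c: c.replace('\\', '\\\\').replace('@', '\\@')
    return quote(name_value) + ('@' + quote(name_scope) if name_scope else '')

def split_scoped_username(s):
    """Inverse of make_scoped_username; rejects a stray '\\' and more than one unquoted '@'."""
    tokens = re.findall(r'\\[@\\]|[^\\]', s)  # one token per quoted pair or plain character
    if ''.join(tokens) != s:
        raise ValueError("'\\' may only quote '@' or '\\'")
    parts = [[]]
    for tok in tokens:
        if tok == '@':
            parts.append([])
        else:
            parts[-1].append(tok[-1])  # tok[-1] drops the quoting '\\' when present
    if len(parts) > 2 or not parts[-1]:  # two delimiters, empty scope after '@', or empty name
        raise ValueError('malformed scoped-username: %r' % s)
    return ''.join(parts[0]), (''.join(parts[1]) if len(parts) == 2 else '')

def export_name(scoped_username):
    """RFC 2743 exported name: 04 01 | 2-byte OID length | DER OID | 4-byte name length | UTF-8 name."""
    oid, name = der_oid(GSSUP_OID_ARCS), scoped_username.encode('utf-8')
    return b'\x04\x01' + len(oid).to_bytes(2, 'big') + oid + len(name).to_bytes(4, 'big') + name

def import_name(blob):
    """Check token id, GSSUP OID and length fields, then return the scoped-username string."""
    oid_len = int.from_bytes(blob[2:4], 'big')
    name_len = int.from_bytes(blob[4 + oid_len:8 + oid_len], 'big')
    name = blob[8 + oid_len:8 + oid_len + name_len]
    if blob[:2] != b'\x04\x01' or blob[4:4 + oid_len] != der_oid(GSSUP_OID_ARCS) or len(name) != name_len:
        raise ValueError('not a complete exported name for the GSSUP mechanism')  # a TSS answers ContextError
    return name.decode('utf-8')
```

The exported name for the constructed user 'alice' in scope 'example.org' round-trips through export_name and import_name, while a name whose OID field is not the GSSUP OID is rejected before any name bytes are interpreted.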