A client should evaluate the compound security mechanism definitions contained within the CompoundSecMechList in the TAG_CSI_SEC_MECH_LIST
component in an IOR to select a mechanism that supports the options required by the client.
The options supported by a compound mechanism are the union (the logical OR) of the options supported by the transport_mech,
as_context_mech, and sas_context_mech fields of the CompoundSecMech structure.
The following table gives the semantics of each combination of client-side association options (EstablishTrustInClient, IdentityAssertion, DelegationByClient) that can result from this union. Association options for server-to-client authentication (EstablishTrustInTarget) and for message protection add further semantics that are not represented in the table.
Table 24-18 Interpretation of Compound Mechanism Association Options

| Row | Semantic | EstablishTrustInClient supported | EstablishTrustInClient required | IdentityAssertion supported | DelegationByClient supported | DelegationByClient required |
|---|---|---|---|---|---|---|
| 1 | No client identification | | | | Don't care (2) | |
| 2 | Presumed trust | | | X | | |
| 3 | Authentication optional | X | | | Don't care | |
| 4 | Authentication optional, assertion supported | X | | X | | |
| 5 | Authentication required | X | X | | Don't care | |
| 6 | Authentication required, assertion supported | X | X | X | | |
| 7 | Presumed trust including support for provided target restrictions | | | X | X | |
| 8 | Authentication optional, assertion supported including forward trust rules | X | | X | X | |
| 9 | Authentication required, assertion supported including forward trust rules | X | X | X | X | |
| 10 | Presumed trust including support for provided target restrictions, delegation token required, which implies assertion required (1) | | | X | X | X |
| 11 | Authentication optional, assertion supported including forward trust rules, delegation token required, which implies either client authentication or assertion required | X | | X | X | X |
| 12 | Authentication required, delegation token required | X | X | | X | X |
| 13 | Authentication required, assertion supported including forward trust rules, delegation token required | X | X | X | X | X |

X marks an option that is set in the union; a blank cell marks an option that is not set; "Don't care" marks an option that may be set or not without changing the row's semantics.
1. If a delegation token is required, a non-anonymous client identity shall be established so that it can be endorsed by the delegation token. The same rule applies to row 11, and explains why there is no row that merely supports (rather than requires) client authentication, without also supporting identity assertion, and requires a delegation token: such a mechanism could be used by an anonymous client, leaving nothing for the token to endorse.
2. If DelegationByClient is supported, a delegation token may be provided, but it is not required to process the request.
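The following is an added example, not code from the CSIv2 specification or from any ORB, that implements both the selection rule at the top of this section (compute the union of the three layers' options and pick a mechanism the client can use) and the interpretation in Table 24-18. The CSIIOP::AssociationOptions bit values and the CompoundSecMech field names are the spec's; the `SecLayer` dataclass, the `interpret` and `select_mechanism` functions, and the mechanism list are this example's own simplifications (each layer is reduced to its target_supports/target_requires words, and the target's required options are assumed to be the OR of the layers' target_requires words, mirroring the union the text states for supported options). It also handles the combination footnote 1 says the table omits, returning no row for it.

```python
"""CSIv2 compound mechanism selection and Table 24-18 interpretation.
Added example with a simplified model of CompoundSecMech; the mechanism
list at the bottom is constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# CSIIOP::AssociationOptions constants (CSIv2 IDL).
NoProtection, Integrity, Confidentiality = 1, 2, 4
DetectReplay, DetectMisordering = 8, 16
EstablishTrustInTarget, EstablishTrustInClient = 32, 64
NoDelegation, SimpleDelegation, CompositeDelegation = 128, 256, 512
IdentityAssertion, DelegationByClient = 1024, 2048


@dataclass(frozen=True)
class SecLayer:
    """target_supports / target_requires of one layer (simplified stand-in for
    the transport TaggedComponent, AS_ContextSec and SAS_ContextSec)."""
    target_supports: int
    target_requires: int = 0


@dataclass(frozen=True)
class CompoundSecMech:
    transport_mech: SecLayer
    as_context_mech: SecLayer
    sas_context_mech: SecLayer


def supported_options(mech: CompoundSecMech) -> int:
    """Logical OR of the options supported by the transport, AS and SAS layers."""
    return (mech.transport_mech.target_supports
            | mech.as_context_mech.target_supports
            | mech.sas_context_mech.target_supports)


def required_options(mech: CompoundSecMech) -> int:
    """Assumption: the target's required options are the OR of the layers' target_requires."""
    return (mech.transport_mech.target_requires
            | mech.as_context_mech.target_requires
            | mech.sas_context_mech.target_requires)


# Table 24-18 rows. Pattern: (EstablishTrustInClient supported, EstablishTrustInClient
# required, IdentityAssertion supported, DelegationByClient supported, DelegationByClient
# required); None stands for a "Don't care" cell.
TABLE_24_18 = [
    (1, (False, False, False, None, False), "No client identification"),
    (2, (False, False, True, False, False), "Presumed trust"),
    (3, (True, False, False, None, False), "Authentication optional"),
    (4, (True, False, True, False, False), "Authentication optional, assertion supported"),
    (5, (True, True, False, None, False), "Authentication required"),
    (6, (True, True, True, False, False), "Authentication required, assertion supported"),
    (7, (False, False, True, True, False), "Presumed trust including support for provided target restrictions"),
    (8, (True, False, True, True, False), "Authentication optional, assertion supported including forward trust rules"),
    (9, (True, True, True, True, False), "Authentication required, assertion supported including forward trust rules"),
    (10, (False, False, True, True, True), "Presumed trust including support for provided target restrictions, delegation token required"),
    (11, (True, False, True, True, True), "Authentication optional, assertion supported including forward trust rules, delegation token required"),
    (12, (True, True, False, True, True), "Authentication required, delegation token required"),
    (13, (True, True, True, True, True), "Authentication required, assertion supported including forward trust rules, delegation token required"),
]


def interpret(supported: int, requires: int) -> Optional[Tuple[int, str]]:
    """Map a (supported, required) option pair to a row of Table 24-18. Returns None
    for a malformed pair (option required but not supported) and for combinations
    the table omits, e.g. authentication merely supported, no identity assertion,
    delegation token required: nothing then guarantees an identity to endorse."""
    if requires & ~supported:
        return None
    key = (bool(supported & EstablishTrustInClient), bool(requires & EstablishTrustInClient),
           bool(supported & IdentityAssertion),
           bool(supported & DelegationByClient), bool(requires & DelegationByClient))
    for row, pattern, semantic in TABLE_24_18:
        if all(p is None or p == k for p, k in zip(pattern, key)):
            return row, semantic
    return None


def select_mechanism(mech_list: List[CompoundSecMech], client_supports: int,
                     client_requires: int) -> Optional[CompoundSecMech]:
    """Client-side selection: first mechanism (list order is the target's preference)
    whose supported options cover what the client requires and whose required
    options the client can all supply."""
    for mech in mech_list:
        sup, req = supported_options(mech), required_options(mech)
        if (client_requires & ~sup) == 0 and (req & ~client_supports) == 0:
            return mech
    return None


# Constructed CompoundSecMechList: TLS-only, then TLS + GSSUP client auth + SAS layer.
MECH_TLS_ONLY = CompoundSecMech(
    SecLayer(Integrity | Confidentiality | EstablishTrustInTarget, Integrity | Confidentiality),
    SecLayer(0), SecLayer(0))
MECH_FULL = CompoundSecMech(
    SecLayer(Integrity | Confidentiality | EstablishTrustInTarget, Integrity | Confidentiality),
    SecLayer(EstablishTrustInClient, EstablishTrustInClient),
    SecLayer(IdentityAssertion | DelegationByClient))
MECH_LIST = [MECH_TLS_ONLY, MECH_FULL]

if __name__ == "__main__":
    for m in MECH_LIST:
        print(interpret(supported_options(m), required_options(m)))
```

With the constructed list, the TLS-only mechanism lands on row 1 and the full one on row 9; a client that requires EstablishTrustInClient skips the first entry and selects the second, while a client that cannot supply Confidentiality matches nothing and should refuse the IOR rather than fall back to an unlisted combination.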