| Previous | Table of Contents | Next |
The SAS protocol is designed to exchange its protocol elements in the service context of GIOP request and reply messages that
are communicated over a connection-based transport. The protocol is intended to be used in environments where transport layer
security, such as that available via SSL/TLS or SECIOP, is used to provide message
July 2002 Common Object Request Broker Architecture (CORBA), v3.0 24-1
protection (that is, integrity and or confidentiality) and server-to-client authentication. The protocol provides client authentication,
delegation, and privilege functionality that may be applied to overcome corresponding deficiencies in an underlying transport.1
The SAS protocol facilitates interoperability by serving as the higher-level protocol under which secure transports may be
unified.
The SAS protocol is divided into two layers:
• The authentication layer is used to perform client authentication where sufficient authentication could not be accomplished in the transport.
• The attribute layer may be used by a client to push (that is, deliver) security attributes (identity and privilege) to a target where they may be applied in access control decisions.
The attribute layer also provides a means for a client to assert identity attributes that differ from the client’s authentication
identity (as established in the transport and/or SAS authentication layers). This identity assertion capability is the foundation
of a general-purpose impersonation mechanism that makes it possible for an intermediate to act on behalf of some identity
other than itself. An intermediate’s authority to act on behalf of another identity may be based on trust by the target in
the intermediate, or on trust by the target in a privilege authority that endorses the intermediate to act as proxy for the
asserted identity. Identity assertion may be used by an intermediate to assume the identity of its callers in its calls.
The SAS protocol is modeled after the Generic Security Service API (GSSAPI) token exchange paradigm. A client initiates a
context exchange by including a protocol element in the service context of its request that instructs the target to initiate
a security context. The target either rejects or accepts the context.2 When a target rejects a context, the target will reject
the request and return an exception that contains a SAS protocol element that identifies the reason the context was rejected.
When a target accepts a context, the reply to the request will carry a SAS protocol element that indicates that the context
was accepted.
The SAS protocol element sent to initiate a security context carries layer-specific security tokens as necessary to establish
the SAS authentication-layer and attribute-layer functionality corresponding to the context. Standard token formats are employed
to represent the layer-specific authentication and attribute tokens. If the context includes SAS authentication-layer functionality,
the protocol element will contain a mechanism-specific GSSAPI initial context token that authenticates the client to the target.
If the context includes attribute-layer privilege attributes (and possibly proxy
1. For example, the SSL/TLS protocol does not enforce client authentication. Moreover, in a given environment, certificate-based client authentication may not be feasible because clients often do not have a certificate.
2. In the GSSAPI protocol, a target can challenge a client for additional context-establishment information. This is not true of the SAS context protocol, which assumes that at most one message in each direction may be used to establish a context.
endorsements), they will be contained in an attribute certificate signed by a privilege authority and corresponding to the
subject of the invocation. If the context includes an attribute-layer identity assertion, the asserted identity will be represented
in a standard name form corresponding to the technology domain of the asserted identity.
The SAS protocol supports the establishment of both transient and reusable security contexts. Transient contexts, also known
as stateless contexts, exist only for the duration of the GIOP request that was used to establish the context. Reusable contexts,
also known as stateful contexts, endure until they are discarded, and can be referenced for use with subsequent requests.
The SAS protocol includes a simple negotiation protocol that defines a least-common-denominator form of interoperability between
implementations that support only transient contexts and those that support both transient and reusable forms.