

24.2.6 Principal Names and Distinguished Names


   Principal names are carried in EstablishContext messages of the SAS protocol, where they may appear in the identity_token (the ITTPrincipalName discriminated type of an IdentityTokenType) or in the client_authentication_token, which is a GSS initial context token.

   Principal names are also present in the compound mechanisms defined within a TAG_CSI_SEC_MECH_LIST tagged component within IORs. The target_name field of the AS_ContextSec structure may contain a sequence of principal names corresponding to the authentication identities of the target (see “struct AS_ContextSec” on page 24-39). A principal name may be used as one variant of the ServiceSpecificName form used to identify one of the privilege_authorities within the SAS_ContextSec structure of a compound mechanism definition within a target IOR (see “struct SAS_ContextSec” on page 24-40).

   The principal names appearing in initial context tokens are in mechanism-specific (that is, internal) form. They may be converted to the GSS mechanism-independent exported name object format (that is, external form) by calling the mechanism-specific implementation of GSS_Export_name; the inverse translation is performed by the mechanism-specific implementation of GSS_Import_name. A mechanism-specific implementation of GSS_Display_name allows its caller to convert an internal name representation into a printable form with an associated mechanism type identifier.⁷

   The principal names in identity tokens, those in the target_name field of AS_ContextSec structures, and those in the privilege_authorities field of SAS_ContextSec structures are all in external form (GSS_NT_ExportedName), and may be converted to internal form by calling the appropriate mechanism-specific GSS_Import_name function.
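   The external form referred to above is the mechanism-independent exported name object format defined in RFC 2743 section 3.2: a two-byte token id 0x04 0x01, a two-byte big-endian length and the DER encoding of the mechanism OID, then a four-byte big-endian length and the mechanism-specific name bytes. The following Python is an added illustration, not code from the CORBA specification or any GSS implementation: it builds and strictly parses such a token so that the bytes carried in a target_name, privilege_authorities entry or identity_token can be recognised and validated before use. The Kerberos V5 mechanism OID (1.2.840.113554.1.2.2) is a real, well-known value; the principal name alice@EXAMPLE.COM is a constructed sample.

```python
import struct

# Real, well-known mechanism OID (RFC 1964); the name below it is a constructed sample.
KRB5_MECH_OID = "1.2.840.113554.1.2.2"
SAMPLE_NAME = b"alice@EXAMPLE.COM"

EXPORTED_NAME_TOK_ID = b"\x04\x01"   # RFC 2743 section 3.2 token identifier


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID, including the 0x06 tag and short-form length."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))   # continuation bit on all but the last 7-bit group
            arc >>= 7
        body.extend(reversed(chunk))
    if len(body) >= 128:
        raise ValueError("OID too long for short-form length")
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(der: bytes) -> str:
    """Decode a DER OID, rejecting bad tags, bad lengths and a truncated final arc."""
    if len(der) < 3 or der[0] != 0x06 or der[1] != len(der) - 2:
        raise ValueError("malformed OID encoding")
    body = der[2:]
    if body[-1] & 0x80:
        raise ValueError("truncated OID arc")
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def export_name(mech_oid: str, name: bytes) -> bytes:
    """Wrap a mechanism-specific name in the GSS exported name object format."""
    oid_der = encode_oid(mech_oid)
    return (EXPORTED_NAME_TOK_ID
            + struct.pack(">H", len(oid_der)) + oid_der
            + struct.pack(">I", len(name)) + name)


def import_name(token: bytes) -> tuple[str, bytes]:
    """Parse an exported name token; every length field is checked against the buffer."""
    if len(token) < 8 or token[:2] != EXPORTED_NAME_TOK_ID:
        raise ValueError("not a GSS exported name token")
    oid_len = struct.unpack(">H", token[2:4])[0]
    oid_end = 4 + oid_len
    if len(token) < oid_end + 4:
        raise ValueError("token truncated inside mechanism OID or name length")
    mech = decode_oid(token[4:oid_end])
    name_len = struct.unpack(">I", token[oid_end:oid_end + 4])[0]
    name = token[oid_end + 4:oid_end + 4 + name_len]
    if len(name) != name_len:
        raise ValueError("declared name length exceeds token")
    if len(token) != oid_end + 4 + name_len:
        raise ValueError("trailing bytes after name")
    return mech, name


def is_valid_exported_name(token: bytes) -> bool:
    """True if the token parses cleanly; lets callers reject malformed names up front."""
    try:
        import_name(token)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    tok = export_name(KRB5_MECH_OID, SAMPLE_NAME)
    print(tok.hex())
    print(import_name(tok))
```

   The parser is deliberately strict: it refuses tokens whose length fields overrun the buffer and tokens with bytes left over after the name, since a name that is silently truncated or padded can be matched against the wrong authentication identity. Whether the mechanism OID it returns is one the receiver actually supports is a separate check the caller must make.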

   Distinguished names may appear within an identity token, either as an asserted identity or indirectly as the subject distinguished name within an asserted X.509 Identity Certificate. Distinguished names may also be derived from the underlying transport authentication layer if client authentication is done using SSL certificates. Distinguished names may also be used as a form of GeneralName in the GeneralNames variant of the ServiceSpecificName type. The ServiceSpecificName type is used to identify privilege_authorities within the SAS_ContextSec structure of a compound mechanism definition within a target IOR.