

24.6.1 Conformance Level 0


   Level 0 defines the base level of secure interoperability that all implementations are required to support. Level 0 requires support for SSL/TLS protected connections. Level 0 implementations are also required to support username/password client authentication and identity assertion by using the service context protocol defined in this specification.

   24.6.1.1 Transport-Layer Requirements

   Implementations shall support the Security Attribute Service (SAS) protocol within the service context lists of GIOP request and reply messages exchanged over SSL 3.0 and TLS 1.0 protected connections.

   Implementations shall also support the SAS protocol within the service context lists of GIOP request and reply messages over unprotected transports defined within IIOP.[12]

   [12] SAS protocol elements should only be sent over unprotected transports within trusted environments.

   Required Ciphersuites

   Conforming implementations are required to support both SSL 3.0 and TLS 1.0 and the mandatory TLS 1.0 ciphersuites identified in [IETF RFC 2246]. Conforming implementations are also required to support the SSL 3.0 ciphersuites corresponding to the mandatory TLS 1.0 ciphersuites.

   An additional set of recommended ciphersuites is identified in Section 24.4.2.1, “Recommended SSL/TLS Ciphersuites,” on page 24-31.

   24.6.1.2 Service Context Protocol Requirements

   All implementations shall support the Security Attribute Service (SAS) context element protocol in the manner described in the following sections.

   Stateless Mode

   All implementations shall support the stateless CSS and stateless TSS modes of operation as defined in Section 24.3.2, “Session Semantics,” on page 24-21, and in the protocol message definitions appearing in Section 24.2.2, “SAS context_data Message Body Types,” on page 24-5.

   Client Authentication Tokens and Mechanisms

   All implementations shall support the username password (GSSUP) mechanism for client authentication as defined in Section 24.2.4.1, “Username Password GSS Mechanism (GSSUP),” on page 24-12.

   Identity Tokens and Identity Assertion

   All implementations shall support the identity assertion functionality defined in Section 24.3.1.1, “Context Validation,” on page 24-17 and the identity token formats and functionality defined in Section 24.2.5, “Identity Token Format,” on page 24-14.

   All implementations shall support GSSUP mechanism specific identity tokens of type ITTPrincipalName.

   Authorization Tokens (not required)

   At this level of conformance, implementations are not required to be capable of including an authorization token in the SAS protocol elements they send or of interpreting such tokens if they are included in received SAS protocol elements.

   The format of authorization tokens is defined in Section 24.2.3, “Authorization Token Format,” on page 24-10.
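   The following Python model, added here and not taken from the CSIv2 specification or from any ORB, pulls the Level 0 requirements of Sections 24.6.1.1 and 24.6.1.2 together as the checks a stateless TSS would apply to one received EstablishContext element: the transport rule of footnote 12, GSSUP as the only mandatory client authentication mechanism, ITTPrincipalName as the mandatory named identity token, and authorization tokens that a Level 0 TSS may leave uninterpreted. The message fields follow the CSI IDL names (client_context_id, identity_token, client_authentication_token, authorization_token) and the IdentityTokenType discriminator values from that IDL; the GSSUP mechanism OID 2.23.130.1.1.1 and the RFC 2743 InitialContextToken framing are taken from the referenced standards. The CDR encoding of the real message is omitted and the token bodies are constructed sample bytes; the function names and the (accept, reason) result shape are this example's own.

```python
"""Added example (not from the CSIv2 spec or any ORB): a model of the checks a
Level 0 TSS applies to an incoming SAS EstablishContext element."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# IdentityTokenType discriminator values from the CSIv2 IDL (CSI module).
ITT_ABSENT, ITT_ANONYMOUS, ITT_PRINCIPAL_NAME = 0, 1, 2
ITT_X509_CERT_CHAIN, ITT_DISTINGUISHED_NAME = 4, 8

# GSSUP mechanism OID {2 23 130 1 1 1}, and its DER OBJECT IDENTIFIER encoding.
GSSUP_OID = "2.23.130.1.1.1"
GSSUP_OID_DER = bytes([0x06, 0x06, 0x67, 0x81, 0x02, 0x01, 0x01, 0x01])


def _read_len(buf: bytes, i: int) -> Tuple[int, int]:
    """Decode a DER length at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0 or i + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def decode_oid(contents: bytes) -> str:
    """Turn the contents octets of a DER OBJECT IDENTIFIER into dotted form."""
    if not contents or contents[-1] & 0x80:
        raise ValueError("bad OID")
    arcs = [contents[0] // 40, contents[0] % 40]
    value = 0
    for b in contents[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def gss_mech_oid(token: bytes) -> str:
    """Extract thisMech from an RFC 2743 section 3.1 InitialContextToken:
    [APPLICATION 0] SEQUENCE { thisMech OID, innerContextToken ANY }.
    GSSUP client_authentication_token values carry this framing."""
    if not token or token[0] != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    total, i = _read_len(token, 1)
    if i + total != len(token) or token[i] != 0x06:
        raise ValueError("malformed InitialContextToken")
    oid_len, j = _read_len(token, i + 1)
    return decode_oid(token[j:j + oid_len])


def gss_frame(oid_der: bytes, inner: bytes) -> bytes:
    """Build the InitialContextToken framing around `inner` (constructed test
    data; `inner` stands in for the CDR-encoded GSSUP token body)."""
    content = oid_der + inner
    assert len(content) < 0x80  # short-form length suffices for the example
    return bytes([0x60, len(content)]) + content


@dataclass
class IdentityToken:
    token_type: int
    principal_name: Optional[bytes] = None  # GSS_NT_ExportedName for ITTPrincipalName


@dataclass
class EstablishContext:
    client_context_id: int
    identity_token: IdentityToken
    client_authentication_token: bytes = b""  # GSSToken; empty when absent
    authorization_token: List[bytes] = field(default_factory=list)  # AuthorizationElements


def level0_tss_check(msg: EstablishContext, transport_protected: bool,
                     trusted_environment: bool = False) -> Tuple[bool, str]:
    """Apply the Level 0 requirements to one EstablishContext.
    Returns (accept, reason); a rejection corresponds to a ContextError reply."""
    # Footnote 12: SAS elements on unprotected IIOP only inside trusted environments.
    if not transport_protected and not trusted_environment:
        return False, "SAS element on unprotected transport outside a trusted environment"
    # Stateless TSS: the request is processed but no context is retained, so the
    # CompleteEstablishContext reply would carry context_stateful = false.
    # Client authentication: only GSSUP is mandatory at Level 0.
    if msg.client_authentication_token:
        mech = gss_mech_oid(msg.client_authentication_token)
        if mech != GSSUP_OID:
            return False, f"client authentication mechanism {mech} not supported"
    # Identity assertion: ITTPrincipalName is the mandatory named identity token.
    idt = msg.identity_token
    if idt.token_type == ITT_PRINCIPAL_NAME:
        if not idt.principal_name:
            return False, "ITTPrincipalName token without a GSS_NT_ExportedName"
    elif idt.token_type not in (ITT_ABSENT, ITT_ANONYMOUS):
        return False, "identity token type not required at Level 0"
    # Authorization tokens: a Level 0 TSS need not interpret them, so they are ignored.
    note = " (authorization token ignored)" if msg.authorization_token else ""
    return True, "accepted" + note
```

   The mechanism check reads only the GSS-API framing, which is enough to tell GSSUP from any other mechanism before the token body is handed to the mechanism itself; a TSS would then verify the username and password inside the GSSUP InitialContextToken, which this model leaves to the mechanism implementation.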

   24.6.1.3 Interoperable Object References (IORs)

   The security mechanism configuration of CSIv2 target objects shall be as defined in Section 24.5.1, “Target Security Configuration,” on page 24-32, with the exception that Level 0 implementations are not required to support the DelegationByClient functionality described in Section 24.5.1.1, “AssociationOptions Type,” on page 24-33.