Scram as a gs2 mechanism ABNF
Here are Nico's and my notes on SCRAM as a GSS-API mechanism.
My hope is that Chris and others will find this acceptable.
If not, there are changes to GS2 that could almost certainly make
Chris happy.
gs2-length = 4*octet
ctx-length = gs2-length
wrap-length = gs2-length
gs2-header = ctx-length wrap-length
der-definite-length = %00-%7F / %81 octet / %82 2*octet / %83 3*octet / %84 4*octet
gss-init-ctx-header = %60 der-definite-length "<constant encoded OID octet string here>"
scram-c1 = gs2-header gss-init-ctx-header username "," hash-list "," nonce
;; wrap-length here is 4*%00
scram-s1 = gs2-header nonce "," hash-list "," salt "," iteration-count
;; wrap-length here is 4*%00
mac = "m=" base64 ";"
;; This is a GSS wrap with integrity token for SCRAM; normally
;; this is all it will be, but a true SCRAM GSS mechanism may
;; have sequence numbers too
channel-binding = *(octet)
scram-c2-ctx = nonce "," proof
scram-c2-wrap = mac "," 4*%00 channel-binding 4*octet %00 [channel-binding] [authzid]
scram-c2 = gs2-header scram-c2-ctx scram-c2-wrap
scram-s2-ctx = verifier
scram-s2-wrap = mac "," ( %08 / %00 ) 3*%00
scram-s2 = gs2-header scram-s2-ctx scram-s2-wrap
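As an added example (not part of this message, and not code from any GS2 or SCRAM implementation), the following Python encodes and checks the framing the ABNF above sketches: the DER definite length used by gss-init-ctx-header, and the two 4-octet length fields of gs2-header. It assumes the gs2 lengths are unsigned big-endian integers (the ABNF only says 4*octet) and uses a constructed placeholder in place of the mechanism OID, which the message leaves as a constant to be filled in.

```python
import struct

# Constructed placeholder OID bytes; the real mechanism OID is not given in the message.
PLACEHOLDER_OID = bytes([0x06, 0x03, 0x2A, 0x03, 0x04])

def der_definite_length(n):
    """Encode n in DER definite form: one octet below 0x80, else 0x81..0x84 plus big-endian bytes."""
    if n < 0:
        raise ValueError("negative length")
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(body) > 4:
        raise ValueError("length exceeds the 4-octet form in the ABNF")
    return bytes([0x80 | len(body)]) + body

def parse_der_definite_length(buf, pos=0):
    """Return (length, next_pos); reject indefinite, oversized and non-minimal encodings."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4:
        raise ValueError("indefinite or oversized length")
    body = buf[pos + 1:pos + 1 + nbytes]
    if len(body) != nbytes:
        raise ValueError("truncated length")
    if body[0] == 0 or (nbytes == 1 and body[0] < 0x80):
        raise ValueError("non-minimal DER length")
    return int.from_bytes(body, "big"), pos + 1 + nbytes

def gss_init_ctx_header(inner):
    """gss-init-ctx-header: %60, DER length of (OID + inner), then the OID and inner bytes."""
    payload = PLACEHOLDER_OID + inner
    return b"\x60" + der_definite_length(len(payload)) + payload

def gs2_frame(ctx, wrap=b""):
    """gs2-header = ctx-length wrap-length (assumed 32-bit big-endian), then both bodies."""
    return struct.pack("!II", len(ctx), len(wrap)) + ctx + wrap

def parse_gs2_frame(buf):
    """Split a frame into (ctx, wrap); the two lengths must account for the whole buffer."""
    if len(buf) < 8:
        raise ValueError("short gs2-header")
    ctx_len, wrap_len = struct.unpack("!II", buf[:8])
    if 8 + ctx_len + wrap_len != len(buf):
        raise ValueError("gs2 lengths do not match token size")
    return buf[8:8 + ctx_len], buf[8 + ctx_len:]
```

For scram-c1 the wrap part is empty, so wrap-length comes out as 4*%00 exactly as the comment in the ABNF says; a receiver that checks the lengths against the buffer size rejects truncated or padded tokens before looking at the SCRAM fields.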