Codec Freedom -- Specifications -- Connection Profiles -- GSS-API Security

At the onset of an MSRP session, it may choose to switch to a connection protected by GSS-API. The most commonly used implementation of GSS-API is Kerberos5, which brings both mutual authenticaiton and encryption. This would improve both the authenticity and the encryption of the data.

TODO: Part of this page is specific to MSRP, but we moved on to AMQP 1.0 because it is more general.

Indication through STARTGSS

Normally, an MSRP connection starts with keywords, such as SEND or perhaps MSRP; but if security through GSS-API is desired, it should instead start with the word STARTGSS, a space and a decimal number that fits in an unsigned 32-bit format, followed by a newline.

Both endpoints should send this sequence, and after each has sent its sequence it should wait until the other side sends it too. If the other side does not agree, it will send the same decimal number; if it sends another number the switch to TLS may proceed.

Dividing the Initiator and Acceptor Roles

The number helps to establish which endpoint plays the role of the GSS-API initiator, and which is the GSS-API acceptor. This sort of distinction is immaterial to MSRP, but GSS-API insists on such a division.

Values may be generated at random. Parties that intend to be an initiator should generate values in the range up to 1073741823 or 2^30-1; parties that intend to be an acceptor should generate values in the range starting from 3221225472 or 3*2^30. Any values between these turning points may be used to signal indifference about the role to play. When the values generated differ, and when not both aim for initiator or both aim for acceptor, the endpoint that sent the highest value becomes the acceptor and the other becomes the initiator.

Starting GSS-API and Continuing

After both parties have sent their STARTGSS commandline, the connection starts to build up a GSS-API context. During this exchange, the GSS-API byte strings to be sent are transmitted in binary form, since the underlying service is 8-bit clean, both in case of bit-insertion and packet mode. The identities exchanged MAY be used to validate the remote endpoint from either side, or from both sides.

As soon as the GSS-API handshake has established a mutual context, the internals of the GSS-API connection can be used to continue with the intended protocol -- basically, MSRP.

TODO: Optionality => how to handle refusal