Frontmatter

©October 1997, The Open Group All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the copyright owners.

This document and the software to which it relates are derived in part from materials which are copyright © 1990, 1991 Digital Equipment Corporation and copyright © 1990, 1991 Hewlett-Packard Company.

Any comments relating to the material contained in this document may be submitted to The Open Group at:

The Open Group
Apex Plaza
Forbury Road
Reading
Berkshire, RG1 1AX
United Kingdom

OGSpecs@opengroup.org

Preface

The Open Group

The Open Group is the leading vendor-neutral, international consortium for buyers and suppliers of technology. Its mission is to cause the development of a viable global information infrastructure that is ubiquitous, trusted, reliable, and as easy-to-use as the telephone. The essential functionality embedded in this infrastructure is what we term the IT DialTone. The Open Group creates an environment where all elements involved in technology development can cooperate to deliver less costly and more flexible IT solutions.

Formed in 1996 by the merger of the X/Open Company Ltd. (founded in 1984) and the Open Software Foundation (founded in 1988), The Open Group is supported by most of the world's largest user organizations, information systems vendors, and software suppliers. By combining the strengths of open systems specifications and a proven branding scheme with collaborative technology development and advanced research, The Open Group is well positioned to meet its new mission, as well as to assist user organizations, vendors, and suppliers in the development and implementation of products supporting the adoption and proliferation of systems which conform to standard specifications.

With more than 200 member companies, The Open Group helps the IT industry to advance technologically while managing the change caused by innovation. It does this by:

• consolidating, prioritizing, and communicating customer requirements to vendors

• conducting research and development with industry, academia, and government agencies to deliver innovation and economy through projects associated with its Research Institute

• managing cost-effective development efforts that accelerate consistent multi-vendor deployment of technology in response to customer requirements

• adopting, integrating, and publishing industry standard specifications that provide an essential set of blueprints for building open information systems and integrating new technology as it becomes available

• licensing and promoting the Open Brand, represented by the "X" mark, that designates vendor products which conform to Open Group Product Standards

• promoting the benefits of the IT DialTone to customers, vendors, and the public.

The Open Group operates in all phases of the open systems technology lifecycle including innovation, market adoption, product development, and proliferation. Presently, it focuses on seven strategic areas: open systems application platform development, architecture, distributed systems management, interoperability, distributed computing environment, security, and the information superhighway. The Open Group is also responsible for the management of the UNIX trademark on behalf of the industry.

The Development of Product Standards

This process includes the identification of requirements for open systems and, now, the IT DialTone, development of CAE and Preliminary Specifications through an industry consensus review and adoption procedure (in parallel with formal standards work), and the development of tests and conformance criteria.

This leads to the preparation of a Product Standard which is the name used for the documentation that records the conformance requirements (and other information) to which a vendor may register a product. There are currently two forms of Product Standard, namely the Profile Definition and the Component Definition, although these will eventually be merged into one.

The "X" mark is used by vendors to demonstrate that their products conform to the relevant Product Standard. By use of the Open Brand they guarantee, through the X/Open Trade Mark Licence Agreement (TMLA), to maintain their products in conformance with the Product Standard so that the product works, will continue to work, and that any problems will be fixed by the vendor.

Open Group Publications

The Open Group publishes a wide range of technical documentation, the main part of which is focused on specification development and product documentation, but which also includes Guides, Snapshots, Technical Studies, Branding and Testing documentation, industry surveys, and business titles.

There are several types of specification:

• CAE Specifications

  CAE (Common Applications Environment) Specifications are the stable specifications that form the basis for our Product Standards, which are used to develop X/Open branded systems. These specifications are intended to be used widely within the industry for product development and procurement purposes.

  Anyone developing products that implement a CAE Specification can enjoy the benefits of a single, widely supported industry standard. Where appropriate, they can demonstrate product compliance through the Open Brand. CAE Specifications are published as soon as they are developed, so enabling vendors to proceed with development of conformant products without delay.
  

• Preliminary Specifications

  Preliminary Specifications usually address an emerging area of technology and consequently are not yet supported by multiple sources of stable conformant implementations. They are published for the purpose of validation through implementation of products. A Preliminary Specification is not a draft specification; rather, it is as stable as can be achieved, through applying The Open Group's rigorous development and review procedures.

  Preliminary Specifications are analogous to the trial-use standards issued by formal standards organizations, and developers are encouraged to develop products on the basis of them. However, experience through implementation work may result in significant (possibly upwardly incompatible) changes before its progression to becoming a CAE Specification. While the intent is to progress Preliminary Specifications to corresponding CAE Specifications, the ability to do so depends on consensus among Open Group members.
  

• Consortium and Technology Specifications

  The Open Group publishes specifications on behalf of industry consortia. For example, it publishes the NMF SPIRIT procurement specifications on behalf of the Network Management Forum. It also publishes Technology Specifications relating to OSF/1, DCE, OSF/Motif, and CDE.

  Technology Specifications (formerly AES Specifications) are often candidates for consensus review, and may be adopted as CAE Specifications, in which case the relevant Technology Specification is superseded by a CAE Specification.

In addition, The Open Group publishes:

• Product Documentation

  This includes product documentation-programmer's guides, user manuals, and so on-relating to the Pre-structured Technology Projects (PSTs), such as DCE and CDE. It also includes the Single UNIX Documentation, designed for use as common product documentation for the whole industry.

• Guides

  These provide information that is useful in the evaluation, procurement, development, or management of open systems, particularly those that relate to the CAE Specifications. The Open Group Guides are advisory, not normative, and should not be referenced for purposes of specifying or claiming conformance to a Product Standard.

• Technical Studies

  Technical Studies present results of analyses performed on subjects of interest in areas relevant to The Open Group's Technical Program. They are intended to communicate the findings to the outside world so as to stimulate discussion and activity in other bodies and the industry in general.

Versions and Issues of Specifications

As with all live documents, CAE Specifications require revision to align with new developments and associated international standards. To distinguish between revised specifications which are fully backwards compatible and those which are not:

• A new Version indicates there is no change to the definitive information contained in the previous publication of that title, but additions/extensions are included. As such, it replaces the previous publication.

• A new Issue indicates there is substantive change to the definitive information contained in the previous publication of that title, and there may also be additions/extensions. As such, both previous and new documents are maintained as current publications.

Corrigenda

Readers should note that Corrigenda may apply to any publication. Corrigenda information is published on the World-Wide Web at http://www.opengroup.org/public/pubs.

Ordering Information

Full catalogue and ordering information on all Open Group publications is available on the World-Wide Web at http://www.opengroup.org/public/pubs.

This Document

This document is a CAE Specification (see above). It specifies the DCE 1.1 security model, services, interfaces, and protocols. Its purpose is to provide a portability guide for security application programs and a conformance specification for DCE security implementations.

This document is organized as follows:

• Part 1 presents an introduction to issues in security and describes how general concepts in security are supported by DCE. Included new for DCE 1.1 are such topics as delegation, extended registry attributes, and extended login and password management.

• Part 2 defines in detail the security specifications, formats, protocols, and RPC interfaces supported by DCE. These include the following:

  • Infrastructure protocols and services, including checksum and encryption/decryption mechanisms, key distribution services, and privilege services

  • Access control lists (ACLs) and ACL managers

  • Delegation

  • Replication and propagation

  • Protected communication services

  • Higher-level facilities, including ACL editors, registration service, ID map facility, key management facility, login facility,and credentials facility

• Part 3 contains reference manual pages describing the following security APIs supported by DCE:

  • Access control list

  • Registry

    This API has significant additions for DCE 1.1.

  • ID map

  • Key management

  • Login

    This API has additions for delegation.

  • credentials.

• Part 4 contains a symbol mapping table, list of error codes,and a glossary. The error codes are new for DCE 1.1.

Intended Audience

This document is written for security application programmers and developers of DCE security implementations.

Typographic Conventions

The following typographical conventions are used throughout this document:

• Bold font is used for system elements that must be used literally, such as interface names and defined constants.

• Italic strings are used for emphasis or to identify the first instance of a word requiring definition. Italics in text also denote function names and variable values such as interface arguments.

• Normal font is used for the names of constants and literals.

• The notation <file.h> indicates a header file.

• The notation [EABCD] is used to identify an error value EABCD.

• Syntax, code examples and user input in interactive examples are shown in fixed width font.

• Variables within syntax statements are shown in italic fixed width font.

Trademarks

DECnet® and VAX® are registered trade marks of Digital Equipment Corporation.

Microsoft®, NetBIOS® and NetBEUI® are registered trade marks of Microsoft Corporation.

NetWare® is a registered trade mark of Novell, Inc.

Network Computing System® is a registered trade mark of Hewlett-Packard Company.

Postscript® is a registered trade mark of Adobe Systems Incorporated.

Statemate® is a registered trade mark of i-Logix Incorporated. System/370® and IBM® are registered trade marks of International Business Machines Corporation.

Motif®, OSF/1®, and UNIX® are registered trademarks and the IT DialTone^TM;, The Open Group^TM;, and the "X Device"^TM; are trademarks of The Open Group.

Referenced Documents

The following documents are referenced in this specification:

ANSI X3.92

American National Standards Institute, Inc. (ANSI): X3.92-1981, American National Standard Data Encryption Algorithm

ANSI X3.106

ANSI X3.106-1983, American National Standard for Information Systems - Data Encryption Algorithm - Modes of Operation

CCITT V.42

CCITT (now ITU-T) Recommendation V.42-1988.

CCITT X.208

CCITT (now ITU-T) Recommendation X.208-1988.

CCITT X.209

Recommendation X.209-1988 (Specification of Basic Encoding Rules for Abstract Syntax Notation One (ASN.1)).

CCITT X.509

Recommendation X.509-1988.

It is cited in CRC-32 . ISO/IEC 3309:1993(E) is equivalent for the purposes of that section.

DCE Directory

The Open Group CAE Specification, October 1997, The Open Group DCE 1.1: Directory Services (Publication number: C705).

DCE RPC

The Open Group CAE Specification, October 1997, The Open Group DCE 1.1: Remote Procedure Call (Publication number: C706).

DCE Time

The Open Group CAE Specification, November 1994, The Open Group DCE 1.1: Time Services (ISBN: 1-85912-067-9, C310).

ISO 8859-1

ISO 8859-1:1987, Information Processing - 8-bit Single-byte Coded Graphic Character Sets - Part 1: Latin Alphabet No. 1.

RFC 1321

The Internet document RFC 1321, by R. Rivest, dated April 1992.

RFC 1510

The Internet document RFC 1510, by J. Kohl and C. Neuman, dated September 1993.