3.1.5.7 Finalizing Negotiation
After the security mechanism has been selected, the initiator and the acceptor can use GSS_Inquire_context() to obtain the Negoex_Verify_key, as defined in section 3.1.5.8.4, to determine whether there is a shared key for the VERIFY_MESSAGE message specified in section 2.2.6.5.
If there is an established shared key and that key is returned by GSS_Inquire_context(), as defined in section 3.1.5.8.4, a VERIFY_MESSAGE message is produced using the checksum mechanism, as specified in [RFC3961], and that message is included in the output token.
The returned protocol key is used as the base key in [RFC3961] section 5.1, to sign all the NEGOEX messages in the negotiation context.
A VERIFY_MESSAGE message structure is specified in section 2.2.6.5.
The AuthScheme field denotes the security mechanism from which the protocol key was obtained.
The VERIFY_MESSAGE message can be included before the security context for the negotiated security mechanism is fully established.