rfcdiff: draft-ietf-abfab-gss-eap-naming-06.txt vs draft-ietf-abfab-gss-eap-naming-07.txt
(lines that are identical in both versions are shown once; changed lines are marked -06: / -07:)

Network Working Group                                          S. Hartman
Internet-Draft                                          Painless Security
Intended status: Standards Track                               J. Howlett
                                                                JANET(UK)
-06: Expires: April 7, 2013                              October 4, 2012
-07: Expires: May 18, 2013                              November 14, 2012

              Name Attributes for the GSS-API EAP mechanism
-06:              draft-ietf-abfab-gss-eap-naming-06
-07:              draft-ietf-abfab-gss-eap-naming-07
Abstract

   The naming extensions to the Generic Security Services Application
   Programming interface provide a mechanism for applications to
   discover authorization and personalization information associated
   with GSS-API names.  The Extensible Authentication Protocol GSS-API
   mechanism allows an Authentication/Authorization/Accounting peer to
   provide authorization attributes along side an authentication
   response.  It also provides mechanisms to process Security Assertion
skipping to change at page 1, line 40
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

-06: This Internet-Draft will expire on April 7, 2013.
-07: This Internet-Draft will expire on May 18, 2013.
Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
skipping to change at page 2, line 28
   6.  Names of SAML Attributes in the Federated Context . . . . . . 9
     6.1.  Assertions . . . . . . . . . . . . . . . . . . . . . . . . 9
     6.2.  SAML Attributes . . . . . . . . . . . . . . . . . . . . . 9
     6.3.  SAML Name Identifiers . . . . . . . . . . . . . . . . . . 10
   7.  Security Considerations . . . . . . . . . . . . . . . . . . . 11
   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
     8.1.  Registration of the GSS URN Namespace . . . . . . . . . . 12
   9.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 14
   10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 15
     10.1. Normative References . . . . . . . . . . . . . . . . . . . 15
     10.2. Informative References . . . . . . . . . . . . . . . . . . 15 (-06) / 16 (-07)
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 17
1.  Introduction

   The naming extensions [I-D.ietf-kitten-gssapi-naming-exts] to the
   Generic Security Services Application Programming interface (GSS-API)
   [RFC2743] provide a mechanism for applications to discover
   authorization and personalization information associated with GSS-API
   names.  The Extensible Authentication Protocol GSS-API mechanism
   [I-D.ietf-abfab-gss-eap] allows an Authentication/Authorization/
skipping to change at page 9, line 16
6.1.  Assertions

   An assertion generated by the credential source is named by
   "urn:ietf:params:gss:federated-saml-assertion".  The value of this
   attribute is the assertion carried in the AAA protocol or used for
   authentication in a SAML mechanism.  This attribute is absent from a
   given acceptor name if no such assertion is present or if the
   assertion fails local policy checks.
-06:
   This attribute is returned with the authenticated output of
   GSS_Get_name_attribute true only when the mechanism can successfully
   authenticated the SAML statement.  For the GSS-EAP mechanism this is
   true if the AAA exchange has successfully authenticated.  However,
   uses of the GSS-API MUST confirm that the attribute is marked
   authenticated as other mechanisms MAY permit an initiator to provide
   an unauthenticated SAML statement.

-07:
   When GSS_Get_name_attribute is called, This attribute will be
   returned with the authenticated output set to true only if the
   mechanism can successfully authenticate the SAML statement.  For the
   GSS-EAP mechanism this is true if the AAA exchange has successfully
   authenticated.  However, uses of the GSS-API MUST confirm that the
   attribute is marked authenticated as other mechanisms MAY permit an
   initiator to provide an unauthenticated SAML statement.
   Mechanisms MAY perform additional local policy checks and MAY remove
   the attribute corresponding to assertions that fail these checks.
6.2.  SAML Attributes

   Each attribute carried in the assertion SHOULD also be a GSS name
   attribute.  The name of this attribute has three parts, all separated
   by an ASCII space character.  The first part is
   urn:ietf:params:gss:federated-saml-attribute.  The second part is the
   URI for the <saml:Attribute> element's NameFormat XML attribute.  The
   final part is the <saml:Attribute> element's Name XML attribute.  The
   SAML attribute name may itself contain spaces.  As required by the
   URI specification, spaces within a URI are encoded as "%20".  Spaces
   within a URI, including either the first or second part of the name,
-06: encoding as "%20" do not separate parts of the GSS-API attribute
     name; they are simply part of the URI.
-07: encoded as "%20" do not separate parts of the GSS-API attribute name;
     they are simply part of the URI.
   As an example, if the eduPersonEntitlement attribute is present in an
   assertion, then an attribute with the name
   "urn:ietf:params:gss:federated-saml-attribute
   urn:oasis:names:tc:SAML:2.0:attrname-format:uri
   urn:oid:1.3.6.1.4.1.5923.1.1.1.7" could be returned from
   GSS_Inquire_Name.  If an application calls GSS_Get_name_attribute
   with this attribute in the attr parameter then the values output
   would include one or more URIs of entitlements that were associated
   with the authenticated user.
   If the content of each <saml:AttributeValue> element is a simple text
   node (or nodes), then the raw and "display" values of the GSS name
   attribute MUST be the text content of the element(s).  The raw value
   MUST be encoded as UTF-8.
-06:
   If the value is not simple or is empty, then the raw value(s) of the
   GSS name attribute MUST be the well-formed serialization of the
   <saml:AttributeValue> element(s) encoded as UTF-8.  The "display"
   values are implementation-defined.

-07:
   If the value is not simple or is empty, then the raw value(s) of the
   GSS name attribute MUST be a namespace well-formed serialization
   [XMLNS]of the <saml:AttributeValue> element(s) encoded as UTF-8.  The
   "display" values are implementation-defined.
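The naming rule from section 6.2 (three parts joined by single ASCII spaces, where a "%20" inside a URI is never a separator but the SAML Name itself may contain literal spaces) and the raw-value rule (UTF-8 text content for simple values, a serialized <saml:AttributeValue> element otherwise), worked through in Python.  This is an added example, not text or code from the draft or from any ABFAB implementation.  The SAML fragment is constructed for the example; treating a missing NameFormat as attrname-format:unspecified is an assumption taken from SAML 2.0 core rather than from this draft; the namespace prefix chosen in the serialization is ElementTree's, and no "display" value is produced for the non-simple case because the draft leaves it implementation-defined.

```python
"""Mapping <saml:Attribute> elements to GSS-API name attributes (draft section 6.2)."""
import copy
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
GSS_SAML_ATTR = "urn:ietf:params:gss:federated-saml-attribute"
# Assumption (SAML 2.0 core, not stated in the draft): a missing NameFormat means "unspecified".
DEFAULT_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Serialise with the conventional "saml" prefix instead of ElementTree's generated "ns0".
ET.register_namespace("saml", SAML_NS)

# Constructed sample (not from the draft): four attributes covering the cases the text describes:
# a multi-valued URI-named attribute, a Name containing a literal space, a Name containing "%20",
# and a non-simple plus an empty value.
SAMPLE_ATTRIBUTE_STATEMENT = """\
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                  Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7">
    <saml:AttributeValue>urn:mace:dir:entitlement:common-lib-terms</saml:AttributeValue>
    <saml:AttributeValue>urn:mace:example.org:entitlement:wiki</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                  Name="Display Name">
    <saml:AttributeValue xsi:type="xs:string">Alice Example</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                  Name="http://example.org/attr/display%20name">
    <saml:AttributeValue>alice</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://example.org/attr/role">
    <saml:AttributeValue><ex:Role xmlns:ex="http://example.org/ns">admin</ex:Role></saml:AttributeValue>
    <saml:AttributeValue/>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def gss_attribute_name(attr: ET.Element) -> str:
    """Build the three-part GSS name attribute: prefix, NameFormat URI, SAML Name,
    joined by single ASCII spaces.  A "%20" inside either URI is left untouched;
    it is part of the URI, not a separator."""
    name = attr.get("Name")
    if name is None:
        raise ValueError("saml:Attribute without a Name XML attribute")
    return " ".join((GSS_SAML_ATTR, attr.get("NameFormat", DEFAULT_NAME_FORMAT), name))


def split_gss_attribute_name(gss_name: str) -> tuple[str, str, str]:
    """Inverse of gss_attribute_name.  Only the first two spaces separate parts:
    the SAML Name (third part) may itself contain literal spaces, so never split it."""
    parts = gss_name.split(" ", 2)
    if len(parts) != 3 or parts[0] != GSS_SAML_ATTR or not parts[1] or not parts[2]:
        raise ValueError(f"not a federated-saml-attribute name: {gss_name!r}")
    return parts[0], parts[1], parts[2]


def _is_simple_text(value: ET.Element) -> bool:
    # Simple content: text node(s) only, no child elements, and not empty.
    # XML attributes on <saml:AttributeValue> (e.g. xsi:type) do not make it non-simple.
    return len(value) == 0 and bool(value.text)


def gss_raw_values(attr: ET.Element) -> list[bytes]:
    """Raw values of the GSS name attribute, one per <saml:AttributeValue>, as UTF-8."""
    raw = []
    for value in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
        if _is_simple_text(value):
            raw.append(value.text.encode("utf-8"))  # raw value == display value here
        else:
            elem = copy.copy(value)
            elem.tail = None  # tostring() would otherwise append the element's trailing whitespace
            # Namespace-well-formed serialisation of the element itself (all namespaces
            # it uses are declared on it); the display value is implementation-defined.
            raw.append(ET.tostring(elem, encoding="utf-8"))
    return raw


def map_attribute_statement(xml_text: str) -> dict[str, list[bytes]]:
    """GSS name attribute -> raw values for every <saml:Attribute> in the statement.
    Repeated SAML attributes with the same Name/NameFormat merge into one GSS attribute."""
    root = ET.fromstring(xml_text)
    mapped: dict[str, list[bytes]] = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        mapped.setdefault(gss_attribute_name(attr), []).extend(gss_raw_values(attr))
    return mapped


if __name__ == "__main__":
    for name, values in map_attribute_statement(SAMPLE_ATTRIBUTE_STATEMENT).items():
        _, name_format, saml_name = split_gss_attribute_name(name)
        print(f"{saml_name!r} [{name_format.rsplit(':', 1)[-1]}]: {values}")
```

Applications consuming these names should split with a maximum of two splits, as split_gss_attribute_name does; a naive split on every space would break the "Display Name" attribute into four parts, while the "%20" form of the same idea survives any splitting, which is exactly the distinction the text draws.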
   These attributes SHOULD be marked authenticated if they are contained
   in SAML assertions that have been successfully validated back to the
   trusted source of the peer credential.  In the GSS-EAP mechanism, a
   SAML assertion carried in an integrity-protected and authenticated
   AAA protocol SHALL be successfully validated; attributes from that
   assertion SHALL be returned from GSS_Get_name_attribute with the
   authenticated output set to true.  An implementation MAY apply local
   policy checks to each attribute in this assertion and discard the
   attribute if it is unacceptable according to these checks.
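Review bot: the -07 rewrite of the first paragraph of 6.1 leaves a capital "This" mid-sentence ("When GSS_Get_name_attribute is called, This attribute will be returned"); it should read "this attribute". In 6.2, the -07 text "[XMLNS]of the <saml:AttributeValue> element(s)" is missing the space after the citation. Both are editorial. The substantive changes in this block, tying the authenticated output explicitly to the GSS_Get_name_attribute call and requiring a namespace well-formed serialization per [XMLNS] for non-simple values, read correctly and are consistent with the unchanged 6.2 paragraph that requires the authenticated output to be set to true for attributes from an assertion validated over an integrity-protected AAA protocol.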
skipping to change at page 15, line 47
              Interface Version 2, Update 1", RFC 2743, January 2000.

   [RFC3553]  Mealling, M., Masinter, L., Hardie, T., and G. Klyne, "An
              IETF URN Sub-namespace for Registered Protocol
              Parameters", BCP 73, RFC 3553, June 2003.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
              May 2008.

-07 adds:
   [XMLNS]    W3C, "XML Namespaces Conformance", 2009, <http://
              www.w3.org/TR/2009/REC-xml-names-20091208/#Conformance>.
10.2.  Informative References

   [I-D.ietf-abfab-aaa-saml]
              Howlett, J. and S. Hartman, "A RADIUS Attribute, Binding
              and Profiles for SAML",
   -06:       draft-ietf-abfab-aaa-saml-03 (work in progress), March 2012.
   -07:       draft-ietf-abfab-aaa-saml-04 (work in progress), October 2012.

   [I-D.ietf-kitten-sasl-saml-ec]
              Cantor, S. and S. Josefsson, "SAML Enhanced Client SASL
              and GSS-API Mechanisms",
   -06:       draft-ietf-kitten-sasl-saml-ec-03 (work in progress), September 2012.
   -07:       draft-ietf-kitten-sasl-saml-ec-04 (work in progress), October 2012.
Authors' Addresses

   Sam Hartman
   Painless Security

   Email: hartmans-ietf@mit.edu

   Josh Howlett
   JANET(UK)
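Review bot: the new [XMLNS] entry is titled after the section its URL points at ("Conformance", per the #Conformance fragment) rather than after the W3C Recommendation it is part of; cite the Recommendation by its own title and publication date and keep the fragment only as a locator, since readers will look the reference up by title. Its placement before the "10.2. Informative References" heading puts it among the normative references, which matches its use in 6.2 (the -07 text makes a namespace well-formed serialization a MUST). The two informative-reference updates (draft-ietf-abfab-aaa-saml -03 to -04, draft-ietf-kitten-sasl-saml-ec -03 to -04) are routine version refreshes with no other change to the entries.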
End of changes.  10 change blocks.  21 lines changed or deleted, 24 lines changed or added.

This html diff was produced by rfcdiff 1.41.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/