rfcdiff: draft-ietf-kitten-gss-naming-02.txt -> draft-ietf-kitten-gss-naming-03.txt

Network Working Group                                         S. Hartman
Internet-Draft                                                       MIT
-02: Expires: December 4, 2005                              June 2, 2005
-03: Expires: April 26, 2006                            October 23, 2005

                   Desired Enhancements to GSSAPI Naming
                 -02: draft-ietf-kitten-gss-naming-02.txt
                 -03: draft-ietf-kitten-gss-naming-03.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that

   [unchanged text omitted; resumes at page 1, line 33]

   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   -02: This Internet-Draft will expire on December 4, 2005.
   -03: This Internet-Draft will expire on April 26, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   The Generic Security Services API (GSS-API) provides a naming
   architecture that supports name-based authorization.  GSS-API
   authenticates two named parties to each other.  Names can be stored

   [unchanged text omitted; resumes at page 5, line 32]
   Performing a mapping from enterprise name to principal name is not
   generally possible for unauthenticated services.  Even authenticated
   services may not be authorized to perform this mapping except for
   their own name.  Also, Kerberos does not (and does not plan to)
   provide a mechanism for mapping enterprise names to principals
   besides authentication as the enterprise name.  Thus, any such
   mapping would be vendor-specific.  With this feature in Kerberos, it
   is not possible to implement gss_canonicalize_name for enterprise
   name types.

   Another issue arises with enterprise names.  In some cases, it would
   be desirable to put the enterprise name on the ACL instead of a
   principal name for greater ACL stability.  At first glance this could
   be accomplished by including the enterprise name in the name exported
   by gss_export_name.  Unfortunately, if this were done, the exported
   name would change whenever the mapping changed, invalidating any ACL
   entries based off the old exported name and defeating the purpose of
   including the enterprise name in the exported name.  In some cases it
   would be desirable to have the exported name be based on the
   enterprise name and in others based on the principal name, but this
   is not permitted by the current GSS-API.

   [-03 changes "IN some cases it would" to "In some cases, it would".]
   [unchanged text omitted; resumes at page 7, line 51]

   come from mechanism specific credentials.  Components of these
   mechanism specific credentials may come from platform or environment-
   specific names.  Mechanism specific naming and group membership can
   be mapped into name attributes by the mechanism implementation.  The
   specific form of this mapping will generally require protocol
   specification for each mechanism.

   The value of many name attributes may be suitable for use in binary
   comparison.  This should enable applications to use these name
   attributes on ACLs the same way exported names are now used on ACLs.
   For example if a particular SubjectAltname extension contains the
   appropriate identity for an application, then the name attribute
   for this SubjectAltname can be placed on the ACL.  This is only true
   if the name attribute is stored in some canonical form.

   [-03 changes "Subjectaltname" to "SubjectAltname" in both places.]
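   The two points above, that an ACL of exported names is a byte-for-byte
   comparison and that a name attribute is only usable on an ACL in a
   canonical form, together with the enterprise-name instability argument
   from the previous excerpt, can be made concrete with the following
   added example.  It is not part of the draft or of any GSS-API
   implementation.  It encodes and decodes the exported name token of
   RFC 2743 section 3.2 (0x04 0x01, two-byte mechanism OID length, DER
   OID, four-byte name length, name) using the Kerberos V5 mechanism OID
   from RFC 1964, and then compares three constructed ways of keying an
   ACL when an enterprise name is re-mapped to a different principal.
   The "combined" key layout, the NUL separator, the canonicalisation
   rule for SubjectAltName dNSName values and all sample names are
   assumptions made up for the example.

```python
from __future__ import annotations

import struct

# DER encoding of the Kerberos V5 mechanism OID 1.2.840.113554.1.2.2
# (tag 0x06, length 9, then the OID sub-identifiers).
KRB5_MECH_OID_DER = bytes.fromhex("06092a864886f712010202")


def export_name(mech_oid_der: bytes, name: bytes) -> bytes:
    """Encode a mechanism name as an RFC 2743 section 3.2 exported name
    token: 0x04 0x01, 2-byte OID length, DER OID, 4-byte name length,
    name bytes (lengths are big-endian)."""
    return (b"\x04\x01"
            + struct.pack(">H", len(mech_oid_der))
            + mech_oid_der
            + struct.pack(">I", len(name))
            + name)


def parse_exported_name(token: bytes) -> tuple[bytes, bytes]:
    """Split a token into (DER OID, name bytes), rejecting anything that
    is not exactly one well-formed token."""
    if len(token) < 4 or token[:2] != b"\x04\x01":
        raise ValueError("not an exported name token")
    (oid_len,) = struct.unpack(">H", token[2:4])
    oid = token[4:4 + oid_len]
    if len(oid) != oid_len or oid[:1] != b"\x06":
        raise ValueError("malformed mechanism OID")
    pos = 4 + oid_len
    if len(token) < pos + 4:
        raise ValueError("truncated name length")
    (name_len,) = struct.unpack(">I", token[pos:pos + 4])
    name = token[pos + 4:pos + 4 + name_len]
    if len(name) != name_len or len(token) != pos + 4 + name_len:
        raise ValueError("name length does not match token")
    return oid, name


def acl_allows(acl: frozenset[bytes], token: bytes) -> bool:
    """An ACL of exported names is checked by byte comparison only; no
    parsing or case folding happens here, so whatever is stored must
    already be in canonical form."""
    return token in acl


def canonical_dns_san(dns_name: str) -> bytes:
    """Assumed canonical form for a SubjectAltName dNSName used as a name
    attribute: DNS names are case-insensitive and a trailing dot is
    cosmetic, so both are normalised before the bytes go on the ACL."""
    return dns_name.rstrip(".").lower().encode("ascii")


def candidate_acl_keys(enterprise: str, principal: str) -> dict[str, bytes]:
    """Three constructed ways to key an ACL for one authenticated user.
    "combined" (enterprise name carried inside the exported name) is the
    approach the draft rejects; "enterprise_attr" is a canonical-form
    name attribute of the kind section 4 proposes."""
    return {
        "principal": export_name(KRB5_MECH_OID_DER, principal.encode()),
        "combined": export_name(KRB5_MECH_OID_DER,
                                f"{enterprise}\x00{principal}".encode()),
        "enterprise_attr": enterprise.lower().encode(),
    }


def keys_stable_across_remapping(enterprise: str, old_principal: str,
                                 new_principal: str) -> list[str]:
    """Which ACL keys survive the enterprise name being re-mapped from
    old_principal to new_principal (e.g. a user moved between realms)."""
    before = candidate_acl_keys(enterprise, old_principal)
    after = candidate_acl_keys(enterprise, new_principal)
    return [key for key in before if before[key] == after[key]]


if __name__ == "__main__":
    token = export_name(KRB5_MECH_OID_DER, b"alice@EXAMPLE.COM")
    acl = frozenset({token})
    print(token.hex())
    print(acl_allows(acl, token))                                   # True
    # Same user, different case: different bytes, so not on the ACL.
    print(acl_allows(acl, export_name(KRB5_MECH_OID_DER, b"alice@example.com")))  # False
    print(keys_stable_across_remapping("Alice@example.com",
                                       "alice@EXAMPLE.COM",
                                       "alice@CORP.EXAMPLE.COM"))   # ['enterprise_attr']
```

   Only the enterprise-name attribute survives the re-mapping: the
   principal-keyed entry now names the wrong principal, and the combined
   key changes with it, which is exactly the instability the draft
   describes.  The parser also shows the other side of binary
   comparison: a token that fails any length check is rejected outright
   rather than matched on a prefix.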
4.2  Open issues

   This section describes parts of the proposal to add attributes to
   names that will need to be explored before the proposal can become a
   protocol specification.

   Are mechanisms expected to be able to carry arbitrary name attributes
   as part of a context establishment?  At first it seems like this

   [unchanged text omitted; resumes at page 11, line 13]

   also be carried as part of the name in the mechanism

6.  Mechanisms for Export Name

   Another proposal is to define some GSS-API mechanisms whose only
   purpose is to have an exportable name form that is useful.  For
   example, you might be able to export a name as a local machine user
   ID with such a mechanism.

   This solution works well especially for name information that can be
   looked up in a directory.  It was unclear from the discussion whether
   this solution would allow mechanism-specific name information to be
   extracted from a context.  If so, then this solution would meet many
   of the goals of this document.

   [-02 read "from the p discussion whether"; -03 drops the stray "p".]

   One advantage of this solution is that it requires few if any changes
   to GSS-API semantics.  It is not as flexible as other solutions.
   Also, it is not clear how to handle mechanisms that do not have a
   well defined name to export with this solution.
   [Section 7 is rewritten in -03.  Both versions follow.]

-02 text:

7.  Deferring Credential Binding

   Currently GSS-API credentials represent a single mechanism name.
   While working on other issues discussion came up focused around
   choosing the correct credential for a particular target.  There are
   several situations where an implementation can do a better job of
   choosing a default source name to use given the name of the target to
   connect to.  Currently, GSS-API does not provide a mechanism to do
   this.  Adding such a mechanism would be desirable.

-03 text:

7.  Selection of Source Identity

   Today, applications such as e-mail clients and web browsers require
   connections to multiple targets.  For each target there may be one or
   more source identities that are appropriate for the connection.
   Currently each application must choose the source name to use when
   acquiring credentials or initiating a security context.  However the
   rules that applications use can be generalized to a large extent.
   GSS-API could simplify application design and implementation by
   taking a larger role in selection of source identity to use when
   connecting to a particular target.

   Currently GSS-API credentials represent a single mechanism name; that
   is, by the time credentials are acquired, a particular single
   identity must be chosen for each mechanism in the credential.  All
   these identities must correspond to a single mechanism independent
   name.

   Two possibilities have been proposed for involving GSS-API in the
   selection of source identities.  First, the restriction that a
   mechanism name must be chosen when credentials are acquired could be
   relaxed.  Some name form would need to be used, but this name form
   could represent a set of possibilities.  The particular identity
   would be chosen when context establishment happened.  This could
   involve information received from the target in identity selection.

   Another possibility is to provide a mechanism to acquire credentials
   and to provide information about the target when credentials are
   acquired.  This would be much less of a change to GSS-API but would
   not allow information received from the target to be used in
   identity selection.

   With both approaches, information to communicate the needs of the
   application to the GSS-API mechanism will be required.  For example,
   hinting about whether information can be cached and about the scope
   of cache entries is required.
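   The following added example sketches the second of the two approaches
   above, where the application supplies the target name before
   credentials are chosen, together with the caching hints the last
   paragraph asks for.  It is not from the draft and is not a GSS-API
   call; it is a hypothetical application-side selection step written
   to show how the "rules that applications use" generalize.  The rule
   (longest realm suffix matching the target host wins, else a default
   identity), the SelectionHints fields, the "host"/"domain" scope
   values and the sample identities are all assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Identity:
    """A mechanism-independent source name and the realm it belongs to
    (constructed; real credentials would carry per-mechanism names)."""
    name: str
    realm: str


@dataclass(frozen=True)
class SelectionHints:
    """Hypothetical hints of the kind the draft says both approaches
    need: may the answer be cached, and at what granularity."""
    cacheable: bool = True
    scope: str = "host"   # "host": one entry per target host; "domain": per parent domain


def domain_of(host: str) -> str:
    """Parent domain of a host name, or the host itself if it has none."""
    _, _, parent = host.partition(".")
    return parent or host


@dataclass
class SourceSelector:
    identities: tuple[Identity, ...]
    default: Identity
    _cache: dict[tuple[str, str], Identity] = field(default_factory=dict)
    rule_evaluations: int = 0   # counts rule runs so cache behaviour is observable

    def select(self, target: str,
               hints: SelectionHints = SelectionHints()) -> Identity:
        """Pick a source identity for a GSS host-based target name of the
        form "service@host".  Rule: the identity whose realm is the
        longest suffix of the target host wins; otherwise the default."""
        _service, _, host = target.partition("@")
        host = host.lower()
        key = (hints.scope, host if hints.scope == "host" else domain_of(host))
        if hints.cacheable and key in self._cache:
            return self._cache[key]
        self.rule_evaluations += 1
        matches = [ident for ident in self.identities
                   if host == ident.realm.lower()
                   or host.endswith("." + ident.realm.lower())]
        chosen = max(matches, key=lambda ident: len(ident.realm),
                     default=self.default)
        if hints.cacheable:
            self._cache[key] = chosen
        return chosen


if __name__ == "__main__":
    # Constructed identities: one per realm the user holds credentials in.
    alice = Identity("alice@EXAMPLE.COM", "EXAMPLE.COM")
    alice_corp = Identity("alice@CORP.EXAMPLE.COM", "CORP.EXAMPLE.COM")
    guest = Identity("guest@PUBLIC.EXAMPLE.NET", "PUBLIC.EXAMPLE.NET")
    selector = SourceSelector((alice, alice_corp), default=guest)
    for target in ("imap@mail.corp.example.com", "HTTP@www.example.com",
                   "imap@mail.other.org"):
        print(target, "->", selector.select(target).name)
```

   The scope hint decides what a cached answer is allowed to cover: with
   scope "domain" one evaluation serves every host under the same parent
   domain, while a non-cacheable request is always re-evaluated and
   never stored, which is what an application would want for a target
   whose identity choice must not leak into later connections.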
8.  Security Considerations

   GSS-API sets up a security context between two named parties.  The
   GSS-API names are security assertions that are authenticated by the
   context establishment process.  As such the GSS naming architecture
   is critical to the security of GSS-API.

   Currently GSS-API uses a simplistic naming model for authorization.
   Names can be compared against a set of names on an access control

End of changes.  9 change blocks.  18 lines changed or deleted, 45 lines changed or added.

This html diff was produced by rfcdiff 1.27, available from http://www.levkowetz.com/ietf/tools/rfcdiff/