draft-ietf-kitten-gssapi-naming-exts-12.txt   draft-ietf-kitten-gssapi-naming-exts-13.txt 
KITTEN WORKING GROUP N. Williams KITTEN WORKING GROUP N. Williams
Internet-Draft Sun Internet-Draft
Intended status: Standards Track L. Johansson Intended status: Standards Track L. Johansson
Expires: June 19, 2012 SUNET Expires: September 12, 2012 SUNET
S. Hartman S. Hartman
Painless Security Painless Security
S. Josefsson S. Josefsson
SJD AB SJD AB
December 17, 2011 March 11, 2012
GSS-API Naming Extensions GSS-API Naming Extensions
draft-ietf-kitten-gssapi-naming-exts-12 draft-ietf-kitten-gssapi-naming-exts-13
Abstract Abstract
The Generic Security Services API (GSS-API) provides a simple naming The Generic Security Services API (GSS-API) provides a simple naming
architecture that supports name-based authorization. This document architecture that supports name-based authorization. This document
introduces new APIs that extend the GSS-API naming model to support introduces new APIs that extend the GSS-API naming model to support
name attribute transfer between GSS-API peers. name attribute transfer between GSS-API peers.
Status of this Memo Status of this Memo
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 19, 2012. This Internet-Draft will expire on September 12, 2012.
Copyright Notice Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 8, line 46 skipping to change at page 8, line 46
OCTET STRING as a buffer-set type in GFD.024 [GFD.024] which also OCTET STRING as a buffer-set type in GFD.024 [GFD.024] which also
provides one API for memory management of these structures. The provides one API for memory management of these structures. The
normative reference to GFD.024 [GFD.024] is for the buffer set normative reference to GFD.024 [GFD.024] is for the buffer set
functions defined in section 2.5 and the associated buffer set C functions defined in section 2.5 and the associated buffer set C
types defined in section 6 (namely gss_buffer_set_desc, types defined in section 6 (namely gss_buffer_set_desc,
gss_buffer_set_t, gss_create_empty_buffer_set, gss_buffer_set_t, gss_create_empty_buffer_set,
gss_add_buffer_set_member, gss_release_buffer_set). Nothing else gss_add_buffer_set_member, gss_release_buffer_set). Nothing else
from GFD.024 is required to implement this document. In particular, from GFD.024 is required to implement this document. In particular,
that document specify changes in behaviour existing GSS-API functions that document specify changes in behaviour existing GSS-API functions
in section 3: implementing those changes are not required to in section 3: implementing those changes are not required to
implement this document. Note that this document assumes buffer sets implement this document. Any implementation of SET OF OCTET STRING
allows for order preservation. for use by this specification MUST preserve order.
7.2. Const types 7.2. Const types
The C bindings for the new APIs uses some types from [RFC5587] to The C bindings for the new APIs uses some types from [RFC5587] to
avoid issues with the use of "const". The normative reference to avoid issues with the use of "const". The normative reference to
[RFC5587] is for the C types specified in Figure 1 of 3.4.6, nothing [RFC5587] is for the C types specified in Figure 1 of 3.4.6, nothing
else from that document is required to implement this document. else from that document is required to implement this document.
7.3. GSS_Display_name_ext() 7.3. GSS_Display_name_ext()
Inputs: Inputs:
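Review bot: The new sentence "Any implementation of SET OF OCTET STRING for use by this specification MUST preserve order." is a welcome upgrade from the old "assumes buffer sets allows for order preservation", but it clashes with the ASN.1 term it is attached to: SET OF is unordered by definition and SEQUENCE OF is the ordered construct, so either use SEQUENCE OF OCTET STRING or add a clause saying the name is only a label for the buffer-set type and that the ordering guarantee is this document's own. The MUST should also say which outputs it protects, because as written an implementer cannot tell whether reordering members of a buffer set is observable. The preceding sentence keeps the grammar errors of -12: "that document specify changes in behaviour existing GSS-API functions in section 3: implementing those changes are not required" should read "that document specifies changes in the behaviour of existing GSS-API functions in section 3; implementing those changes is not required". In 7.2, "The C bindings for the new APIs uses" should be "use".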
skipping to change at page 13, line 28 skipping to change at page 13, line 28
o GSS_S_COMPLETE indicates no error. o GSS_S_COMPLETE indicates no error.
o GSS_S_UNAVAILABLE indicates that the given attribute NAME is not o GSS_S_UNAVAILABLE indicates that the given attribute NAME is not
known or could not be set. known or could not be set.
o GSS_S_FAILURE indicates a general error. o GSS_S_FAILURE indicates a general error.
When the given NAME object is an MN this function MUST fail (with When the given NAME object is an MN this function MUST fail (with
GSS_S_FAILURE) if the mechanism for which the name is an MN does not GSS_S_FAILURE) if the mechanism for which the name is an MN does not
recognize the attribute name or the namespace it belomgs to. This is recognize the attribute name or the namespace it belongs to. This is
because name attributes generally have some semantics that mechanisms because name attributes generally have some semantics that mechanisms
must understand. must understand.
On the other hand, when the given name is not an MN this function MAY On the other hand, when the given name is not an MN this function MAY
succeed even if none of the available mechanisms understand the given succeed even if none of the available mechanisms understand the given
attribute, in which subsequent credential acquisition attempts (via attribute, in which subsequent credential acquisition attempts (via
GSS_Acquire_cred() or GSS_Add_cred()) with the resulting name MUST GSS_Acquire_cred() or GSS_Add_cred()) with the resulting name MUST
fail for mechanisms that do not understand any one or more name fail for mechanisms that do not understand any one or more name
attributes set with this function. Applications may wish to use a attributes set with this function. Applications may wish to use a
non-MN, then acquire a credential with that name as the desired name. non-MN, then acquire a credential with that name as the desired name.
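Review bot: The typo fix in "the namespace it belongs to" is fine, but the same hunk leaves a status-code inconsistency untouched: the major-status list says GSS_S_UNAVAILABLE "indicates that the given attribute NAME is not known or could not be set", while the following paragraph says that for an MN the function "MUST fail (with GSS_S_FAILURE) if the mechanism for which the name is an MN does not recognize the attribute name". Pick one code for the unknown-attribute case; an application that tests for GSS_S_UNAVAILABLE to decide whether an attribute is supported will misclassify the error under the current text. Two wording fixes in the non-MN paragraph: "in which subsequent credential acquisition attempts" is missing "case", and "fail for mechanisms that do not understand any one or more name attributes" is clearer as "fail for any mechanism that does not understand every name attribute set with this function".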
skipping to change at page 16, line 26 skipping to change at page 16, line 26
gss_release_buffer. gss_release_buffer.
OM_uint32 gss_export_name_composite( OM_uint32 gss_export_name_composite(
OM_uint32 *minor_status, OM_uint32 *minor_status,
gss_const_name_t name, gss_const_name_t name,
gss_buffer_t exp_composite_name gss_buffer_t exp_composite_name
); );
8. IANA Considerations 8. IANA Considerations
This specification has no actions for IANA.
This document creates a namespace of GSS-API name attributes. This document creates a namespace of GSS-API name attributes.
Attributes are named by URIs, so no single authority is technically Attributes are named by URIs, so no single authority is technically
needed for allocation. However future deployment experience may needed for allocation. However future deployment experience may
indicate the need for an IANA registry for URIs used to reference indicate the need for an IANA registry for URIs used to reference
names specified by IETF standards. It is expected that this will be names specified by IETF standards. It is expected that this will be
a registry of URNs but this document provides no further guidance on a registry of URNs but this document provides no further guidance on
this registry. this registry.
9. Security Considerations 9. Security Considerations
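Review bot: Dropping "This specification has no actions for IANA." removes a sentence that contradicted the paragraph after it, which is the right call, but the section now never states what IANA is asked to do. Add an explicit closing sentence, for example "This document requests no IANA actions at this time.", so IANA review has a definite answer while the note about a possible future URN registry stays. Separately, in the C binding just above, gss_export_name_composite takes a gss_const_name_t, which is one of the RFC 5587 types that 7.2 imports; a cross-reference to 7.2 at its first use would save readers from looking for the type in RFC 2744.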
skipping to change at page 17, line 38 skipping to change at page 17, line 40
10. References 10. References
10.1. Normative References 10.1. Normative References
[GFD.024] Argonne National Laboratory, National Center for [GFD.024] Argonne National Laboratory, National Center for
Supercomputing Applications, Argonne National Laboratory, Supercomputing Applications, Argonne National Laboratory,
and Argonne National Laboratory, "GSS-API Extensions", and Argonne National Laboratory, "GSS-API Extensions",
GFD GFD.024, June 2004. GFD GFD.024, June 2004.
[RFC2025] Adams, C., "The Simple Public-Key GSS-API Mechanism
(SPKM)", RFC 2025, October 1996.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2743] Linn, J., "Generic Security Service Application Program [RFC2743] Linn, J., "Generic Security Service Application Program
Interface Version 2, Update 1", RFC 2743, January 2000. Interface Version 2, Update 1", RFC 2743, January 2000.
[RFC2744] Wray, J., "Generic Security Service API Version 2 : [RFC2744] Wray, J., "Generic Security Service API Version 2 :
C-bindings", RFC 2744, January 2000. C-bindings", RFC 2744, January 2000.
[RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
Kerberos Network Authentication Service (V5)", RFC 4120,
July 2005.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, May 2008.
[RFC5587] Williams, N., "Extended Generic Security Service Mechanism [RFC5587] Williams, N., "Extended Generic Security Service Mechanism
Inquiry APIs", RFC 5587, July 2009. Inquiry APIs", RFC 5587, July 2009.
10.2. Informative References 10.2. Informative References
[OASIS.saml-core-2.0-os] [OASIS.saml-core-2.0-os]
Cantor, S., Kemp, J., Philpott, R., and E. Maler, Cantor, S., Kemp, J., Philpott, R., and E. Maler,
"Assertions and Protocol for the OASIS Security Assertion "Assertions and Protocol for the OASIS Security Assertion
Markup Language (SAML) V2.0", OASIS Standard saml-core- Markup Language (SAML) V2.0", OASIS Standard saml-core-
2.0-os, March 2005. 2.0-os, March 2005.
[RFC3061] Mealling, M., "A URN Namespace of Object Identifiers",
RFC 3061, February 2001.
[RFC4768] Hartman, S., "Desired Enhancements to Generic Security [RFC4768] Hartman, S., "Desired Enhancements to Generic Security
Services Application Program Interface (GSS-API) Version 3 Services Application Program Interface (GSS-API) Version 3
Naming", RFC 4768, December 2006. Naming", RFC 4768, December 2006.
Authors' Addresses Authors' Addresses
Nicolas Williams Nicolas Williams
Sun Microsystems
5300 Riata Trace Ct
Austin, TX 78727
US
Email: Nicolas.Williams@sun.com Email: nico@cryptonector.com
Leif Johansson Leif Johansson
Swedish University Network Swedish University Network
Thulegatan 11 Thulegatan 11
Stockholm Stockholm
Sweden Sweden
Email: leifj@sunet.se Email: leifj@sunet.se
URI: http://www.sunet.se URI: http://www.sunet.se
Sam Hartman Sam Hartman
Painless Security Painless Security
Phone: Phone:
Fax: Fax:
Email: hartmans-ietf@mit.edu Email: hartmans-ietf@mit.edu
URI: URI:
Simon Josefsson Simon Josefsson
SJD AB SJD AB
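Review bot: Removing [RFC2025], [RFC4120] and [RFC5280] from the normative list and [RFC3061] from the informative list is only correct if no citation to them survives in the -13 body, and none of the visible body hunks drops such a citation; please confirm with a search for "[RFC2025]", "[RFC4120]", "[RFC5280]" and "[RFC3061]" in the new text before the next revision. Two entries still need cleanup: the [GFD.024] author field reads "Argonne National Laboratory, National Center for Supercomputing Applications, Argonne National Laboratory, and Argonne National Laboratory", an organization list with a repeated entry rather than an author list, and the Hartman address block carries empty "Phone:", "Fax:" and "URI:" fields that should be deleted. The Williams block, now a bare name plus the cryptonector.com address, is consistent with the header dropping the Sun affiliation.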
 End of changes. 15 change blocks. 
29 lines changed or deleted 13 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/