rfcdiff: draft-ietf-kitten-gssapi-naming-exts-13.txt (old, "-13") vs. draft-ietf-kitten-gssapi-naming-exts-14.txt (new, "-14")

KITTEN WORKING GROUP                                         N. Williams
Internet-Draft                              Cryptonector, LLC (added in -14)
Intended status: Standards Track                            L. Johansson
Expires: September 12, 2012 (-13) / September 28, 2012 (-14)       SUNET
                                                              S. Hartman
                                                       Painless Security
                                                            S. Josefsson
                                                                  SJD AB
                                 March 11, 2012 (-13) / March 27, 2012 (-14)

                        GSS-API Naming Extensions
      draft-ietf-kitten-gssapi-naming-exts-13 (-13) / draft-ietf-kitten-gssapi-naming-exts-14 (-14)
Abstract

   The Generic Security Services API (GSS-API) provides a simple naming
   architecture that supports name-based authorization.  This document
   introduces new APIs that extend the GSS-API naming model to support
   name attribute transfer between GSS-API peers.
Status of this Memo

   [unchanged text skipped to page 1, line 38]

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 12, 2012 (-13) / September 28, 2012 (-14).

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   [unchanged text skipped to page 3, line 32]

   7.6.  GSS_Set_name_attribute() . . . . . . . . . . . . . . . . . 12
     7.6.1.  C-Bindings . . . . . . . . . . . . . . . . . . . . . . 14
   7.7.  GSS_Delete_name_attribute() . . . . . . . . . . . . . . . 14
     7.7.1.  C-Bindings . . . . . . . . . . . . . . . . . . . . . . 15
   7.8.  GSS_Export_name_composite() . . . . . . . . . . . . . . . 15
     7.8.1.  C-Bindings . . . . . . . . . . . . . . . . . . . . . . 16
   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . 16
   9.  Security Considerations . . . . . . . . . . . . . . . . . . 16
   10.  References . . . . . . . . . . . . . . . . . . . . . . . . 17
     10.1.  Normative References . . . . . . . . . . . . . . . . . 17
     10.2.  Informative References . . . . . . . . . . . . . . . . 18 (-13) / 17 (-14)
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 18
1.  Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Introduction
   [unchanged text skipped to page 8, line 4]

   than one component in an attribute name, the more significant
   components define the semantics of the less significant components.

   Attribute names are represented as OCTET STRING elements in the API
   described below.  These attribute names have syntax and semantics
   that are understood by the application and by the lower-layer
   implementations (some of which are described below).

   Old text (-13):

   If an attribute name contains a space (ASCII 0x20), the first space
   separates the most significant or primary component of the name from
   the remainder.  If there is no space, the primary component is the
   entire name, otherwise it defines the interpretation of the remainder
   of the name.

   If the primary component contains an ASCII : (0x3a), then the primary
   component is a URI.  Otherwise, the attribute is a local attribute
   and the primary component has meaning to the implementation of GSS-
   API or to the specific configuration of the application.  At this
   time, local attribute names are not standardized; there is debate
   about whether such standardization will be useful.  Any future
   standardizations will need to balance potential problems resulting
   from attribute names used before standardization.

   A sufficient prefix of attribute names needs to be dictated by a
   mechanism in order to describe the context.  For example it would be
   problematic to represent SAML attribute names as the name format URI,
   a space, and the remainder of the name.  A carefully crafted SAML
   assertion could appear to be a name from another mechanism or raw
   context.  Typically a SAML attribute name would include a prefix
   describing the trust model and other context of the attribute name.

   New text (-14):

   If an attribute name contains a space (ASCII 0x20), the first space
   separates the most significant or primary component of the name from
   the remainder.  We may refer to the primary component of the
   attribute name as the attribute name's "prefix".  If there is no
   space, the primary component is the entire name, otherwise it defines
   the interpretation of the remainder of the name.

   If the primary component contains an ASCII : (0x3a), then the primary
   component is a URI.  Otherwise, the attribute is a local attribute
   and the primary component has meaning to the implementation of GSS-
   API or to the specific configuration of the application.  Local
   attribute names with an at-sign ('@') in them are reserved for future
   allocation by the IETF.

   Since attribute names are split at the first space into prefix and
   suffix, there is a potential for ambiguity if a mechanism blindly
   passes through a name attribute whose name it does not understand.
   In order to prevent such ambiguities the mechanism MUST always prefix
   raw name attributes with a prefix that reflects the context of the
   attribute.

   Unchanged in both versions:

   Local attribute names under the control of an administrator or a
   sufficiently trusted part of the platform need not have a prefix to
   describe context.
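   As an added illustration (not part of the draft or of any GSS-API
   implementation), the following C helper applies the -14 parsing rules
   to a length-delimited attribute name: split at the first space, treat
   a primary component containing ':' as a URI, and flag local names
   containing '@' as IETF-reserved.  The names attr_kind, attr_name and
   parse_attr_name are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Classification of a name attribute's primary component (prefix). */
enum attr_kind {
    ATTR_URI,            /* prefix contains ASCII ':' (0x3a): it is a URI */
    ATTR_LOCAL,          /* local attribute: meaning is implementation-defined */
    ATTR_LOCAL_RESERVED  /* local name containing '@': reserved to the IETF */
};

/* Hypothetical helper type, not from the draft or any GSS-API library. */
struct attr_name {
    const unsigned char *prefix;   /* primary component */
    size_t prefix_len;
    const unsigned char *suffix;   /* remainder after the first space, or NULL */
    size_t suffix_len;
    enum attr_kind kind;
};

/* Split an OCTET STRING attribute name at the first ASCII space (0x20) and
 * classify the prefix.  The buffer is length-delimited because attribute
 * names are octet strings, not C strings.  Returns 0 on success, -1 when
 * the name is empty or has no primary component (leading space). */
int parse_attr_name(const unsigned char *name, size_t len, struct attr_name *out)
{
    const unsigned char *sp;

    if (name == NULL || out == NULL || len == 0)
        return -1;

    sp = memchr(name, 0x20, len);
    out->prefix = name;
    out->prefix_len = sp ? (size_t)(sp - name) : len;
    out->suffix = sp ? sp + 1 : NULL;
    out->suffix_len = sp ? len - out->prefix_len - 1 : 0;
    if (out->prefix_len == 0)
        return -1;

    if (memchr(out->prefix, 0x3a, out->prefix_len) != NULL) {
        out->kind = ATTR_URI;
    } else if (memchr(name, '@', len) != NULL) {
        /* "local attribute names with an at-sign in them": read here as
         * applying to the whole name, which is an interpretation. */
        out->kind = ATTR_LOCAL_RESERVED;
    } else {
        out->kind = ATTR_LOCAL;
    }
    return 0;
}
```

   A mechanism that passes through attributes it does not understand
   would prepend its own context prefix and a space before handing the
   name to this kind of parser, so the suffix is interpreted only under
   that prefix.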
7.  API

7.1.  SET OF OCTET STRING

   The construct SET OF OCTET STRING occurs once in RFC 2743 [RFC2743]

   [unchanged text skipped to page 18, line 20 (-13) / line 16 (-14)]

              Markup Language (SAML) V2.0", OASIS Standard saml-core-
              2.0-os, March 2005.

   [RFC4768]  Hartman, S., "Desired Enhancements to Generic Security
              Services Application Program Interface (GSS-API) Version 3
              Naming", RFC 4768, December 2006.
Authors' Addresses

   Nicolas Williams
   Cryptonector, LLC (added in -14)

   Email: nico@cryptonector.com

   Leif Johansson
   Swedish University Network
   Thulegatan 11
   Stockholm
   Sweden

   Email: leifj@sunet.se
End of changes.  10 change blocks.
21 lines changed or deleted, 20 lines changed or added.

This html diff was produced by rfcdiff 1.41.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/