draft-ietf-kitten-krb5-gssapi-prf-01.txt   draft-ietf-kitten-krb5-gssapi-prf-02.txt 
NETWORK WORKING GROUP N. Williams NETWORK WORKING GROUP N. Williams
Internet-Draft Sun Internet-Draft Sun
Expires: December 30, 2004 July 2004 Expires: December 30, 2004 July 2004
A PRF for the Kerberos V GSS-API Mechanism A PRF for the Kerberos V GSS-API Mechanism
draft-ietf-kitten-krb5-gssapi-prf-01.txt draft-ietf-kitten-krb5-gssapi-prf-02.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, I certify that any applicable By submitting this Internet-Draft, I certify that any applicable
patent or other IPR claims of which I am aware have been disclosed, patent or other IPR claims of which I am aware have been disclosed,
and any of which I become aware will be disclosed, in accordance with and any of which I become aware will be disclosed, in accordance with
RFC 3668. RFC 3668.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
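Review bot: The header still reads "Expires: December 30, 2004" and "July 2004" on both sides, although the filename moves from -01 to -02. If -02 is a new submission, its document date and expiry should be updated along with the revision number, so that readers can tell the two revisions apart by date.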
skipping to change at page 4, line 13 skipping to change at page 4, line 13
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
2. Kerberos V GSS Mechanism PRF 2. Kerberos V GSS Mechanism PRF
The GSS-API PRF [GSS-PRF] function for the Kerberos V mechanism [CFX] The GSS-API PRF [GSS-PRF] function for the Kerberos V mechanism [CFX]
shall be the output of a PRF+ function based on the enctype's PRF shall be the output of a PRF+ function based on the enctype's PRF
function keyed with the negotiated session key of the security function keyed with the negotiated session key of the security
context and key usage X (TBD). context and key usage X (TBD).
The security context MUST be fully established, else the mechanism The security context MUST be fully established, else the mechanism
MUST fail with GSS_S_FAILURE as the major status code and MUST fail with GSS_S_UNAVAILABLE as the major status code and
GSS_KRB5_S_KG_CTX_INCOMPLETE as the minor status code. GSS_KRB5_S_KG_CTX_INCOMPLETE as the minor status code.
This PRF+ MUST be keyed with a key derived, with key usage (TBD), This PRF+ MUST be keyed with a key derived, with key usage (TBD),
from the session used by the initiator and acceptor, after the from the session used by the initiator and acceptor, after the
security context is fully established, to derive keys for per-message security context is fully established, to derive keys for per-message
tokens. For the current Kerberos V mechanism [CFX] this means that tokens. For the current Kerberos V mechanism [CFX] this means that
the PRF+ MUST be keyed with the acceptor-asserted subkey, if it did the PRF+ MUST be keyed with the acceptor-asserted subkey, if it did
assert such a key, or the initiator's sub-session key otherwise. assert such a key, or the initiator's sub-session key otherwise.
The PRF+ function is a simple counter-based extension of the Kerberos The PRF+ function is a simple counter-based extension of the Kerberos
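Review bot: The key usage is still unassigned in -02, and it is written two ways: "key usage X (TBD)" in the first paragraph of section 2 and "key usage (TBD)" in the paragraph on keying the PRF+. Two implementations cannot derive the same PRF+ key until one value is fixed, so assign it, or at least use the same placeholder in both places. Those two paragraphs also describe the keying differently (the session key directly versus a key derived from it) and should be reconciled. In the same paragraph, "from the session used by the initiator and acceptor" appears to be missing the word "key". On the one changed line, the major status moves from GSS_S_FAILURE to GSS_S_UNAVAILABLE while the minor status stays GSS_KRB5_S_KG_CTX_INCOMPLETE. A sentence giving the reason for the change would help callers that currently test for GSS_S_FAILURE on an incomplete context.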
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/