draft-ietf-kitten-sasl-saml-ec-15.txt | draft-ietf-kitten-sasl-saml-ec-16.txt | |||
---|---|---|---|---|
Network Working Group S. Cantor | Network Working Group S. Cantor | |||
Internet-Draft Shibboleth Consortium | Internet-Draft Shibboleth Consortium | |||
Intended status: Standards Track S. Josefsson | Intended status: Standards Track S. Josefsson | |||
Expires: October 26, 2017 SJD AB | Expires: April 27, 2018 SJD AB | |||
April 24, 2017 | October 24, 2017 | |||
SAML Enhanced Client SASL and GSS-API Mechanisms | SAML Enhanced Client SASL and GSS-API Mechanisms | |||
draft-ietf-kitten-sasl-saml-ec-15.txt | draft-ietf-kitten-sasl-saml-ec-16.txt | |||
Abstract | Abstract | |||
Security Assertion Markup Language (SAML) 2.0 is a generalized | Security Assertion Markup Language (SAML) 2.0 is a generalized | |||
framework for the exchange of security-related information between | framework for the exchange of security-related information between | |||
asserting and relying parties. Simple Authentication and Security | asserting and relying parties. Simple Authentication and Security | |||
Layer (SASL) and the Generic Security Service Application Program | Layer (SASL) and the Generic Security Service Application Program | |||
Interface (GSS-API) are application frameworks to facilitate an | Interface (GSS-API) are application frameworks to facilitate an | |||
extensible authentication model. This document specifies a SASL and | extensible authentication model. This document specifies a SASL and | |||
GSS-API mechanism for SAML 2.0 that leverages the capabilities of a | GSS-API mechanism for SAML 2.0 that leverages the capabilities of a | |||
[unchanged text omitted; resuming at page 1, line 34] | [unchanged text omitted; resuming at page 1, line 34] | |||
scenarios. | scenarios. | |||
Status of This Memo | Status of This Memo | |||
This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on October 26, 2017. | This Internet-Draft will expire on April 27, 2018. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2017 IETF Trust and the persons identified as the | Copyright (c) 2017 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(http://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
described in the Simplified BSD License. | described in the Simplified BSD License. | |||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
[unchanged text omitted; resuming at page 28, line 32] | [unchanged text omitted; resuming at page 28, line 32] | |||
[OASIS.saml-profiles-2.0-os] | [OASIS.saml-profiles-2.0-os] | |||
Hughes, J., Cantor, S., Hodges, J., Hirsch, F., Mishra, | Hughes, J., Cantor, S., Hodges, J., Hirsch, F., Mishra, | |||
P., Philpott, R., and E. Maler, "Profiles for the OASIS | P., Philpott, R., and E. Maler, "Profiles for the OASIS | |||
Security Assertion Markup Language (SAML) V2.0", OASIS | Security Assertion Markup Language (SAML) V2.0", OASIS | |||
Standard OASIS.saml-profiles-2.0-os, March 2005. | Standard OASIS.saml-profiles-2.0-os, March 2005. | |||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
<http://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
[RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., | [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., | |||
Leach, P., Luotonen, A., and L. Stewart, "HTTP | Leach, P., Luotonen, A., and L. Stewart, "HTTP | |||
Authentication: Basic and Digest Access Authentication", | Authentication: Basic and Digest Access Authentication", | |||
RFC 2617, DOI 10.17487/RFC2617, June 1999, | RFC 2617, DOI 10.17487/RFC2617, June 1999, | |||
<http://www.rfc-editor.org/info/rfc2617>. | <https://www.rfc-editor.org/info/rfc2617>. | |||
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform | [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform | |||
Resource Identifier (URI): Generic Syntax", STD 66, | Resource Identifier (URI): Generic Syntax", STD 66, | |||
RFC 3986, DOI 10.17487/RFC3986, January 2005, | RFC 3986, DOI 10.17487/RFC3986, January 2005, | |||
<http://www.rfc-editor.org/info/rfc3986>. | <https://www.rfc-editor.org/info/rfc3986>. | |||
[RFC4422] Melnikov, A., Ed. and K. Zeilenga, Ed., "Simple | [RFC4422] Melnikov, A., Ed. and K. Zeilenga, Ed., "Simple | |||
Authentication and Security Layer (SASL)", RFC 4422, | Authentication and Security Layer (SASL)", RFC 4422, | |||
DOI 10.17487/RFC4422, June 2006, | DOI 10.17487/RFC4422, June 2006, | |||
<http://www.rfc-editor.org/info/rfc4422>. | <https://www.rfc-editor.org/info/rfc4422>. | |||
[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data | [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data | |||
Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006, | Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006, | |||
<http://www.rfc-editor.org/info/rfc4648>. | <https://www.rfc-editor.org/info/rfc4648>. | |||
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | |||
(TLS) Protocol Version 1.2", RFC 5246, | (TLS) Protocol Version 1.2", RFC 5246, | |||
DOI 10.17487/RFC5246, August 2008, | DOI 10.17487/RFC5246, August 2008, | |||
<http://www.rfc-editor.org/info/rfc5246>. | <https://www.rfc-editor.org/info/rfc5246>. | |||
[SAMLECP20] | [SAMLECP20] | |||
Cantor, S., "SAML V2.0 Enhanced Client or Proxy Profile | Cantor, S., "SAML V2.0 Enhanced Client or Proxy Profile | |||
Version 2.0", OASIS Committee Specification OASIS.sstc- | Version 2.0", OASIS Committee Specification OASIS.sstc- | |||
saml-ecp-v2.0-cs01, August 2013. | saml-ecp-v2.0-cs01, August 2013. | |||
[W3C.soap11] | [W3C.soap11] | |||
Box, D., Ehnebuske, D., Kakivaya, G., Layman, A., | Box, D., Ehnebuske, D., Kakivaya, G., Layman, A., | |||
Mendelsohn, N., Nielsen, H., Thatte, S., and D. Winer, | Mendelsohn, N., Nielsen, H., Thatte, S., and D. Winer, | |||
"Simple Object Access Protocol (SOAP) 1.1", W3C | "Simple Object Access Protocol (SOAP) 1.1", W3C | |||
Note soap11, May 2000, <http://www.w3.org/TR/SOAP/>. | Note soap11, May 2000, <http://www.w3.org/TR/SOAP/>. | |||
9.2. Normative References for GSS-API Implementers | 9.2. Normative References for GSS-API Implementers | |||
[RFC2743] Linn, J., "Generic Security Service Application Program | [RFC2743] Linn, J., "Generic Security Service Application Program | |||
Interface Version 2, Update 1", RFC 2743, | Interface Version 2, Update 1", RFC 2743, | |||
DOI 10.17487/RFC2743, January 2000, | DOI 10.17487/RFC2743, January 2000, | |||
<http://www.rfc-editor.org/info/rfc2743>. | <https://www.rfc-editor.org/info/rfc2743>. | |||
[RFC3961] Raeburn, K., "Encryption and Checksum Specifications for | [RFC3961] Raeburn, K., "Encryption and Checksum Specifications for | |||
Kerberos 5", RFC 3961, DOI 10.17487/RFC3961, February | Kerberos 5", RFC 3961, DOI 10.17487/RFC3961, February | |||
2005, <http://www.rfc-editor.org/info/rfc3961>. | 2005, <https://www.rfc-editor.org/info/rfc3961>. | |||
[RFC3962] Raeburn, K., "Advanced Encryption Standard (AES) | [RFC3962] Raeburn, K., "Advanced Encryption Standard (AES) | |||
Encryption for Kerberos 5", RFC 3962, | Encryption for Kerberos 5", RFC 3962, | |||
DOI 10.17487/RFC3962, February 2005, | DOI 10.17487/RFC3962, February 2005, | |||
<http://www.rfc-editor.org/info/rfc3962>. | <https://www.rfc-editor.org/info/rfc3962>. | |||
[RFC4121] Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos | [RFC4121] Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos | |||
Version 5 Generic Security Service Application Program | Version 5 Generic Security Service Application Program | |||
Interface (GSS-API) Mechanism: Version 2", RFC 4121, | Interface (GSS-API) Mechanism: Version 2", RFC 4121, | |||
DOI 10.17487/RFC4121, July 2005, | DOI 10.17487/RFC4121, July 2005, | |||
<http://www.rfc-editor.org/info/rfc4121>. | <https://www.rfc-editor.org/info/rfc4121>. | |||
[RFC4401] Williams, N., "A Pseudo-Random Function (PRF) API | [RFC4401] Williams, N., "A Pseudo-Random Function (PRF) API | |||
Extension for the Generic Security Service Application | Extension for the Generic Security Service Application | |||
Program Interface (GSS-API)", RFC 4401, | Program Interface (GSS-API)", RFC 4401, | |||
DOI 10.17487/RFC4401, February 2006, | DOI 10.17487/RFC4401, February 2006, | |||
<http://www.rfc-editor.org/info/rfc4401>. | <https://www.rfc-editor.org/info/rfc4401>. | |||
[RFC4402] Williams, N., "A Pseudo-Random Function (PRF) for the | [RFC4402] Williams, N., "A Pseudo-Random Function (PRF) for the | |||
Kerberos V Generic Security Service Application Program | Kerberos V Generic Security Service Application Program | |||
Interface (GSS-API) Mechanism", RFC 4402, | Interface (GSS-API) Mechanism", RFC 4402, | |||
DOI 10.17487/RFC4402, February 2006, | DOI 10.17487/RFC4402, February 2006, | |||
<http://www.rfc-editor.org/info/rfc4402>. | <https://www.rfc-editor.org/info/rfc4402>. | |||
[RFC5554] Williams, N., "Clarifications and Extensions to the | [RFC5554] Williams, N., "Clarifications and Extensions to the | |||
Generic Security Service Application Program Interface | Generic Security Service Application Program Interface | |||
(GSS-API) for the Use of Channel Bindings", RFC 5554, | (GSS-API) for the Use of Channel Bindings", RFC 5554, | |||
DOI 10.17487/RFC5554, May 2009, | DOI 10.17487/RFC5554, May 2009, | |||
<http://www.rfc-editor.org/info/rfc5554>. | <https://www.rfc-editor.org/info/rfc5554>. | |||
[RFC5801] Josefsson, S. and N. Williams, "Using Generic Security | [RFC5801] Josefsson, S. and N. Williams, "Using Generic Security | |||
Service Application Program Interface (GSS-API) Mechanisms | Service Application Program Interface (GSS-API) Mechanisms | |||
in Simple Authentication and Security Layer (SASL): The | in Simple Authentication and Security Layer (SASL): The | |||
GS2 Mechanism Family", RFC 5801, DOI 10.17487/RFC5801, | GS2 Mechanism Family", RFC 5801, DOI 10.17487/RFC5801, | |||
July 2010, <http://www.rfc-editor.org/info/rfc5801>. | July 2010, <https://www.rfc-editor.org/info/rfc5801>. | |||
[RFC6680] Williams, N., Johansson, L., Hartman, S., and S. | [RFC6680] Williams, N., Johansson, L., Hartman, S., and S. | |||
Josefsson, "Generic Security Service Application | Josefsson, "Generic Security Service Application | |||
Programming Interface (GSS-API) Naming Extensions", | Programming Interface (GSS-API) Naming Extensions", | |||
RFC 6680, DOI 10.17487/RFC6680, August 2012, | RFC 6680, DOI 10.17487/RFC6680, August 2012, | |||
<http://www.rfc-editor.org/info/rfc6680>. | <https://www.rfc-editor.org/info/rfc6680>. | |||
[RFC7056] Hartman, S. and J. Howlett, "Name Attributes for the GSS- | [RFC7056] Hartman, S. and J. Howlett, "Name Attributes for the GSS- | |||
API Extensible Authentication Protocol (EAP) Mechanism", | API Extensible Authentication Protocol (EAP) Mechanism", | |||
RFC 7056, DOI 10.17487/RFC7056, December 2013, | RFC 7056, DOI 10.17487/RFC7056, December 2013, | |||
<http://www.rfc-editor.org/info/rfc7056>. | <https://www.rfc-editor.org/info/rfc7056>. | |||
9.3. Informative References | 9.3. Informative References | |||
[OASIS.saml-metadata-2.0-os] | [OASIS.saml-metadata-2.0-os] | |||
Cantor, S., Moreh, J., Philpott, R., and E. Maler, | Cantor, S., Moreh, J., Philpott, R., and E. Maler, | |||
"Metadata for the Security Assertion Markup Language | "Metadata for the Security Assertion Markup Language | |||
(SAML) V2.0", OASIS Standard saml-metadata-2.0-os, March | (SAML) V2.0", OASIS Standard saml-metadata-2.0-os, March | |||
2005. | 2005. | |||
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., | [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., | |||
Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext | Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext | |||
Transfer Protocol -- HTTP/1.1", RFC 2616, | Transfer Protocol -- HTTP/1.1", RFC 2616, | |||
DOI 10.17487/RFC2616, June 1999, | DOI 10.17487/RFC2616, June 1999, | |||
<http://www.rfc-editor.org/info/rfc2616>. | <https://www.rfc-editor.org/info/rfc2616>. | |||
[RFC3920] Saint-Andre, P., Ed., "Extensible Messaging and Presence | [RFC3920] Saint-Andre, P., Ed., "Extensible Messaging and Presence | |||
Protocol (XMPP): Core", RFC 3920, DOI 10.17487/RFC3920, | Protocol (XMPP): Core", RFC 3920, DOI 10.17487/RFC3920, | |||
October 2004, <http://www.rfc-editor.org/info/rfc3920>. | October 2004, <https://www.rfc-editor.org/info/rfc3920>. | |||
[RFC4559] Jaganathan, K., Zhu, L., and J. Brezak, "SPNEGO-based | [RFC4559] Jaganathan, K., Zhu, L., and J. Brezak, "SPNEGO-based | |||
Kerberos and NTLM HTTP Authentication in Microsoft | Kerberos and NTLM HTTP Authentication in Microsoft | |||
Windows", RFC 4559, DOI 10.17487/RFC4559, June 2006, | Windows", RFC 4559, DOI 10.17487/RFC4559, June 2006, | |||
<http://www.rfc-editor.org/info/rfc4559>. | <https://www.rfc-editor.org/info/rfc4559>. | |||
[W3C.REC-xmlschema-1] | [W3C.REC-xmlschema-1] | |||
Thompson, H., Beech, D., Maloney, M., and N. Mendelsohn, | Thompson, H., Beech, D., Maloney, M., and N. Mendelsohn, | |||
"XML Schema Part 1: Structures", W3C REC-xmlschema-1, May | "XML Schema Part 1: Structures", W3C REC-xmlschema-1, May | |||
2001, <http://www.w3.org/TR/xmlschema-1/>. | 2001, <http://www.w3.org/TR/xmlschema-1/>. | |||
[WSS-SAML] | [WSS-SAML] | |||
Monzillo, R., "Web Services Security SAML Token Profile | Monzillo, R., "Web Services Security SAML Token Profile | |||
Version 1.1.1", OASIS Standard OASIS.wss-SAMLTokenProfile, | Version 1.1.1", OASIS Standard OASIS.wss-SAMLTokenProfile, | |||
May 2012. | May 2012. | |||
[unchanged text omitted; resuming at page 33, line 14] | [unchanged text omitted; resuming at page 33, line 14] | |||
Appendix B. Acknowledgments | Appendix B. Acknowledgments | |||
The authors would like to thank Klaas Wierenga, Sam Hartman, Nico | The authors would like to thank Klaas Wierenga, Sam Hartman, Nico | |||
Williams, Jim Basney, and Venkat Yekkirala for their contributions. | Williams, Jim Basney, and Venkat Yekkirala for their contributions. | |||
Appendix C. Changes | Appendix C. Changes | |||
This section to be removed prior to publication. | This section to be removed prior to publication. | |||
| o 15,16, avoid expiration | |||
o 14, address some minor comments | o 14, address some minor comments | |||
o 13, clarify SAML metadata usage, adding a recommended Binding | o 13, clarify SAML metadata usage, adding a recommended Binding | |||
value alongside the backward-compatibility usage of PAOS | value alongside the backward-compatibility usage of PAOS | |||
o 12, clarifying comments based on WG feedback, with a normative | o 12, clarifying comments based on WG feedback, with a normative | |||
change to use enctype numbers instead of names | change to use enctype numbers instead of names | |||
o 11, update EAP Naming reference to RFC | o 11, update EAP Naming reference to RFC | |||
[unchanged text omitted; resuming at page 34, line 12] | [unchanged text omitted; resuming at page 34, line 12] | |||
o 01, SSH language added, noted non-assumption of HTTP error | o 01, SSH language added, noted non-assumption of HTTP error | |||
handling, added guidance on life of security context. | handling, added guidance on life of security context. | |||
o 00, Initial Revision, first WG-adopted draft. Removed support for | o 00, Initial Revision, first WG-adopted draft. Removed support for | |||
unsolicited SAML responses. | unsolicited SAML responses. | |||
Authors' Addresses | Authors' Addresses | |||
Scott Cantor | Scott Cantor | |||
Shibboleth Consortium | Shibboleth Consortium | |||
2740 Airport Drive | 1050 Carmack Rd | |||
Columbus, Ohio 43219 | Columbus, Ohio 43212 | |||
United States | United States | |||
Phone: +1 614 247 6147 | Phone: +1 614 247 6147 | |||
Email: cantor.2@osu.edu | Email: cantor.2@osu.edu | |||
Simon Josefsson | Simon Josefsson | |||
SJD AB | SJD AB | |||
Hagagatan 24 | Hagagatan 24 | |||
Stockholm 113 47 | Stockholm 113 47 | |||
SE | SE | |||
End of changes: 26 change blocks. | | |||
27 lines changed or deleted | 29 lines changed or added | |||
This HTML diff was produced by rfcdiff 1.46; the latest version is available from http://tools.ietf.org/tools/rfcdiff/. | | |||