| draft-josefsson-sasl-external-channel-03.txt | draft-josefsson-sasl-external-channel.txt | |||
|---|---|---|---|---|
| Network Working Group S. Josefsson | Network Working Group S. Josefsson | |||
| Internet-Draft SJD AB | Internet-Draft SJD AB | |||
| Intended status: Standards Track April 18, 2009 | Intended status: Standards Track May 25, 2009 | |||
| Expires: October 20, 2009 | Expires: November 26, 2009 | |||
| SASL Mechanism Family for External Authentication: EXTERNAL-* | SASL Mechanism Family for External Authentication: EXTERNAL-* | |||
| draft-josefsson-sasl-external-channel-03 | draft-josefsson-sasl-external-channel-04 | |||
| Status of this Memo | Status of this Memo | |||
| This Internet-Draft is submitted to IETF in full conformance with the | This Internet-Draft is submitted to IETF in full conformance with the | |||
| provisions of BCP 78 and BCP 79. This document may contain material | provisions of BCP 78 and BCP 79. This document may contain material | |||
| from IETF Documents or IETF Contributions published or made publicly | from IETF Documents or IETF Contributions published or made publicly | |||
| available before November 10, 2008. The person(s) controlling the | available before November 10, 2008. The person(s) controlling the | |||
| copyright in some of this material may not have granted the IETF | copyright in some of this material may not have granted the IETF | |||
| Trust the right to allow modifications of such material outside the | Trust the right to allow modifications of such material outside the | |||
| IETF Standards Process. Without obtaining an adequate license from | IETF Standards Process. Without obtaining an adequate license from | |||
| skipping to change at page 1, line 42 | skipping to change at page 1, line 42 | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on October 20, 2009. | This Internet-Draft will expire on November 26, 2009. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2009 IETF Trust and the persons identified as the | Copyright (c) 2009 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents in effect on the date of | Provisions Relating to IETF Documents in effect on the date of | |||
| publication of this document (http://trustee.ietf.org/license-info). | publication of this document (http://trustee.ietf.org/license-info). | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| skipping to change at page 5, line 40 | skipping to change at page 5, line 40 | |||
| ;; as defined in RFC 3629. | ;; as defined in RFC 3629. | |||
| UTF8-1-no-nul = %x01-7F | UTF8-1-no-nul = %x01-7F | |||
| There are no additional challenges and responses. | There are no additional challenges and responses. | |||
| Hence, the server is to return the outcome of the authentication | Hence, the server is to return the outcome of the authentication | |||
| exchange. | exchange. | |||
| The external security channel to use is implied by the SASL mechanism | The external security channel to use is implied by the SASL mechanism | |||
| name. | name. The channel has to be uniquely identifiable at both cliend and | |||
| server side. This means that mechanisms registered in this family | ||||
| MUST detail which channel should be chosen if there are layered | ||||
| channels of the same type. | ||||
| The exchange fails if | The exchange fails if | |||
| - the client has not established its credentials via the indicated | - the client has not established its credentials via the indicated | |||
| external channel, | external channel, | |||
| - the client's credentials are inadequate, | - the client's credentials are inadequate, | |||
| - the client provided an empty authorization identity string and the | - the client provided an empty authorization identity string and the | |||
| server is unwilling or unable to associate an authorization identity | server is unwilling or unable to associate an authorization identity | |||
| with the client's credentials, | with the client's credentials, | |||
| - the client provided a non-empty authorization identity string that | - the client provided a non-empty authorization identity string that | |||
| is invalid per the syntax requirements of the applicable application | is invalid per the syntax requirements of the applicable application | |||
| protocol specification, | protocol specification, | |||
| - the client provided a non-empty authorization identity string | - the client provided a non-empty authorization identity string | |||
| representing an identity that the client is not allowed to act as, or | representing an identity that the client is not allowed to act as, or | |||
| - the server is unwilling or unable to provide service to the client | - the server is unwilling or unable to provide service to the client | |||
| for any other reason. | for any other reason. | |||
| skipping to change at page 9, line 9 | skipping to change at page 9, line 12 | |||
| While this registration procedure does not require expert review, | While this registration procedure does not require expert review, | |||
| authors of SASL mechanisms are encouraged to seek community review | authors of SASL mechanisms are encouraged to seek community review | |||
| and comment whenever that is feasible. Authors may seek community | and comment whenever that is feasible. Authors may seek community | |||
| review by posting a specification of their proposed mechanism as an | review by posting a specification of their proposed mechanism as an | |||
| Internet-Draft. SASL mechanisms intended for widespread use should | Internet-Draft. SASL mechanisms intended for widespread use should | |||
| be standardized through the normal IETF process, when appropriate. | be standardized through the normal IETF process, when appropriate. | |||
| 7. Security Considerations | 7. Security Considerations | |||
| The security of external channel is critical to the security of this | The security of external channel is critical to the security of this | |||
| mechanism. It is important that the client authentication that | mechanism. It is important that the client authentication provided | |||
| occurs in the outer security channel is cryptographically bound to | by the security channel is securely bound to any confidentiality or | |||
| the confidentiality or integrity services that protects the security | integrity services that protects the security channel. | |||
| channel. | ||||
| The EXTERNAL-* mechanism family does not authenticate clients itself, | The EXTERNAL-* mechanism family does not authenticate clients itself, | |||
| it relies on implementation to perform the authentication as part of | it relies on implementation to perform the authentication as part of | |||
| the external channel. Care must be taken to ensure that the client | the external channel. Care must be taken to ensure that the client | |||
| credential has been authenticated, rather than just blindly accepted | credential has been authenticated, rather than just blindly accepted | |||
| as part of a leap-of-faith setup. | as part of a leap-of-faith setup. | |||
| 8. Acknowledgements | 8. Acknowledgements | |||
| Significant amount of text in this document is copied from SASL | Significant amount of text in this document is copied from SASL | |||
| skipping to change at page 10, line 5 | skipping to change at page 9, line 48 | |||
| [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO | [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO | |||
| 10646", STD 63, RFC 3629, November 2003. | 10646", STD 63, RFC 3629, November 2003. | |||
| [RFC4422] Melnikov, A. and K. Zeilenga, "Simple Authentication and | [RFC4422] Melnikov, A. and K. Zeilenga, "Simple Authentication and | |||
| Security Layer (SASL)", RFC 4422, June 2006. | Security Layer (SASL)", RFC 4422, June 2006. | |||
| [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax | [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax | |||
| Specifications: ABNF", STD 68, RFC 5234, January 2008. | Specifications: ABNF", STD 68, RFC 5234, January 2008. | |||
| [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | ||||
| (TLS) Protocol Version 1.2", RFC 5246, August 2008. | ||||
| 9.2. Informative References | 9.2. Informative References | |||
| [RFC2244] Newman, C. and J. Myers, "ACAP -- Application | [RFC2244] Newman, C. and J. Myers, "ACAP -- Application | |||
| Configuration Access Protocol", RFC 2244, November 1997. | Configuration Access Protocol", RFC 2244, November 1997. | |||
| [RFC4301] Kent, S. and K. Seo, "Security Architecture for the | [RFC4301] Kent, S. and K. Seo, "Security Architecture for the | |||
| Internet Protocol", RFC 4301, December 2005. | Internet Protocol", RFC 4301, December 2005. | |||
| [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | ||||
| (TLS) Protocol Version 1.2", RFC 5246, August 2008. | ||||
| [RFC5054] Taylor, D., Wu, T., Mavrogiannopoulos, N., and T. Perrin, | [RFC5054] Taylor, D., Wu, T., Mavrogiannopoulos, N., and T. Perrin, | |||
| "Using the Secure Remote Password (SRP) Protocol for TLS | "Using the Secure Remote Password (SRP) Protocol for TLS | |||
| Authentication", RFC 5054, November 2007. | Authentication", RFC 5054, November 2007. | |||
| [RFC5081] Mavrogiannopoulos, N., "Using OpenPGP Keys for Transport | [RFC5081] Mavrogiannopoulos, N., "Using OpenPGP Keys for Transport | |||
| Layer Security (TLS) Authentication", RFC 5081, | Layer Security (TLS) Authentication", RFC 5081, | |||
| November 2007. | November 2007. | |||
| [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an | [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an | |||
| IANA Considerations Section in RFCs", BCP 26, RFC 5226, | IANA Considerations Section in RFCs", BCP 26, RFC 5226, | |||
| End of changes. 9 change blocks. | ||||
| 13 lines changed or deleted | 15 lines changed or added | |||
This html diff was produced by rfcdiff 1.29, available from http://www.levkowetz.com/ietf/tools/rfcdiff/ | ||||