rfcdiff: draft-ietf-sasl-gs2.txt vs. rfc5801.txt

Old (draft-ietf-sasl-gs2-21):

Network Working Group                                       S. Josefsson
Internet-Draft                                                    SJD AB
Intended status: Standards Track                             N. Williams
Expires: January 14, 2011                                         Oracle
                                                           July 13, 2010

   Using Generic Security Service Application Program Interface (GSS-API)
   Mechanisms in Simple Authentication and Security Layer (SASL): The GS2
                            Mechanism Family
                         draft-ietf-sasl-gs2-21

New (RFC 5801):

Internet Engineering Task Force (IETF)                      S. Josefsson
Request for Comments: 5801                                        SJD AB
Category: Standards Track                                    N. Williams
ISSN: 2070-1721                                                   Oracle
                                                               July 2010

   Using Generic Security Service Application Program Interface (GSS-API)
        Mechanisms in Simple Authentication and Security Layer (SASL):
                         The GS2 Mechanism Family
Abstract

   This document describes how to use a Generic Security Service
   Application Program Interface (GSS-API) mechanism in the Simple
   Authentication and Security Layer (SASL) framework.  This is done by
   defining a new SASL mechanism family, called GS2.  This mechanism
   family offers a number of improvements over the previous "SASL/
   GSSAPI" mechanism: it is more general, uses fewer messages for the
   authentication phase in some cases, and supports negotiable use of
   channel binding.  Only GSS-API mechanisms that support channel
   binding and mutual authentication are supported.
Status of This Memo

Old (draft-ietf-sasl-gs2-21):

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 14, 2011.

New (RFC 5801):

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc5801.
Copyright Notice

   Copyright (c) 2010 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents

   [skipping to change at page 3, line 7]

   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.
Table of Contents

   1.  Introduction
   2.  Conventions Used in This Document
   3.  Mechanism Name
       3.1.  Generating SASL Mechanism Names from GSS-API OIDs
       3.2.  Computing Mechanism Names Manually
       3.3.  Examples
       3.4.  Grandfathered Mechanism Names
   4.  SASL Authentication Exchange Message Format
   5.  Channel Bindings
       5.1.  Content of GSS-CHANNEL-BINDINGS Structure
       5.2.  Default Channel Binding
   6.  Examples
   7.  Authentication Conditions
   8.  GSS-API Parameters
   9.  Naming
   10. GSS_Inquire_SASLname_for_mech Call
       10.1. gss_inquire_saslname_for_mech
   11. GSS_Inquire_mech_for_SASLname Call
       11.1. gss_inquire_mech_for_saslname
   12. Security Layers
   13. Interoperability with the SASL GSSAPI Mechanism
       13.1. The Interoperability Problem
       13.2. Resolving the Problem
       13.3. Additional Recommendations
   14. GSS-API Mechanisms That Negotiate Other Mechanisms
       14.1. The Interoperability Problem
       14.2. Security Problem
       14.3. Resolving the Problems
   15. IANA Considerations
   16. Security Considerations
   17. Acknowledgements
   18. References
       18.1. Normative References
       18.2. Informative References
   Authors' Addresses
1.  Introduction

   Generic Security Service Application Program Interface (GSS-API)
   [RFC2743] is a framework that provides security services to
   applications using a variety of authentication mechanisms.  Simple
   Authentication and Security Layer (SASL) [RFC4422] is a framework to
   provide authentication and security layers for connection-based
   protocols, also using a variety of mechanisms.  This document
   describes how to use a GSS-API mechanism as though it were a SASL

   [skipping to change at page 24, line 35 (draft) / page 24, line 8 (RFC 5801)]

   The security considerations of SASL [RFC4422], the GSS-API [RFC2743],
   channel binding [RFC5056], any external channels (such as TLS,
   [RFC5246], channel binding types (see the IANA channel binding type
   registry), and GSS-API mechanisms (such as the Kerberos V5 mechanism
   [RFC4121] [RFC1964]), also apply.
17.  Acknowledgements

Old (draft-ietf-sasl-gs2-21):

   The history of GS2 can be traced to the "GSSAPI" mechanism originally
   specified by RFC 2222.  This document was derived from
   draft-ietf-sasl-gssapi-02 which was prepared by Alexey Melnikov with
   significant contributions from John G. Myers, although the majority
   of this document has been rewritten by the current authors.

New (RFC 5801):

   The history of GS2 can be traced to the "GSSAPI" mechanism originally
   specified by RFC 2222.  This document was derived from [SASL-GSSAPI],
   which was prepared by Alexey Melnikov with significant contributions
   from John G. Myers, although the majority of this document has been
   rewritten by the current authors.

   Contributions of many members of the SASL mailing list are gratefully
   acknowledged.  In particular, ideas and feedback from Pasi Eronen,
   Sam Hartman, Jeffrey Hutzelman, Alexey Melnikov, and Tom Yu improved
   the document and the protocol.  Other suggestions to the documents
   were made by Spencer Dawkins, Ralph Droms, Adrian Farrel, Robert
   Sparks, and Glen Zorn.
18.  References

   [skipping to change at page 25, line 39 (draft) / page 25, line 11 (RFC 5801)]

   [RFC5234]  Crocker, D. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", STD 68, RFC 5234, January 2008.

   [RFC5554]  Williams, N., "Clarifications and Extensions to the
              Generic Security Service Application Program Interface
              (GSS-API) for the Use of Channel Bindings", RFC 5554,
              May 2009.

   [CCITT.X690.2002]
              Old (draft-ietf-sasl-gs2-21):
              International International Telephone and Telegraph
              Consultative Committee, "ASN.1 encoding rules:
              Specification of basic encoding Rules (BER), Canonical
              encoding rules (CER) and Distinguished encoding rules
              (DER)", CCITT Recommendation X.690, July 2002.

              New (RFC 5801):
              International Telephone and Telegraph Consultative
              Committee, "ASN.1 encoding rules: Specification of basic
              encoding Rules (BER), Canonical encoding rules (CER) and
              Distinguished encoding rules (DER)", CCITT Recommendation
              X.690, July 2002.

   [RFC5929]  Altman, J., Williams, N., and L. Zhu, "Channel Bindings
              for TLS", RFC 5929, July 2010.

18.2.  Informative References

   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
              STD 13, RFC 1034, November 1987.

   [RFC1964]  Linn, J., "The Kerberos Version 5 GSS-API Mechanism",

   [skipping to change at page 26, line 41 (draft) / page 26, line 15 (RFC 5801)]

   [RFC4752]  Melnikov, A., "The Kerberos V5 ("GSSAPI") Simple
              Authentication and Security Layer (SASL) Mechanism",
              RFC 4752, November 2006.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

   [RFC5587]  Williams, N., "Extended Generic Security Service Mechanism
              Inquiry APIs", RFC 5587, July 2009.

   [RFC5802]  Old (draft-ietf-sasl-gs2-21):
              Newman, C., Menon-Sen, A., Melnikov, A., and N. Williams,
              "Salted Challenge Response Authentication Mechanism
              (SCRAM) SASL and GSS-API Mechanisms", RFC 5802, July 2010.

              New (RFC 5801):
              Menon-Sen, A., Melnikov, A., Newman, C., and N. Williams,
              "Salted Challenge Response Authentication Mechanism
              (SCRAM) SASL and GSS-API Mechanisms", RFC 5802, July 2010.

   [MITM]     Old (draft-ietf-sasl-gs2-21):
              Asokan, N., Niemi, V., and K. Nyberg, "Man-in-the-Middle
              in Tunnelled Authentication",
              WWW http://www.saunalahti.fi/~asokan/research/mitm.html.

              New (RFC 5801):
              Asokan, N., Niemi, V., and K. Nyberg, "Man-in-the-Middle
              in Tunnelled Authentication", in 11th Security
              Protocols Workshop, 2002.

   [SASL-GSSAPI]
              (New in RFC 5801)
              Melnikov, A., "The Kerberos V5 ("GSSAPI") SASL mechanism",
              Work in Progress, March 2005.
Authors' Addresses

   Simon Josefsson
   SJD AB
   Hagagatan 24
   Stockholm 113 47
   SE

   EMail: simon@josefsson.org
   URI:   http://josefsson.org/


   Nicolas Williams
   Oracle
   5300 Riata Trace Ct
   Austin, TX 78727
   USA

   EMail: Nicolas.Williams@oracle.com

   (The draft spelled the label "Email:"; RFC 5801 uses "EMail:".)

End of changes.  14 change blocks.  70 lines changed or deleted, 69 lines changed or added.
This html diff was produced by rfcdiff 1.29, available from http://www.levkowetz.com/ietf/tools/rfcdiff/