Diff: draft-ietf-sasl-gs2-16.txt - draft-ietf-sasl-gs2-17.txt

	draft-ietf-sasl-gs2-16.txt	draft-ietf-sasl-gs2-17.txt

	Network Working Group S. Josefsson	Network Working Group S. Josefsson
	Internet-Draft SJD AB	Internet-Draft SJD AB
	Intended status: Standards Track N. Williams	Intended status: Standards Track N. Williams

	Expires: February 5, 2010 Sun Microsystems	Expires: March 13, 2010 Sun Microsystems
	August 4, 2009	September 9, 2009

	Using GSS-API Mechanisms in SASL: The GS2 Mechanism Family	Using GSS-API Mechanisms in SASL: The GS2 Mechanism Family

	draft-ietf-sasl-gs2-16	draft-ietf-sasl-gs2-17

	Status of this Memo	Status of this Memo

	This Internet-Draft is submitted to IETF in full conformance with the	This Internet-Draft is submitted to IETF in full conformance with the
	provisions of BCP 78 and BCP 79. This document may contain material	provisions of BCP 78 and BCP 79. This document may contain material
	from IETF Documents or IETF Contributions published or made publicly	from IETF Documents or IETF Contributions published or made publicly
	available before November 10, 2008. The person(s) controlling the	available before November 10, 2008. The person(s) controlling the
	copyright in some of this material may not have granted the IETF	copyright in some of this material may not have granted the IETF
	Trust the right to allow modifications of such material outside the	Trust the right to allow modifications of such material outside the
	IETF Standards Process. Without obtaining an adequate license from	IETF Standards Process. Without obtaining an adequate license from

	skipping to change at page 1, line 43	skipping to change at page 1, line 43
	and may be updated, replaced, or obsoleted by other documents at any	and may be updated, replaced, or obsoleted by other documents at any
	time. It is inappropriate to use Internet-Drafts as reference	time. It is inappropriate to use Internet-Drafts as reference
	material or to cite them other than as "work in progress."	material or to cite them other than as "work in progress."

	The list of current Internet-Drafts can be accessed at	The list of current Internet-Drafts can be accessed at
	http://www.ietf.org/ietf/1id-abstracts.txt.	http://www.ietf.org/ietf/1id-abstracts.txt.

	The list of Internet-Draft Shadow Directories can be accessed at	The list of Internet-Draft Shadow Directories can be accessed at
	http://www.ietf.org/shadow.html.	http://www.ietf.org/shadow.html.


	This Internet-Draft will expire on February 5, 2010.	This Internet-Draft will expire on March 13, 2010.

	Copyright Notice	Copyright Notice

	Copyright (c) 2009 IETF Trust and the persons identified as the	Copyright (c) 2009 IETF Trust and the persons identified as the
	document authors. All rights reserved.	document authors. All rights reserved.

	This document is subject to BCP 78 and the IETF Trust's Legal	This document is subject to BCP 78 and the IETF Trust's Legal
	Provisions Relating to IETF Documents in effect on the date of	Provisions Relating to IETF Documents in effect on the date of
	publication of this document (http://trustee.ietf.org/license-info).	publication of this document (http://trustee.ietf.org/license-info).
	Please review these documents carefully, as they describe your rights	Please review these documents carefully, as they describe your rights

	skipping to change at page 6, line 5	skipping to change at page 6, line 5
	SHA-1 hash [FIPS.180-1.1995] string computed over the ASN.1 DER	SHA-1 hash [FIPS.180-1.1995] string computed over the ASN.1 DER
	encoding [CCITT.X690.2002], including the tag and length octets, of	encoding [CCITT.X690.2002], including the tag and length octets, of
	the GSS-API mechanism's Object Identifier. The Base32 rules on	the GSS-API mechanism's Object Identifier. The Base32 rules on
	padding characters and characters outside of the base32 alphabet are	padding characters and characters outside of the base32 alphabet are
	not relevant to this use of Base32. If any padding or non-alphabet	not relevant to this use of Base32. If any padding or non-alphabet
	characters are encountered, the name is not a GS2 family mechanism	characters are encountered, the name is not a GS2 family mechanism
	name. This name denotes that the server does not support channel	name. This name denotes that the server does not support channel
	binding. Add the suffix "-PLUS" and the resulting name denotes that	binding. Add the suffix "-PLUS" and the resulting name denotes that
	the server does support channel binding.	the server does support channel binding.


		A GS2 mechanism that has a non-OID-derived SASL mechanism name is
		said to have a "user friendly SASL mechanism name".

	3.2. Computing mechanism names manually	3.2. Computing mechanism names manually

	The hash-derived GS2 SASL mechanism name may be computed manually.	The hash-derived GS2 SASL mechanism name may be computed manually.
	This is useful when the set of supported GSS-API mechanisms is known	This is useful when the set of supported GSS-API mechanisms is known
	in advance. This obliterate the need to implement Base32, SHA-1 and	in advance. This obliterate the need to implement Base32, SHA-1 and
	DER in the SASL mechanism. The computed mechanism name can be used	DER in the SASL mechanism. The computed mechanism name can be used
	directly in the implementation, and the implementation need not	directly in the implementation, and the implementation need not
	concern itself with that the mechanism is part of a mechanism family.	concern itself with that the mechanism is part of a mechanism family.

	3.3. Examples	3.3. Examples

	skipping to change at page 14, line 32	skipping to change at page 14, line 32
	Return major_status codes:	Return major_status codes:

	o GSS_S_COMPLETE indicates successful completion, and that	o GSS_S_COMPLETE indicates successful completion, and that
	output parameters holds correct information.	output parameters holds correct information.

	o GSS_S_BAD_MECH indicates that a desired_mech was unsupported	o GSS_S_BAD_MECH indicates that a desired_mech was unsupported
	by the GSS-API implementation.	by the GSS-API implementation.

	The GSS_Inquire_SASLname_for_mech call is used to get the SASL	The GSS_Inquire_SASLname_for_mech call is used to get the SASL
	mechanism name for a GSS-API mechanism. It also returns a name	mechanism name for a GSS-API mechanism. It also returns a name

	and description of the mechanism in a human readable form.	and description of the mechanism in user friendly form.

	The output variable sasl_mech_name will hold the IANA registered	The output variable sasl_mech_name will hold the IANA registered
	mechanism name for the GSS-API mechanism, or if none is	mechanism name for the GSS-API mechanism, or if none is
	registered, a mechanism name computed from the OID as described	registered, a mechanism name computed from the OID as described
	in section 3.1 of this document.	in section 3.1 of this document.

	10.1. gss_inquire_saslname_for_mech	10.1. gss_inquire_saslname_for_mech

	The C binding for the GSS_Inquire_SASLname_for_mech call is as	The C binding for the GSS_Inquire_SASLname_for_mech call is as
	follows.	follows.

	skipping to change at page 15, line 22	skipping to change at page 15, line 22
	const gss_OID desired_mech,	const gss_OID desired_mech,
	gss_buffer_t sasl_mech_name,	gss_buffer_t sasl_mech_name,
	gss_buffer_t mech_name,	gss_buffer_t mech_name,
	gss_buffer_t mech_description,	gss_buffer_t mech_description,
	);	);

	Purpose:	Purpose:

	Output the SASL mechanism name of a GSS-API mechanism.	Output the SASL mechanism name of a GSS-API mechanism.
	It also returns a name and description of the mechanism in a	It also returns a name and description of the mechanism in a

	human readable form.	user friendly form.

	Parameters:	Parameters:

	minor_status Integer, modify	minor_status Integer, modify
	Mechanism specific status code.	Mechanism specific status code.

	Function value: GSS status code	Function value: GSS status code

	GSS_S_COMPLETE Successful completion	GSS_S_COMPLETE Successful completion


	skipping to change at page 19, line 21	skipping to change at page 19, line 21
	be used as a GS2 mechanism. To make this easier for SASL	be used as a GS2 mechanism. To make this easier for SASL
	implementations we assign a symbolic SASL mechanism name to the	implementations we assign a symbolic SASL mechanism name to the
	SPNEGO GSS-API mechanism: "SPNEGO". SASL client implementations MUST	SPNEGO GSS-API mechanism: "SPNEGO". SASL client implementations MUST
	NOT choose the SPNEGO mechanism under any circumstances.	NOT choose the SPNEGO mechanism under any circumstances.

	The GSS_C_MA_MECH_NEGO attribute of GSS_Inquire_attrs_for_mech	The GSS_C_MA_MECH_NEGO attribute of GSS_Inquire_attrs_for_mech
	[RFC5587] can be used to identify such mechanisms.	[RFC5587] can be used to identify such mechanisms.

	15. IANA Considerations	15. IANA Considerations


		The IANA is advised to register a SASL mechanism family as per
		[RFC4422] using the following information.

		Subject: Registration of SASL mechanism family GS2-*
		SASL mechanism prefix: GS2-
		Security considerations: RFC [THIS-DOC]
		Published specification: RFC [THIS-DOC]
		Person & email address to contact for further information:
		Simon Josefsson <simon@josefsson.org>
		Intended usage: COMMON
		Owner/Change controller: iesg@ietf.org
		Note: Compare with the GSSAPI and GSS-SPNEGO mechanisms.

	The IANA is advised that SASL mechanism names starting with "GS2-"	The IANA is advised that SASL mechanism names starting with "GS2-"
	are reserved for SASL mechanisms which conform to this document. The	are reserved for SASL mechanisms which conform to this document. The
	IANA is directed to place a statement to that effect in the sasl-	IANA is directed to place a statement to that effect in the sasl-
	mechanisms registry.	mechanisms registry.

	The IANA is further advised that GS2 SASL mechanism names MUST NOT	The IANA is further advised that GS2 SASL mechanism names MUST NOT
	end in "-PLUS" except as a version of another mechanism name simply	end in "-PLUS" except as a version of another mechanism name simply
	suffixed with "-PLUS".	suffixed with "-PLUS".

	The SASL names for the Kerberos V5 GSS-API mechanism [RFC4121]	The SASL names for the Kerberos V5 GSS-API mechanism [RFC4121]
	[RFC1964] used via GS2 SHALL be "GS2-KRB5" and "GS2-KRB5-PLUS".	[RFC1964] used via GS2 SHALL be "GS2-KRB5" and "GS2-KRB5-PLUS".

	The SASL names for the SPNEGO GSS-API mechanism used via GS2 SHALL be	The SASL names for the SPNEGO GSS-API mechanism used via GS2 SHALL be
	"SPNEGO" and "SPNEGO-PLUS". As described in Section 14 the SASL	"SPNEGO" and "SPNEGO-PLUS". As described in Section 14 the SASL
	"SPNEGO" and "SPNEGO-PLUS" MUST NOT be used. These names are	"SPNEGO" and "SPNEGO-PLUS" MUST NOT be used. These names are
	provided as a convenience for SASL library implementors.	provided as a convenience for SASL library implementors.


	Subject: Registration of SASL mechanism GS2-*
	SASL mechanism prefix: GS2-
	Security considerations: RFC [THIS-DOC]
	Published specification: RFC [THIS-DOC]
	Person & email address to contact for further information:
	Simon Josefsson <simon@josefsson.org>
	Intended usage: COMMON
	Owner/Change controller: iesg@ietf.org
	Note: Compare with the GSSAPI and GSS-SPNEGO mechanisms.

	16. Security Considerations	16. Security Considerations

	Security issues are also discussed throughout this memo.	Security issues are also discussed throughout this memo.

	The security provided by a GS2 mechanism depends on the security of	The security provided by a GS2 mechanism depends on the security of
	the GSS-API mechanism. The GS2 mechanism family depends on channel	the GSS-API mechanism. The GS2 mechanism family depends on channel
	binding support, so GSS-API mechanisms that do not support channel	binding support, so GSS-API mechanisms that do not support channel
	binding cannot be successfully used as SASL mechanisms via the GS2	binding cannot be successfully used as SASL mechanisms via the GS2
	bridge.	bridge.


	skipping to change at page 23, line 21	skipping to change at page 23, line 21

	[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security	[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
	(TLS) Protocol Version 1.2", RFC 5246, August 2008.	(TLS) Protocol Version 1.2", RFC 5246, August 2008.

	[RFC5587] Williams, N., "Extended Generic Security Service Mechanism	[RFC5587] Williams, N., "Extended Generic Security Service Mechanism
	Inquiry APIs", RFC 5587, July 2009.	Inquiry APIs", RFC 5587, July 2009.

	[I-D.ietf-sasl-scram]	[I-D.ietf-sasl-scram]
	Menon-Sen, A., Melnikov, A., Newman, C., and N. Williams,	Menon-Sen, A., Melnikov, A., Newman, C., and N. Williams,
	"Salted Challenge Response (SCRAM) SASL Mechanism",	"Salted Challenge Response (SCRAM) SASL Mechanism",

	draft-ietf-sasl-scram-04 (work in progress), July 2009.	draft-ietf-sasl-scram-05 (work in progress), August 2009.

	[I-D.altman-tls-channel-bindings]	[I-D.altman-tls-channel-bindings]
	Altman, J., Williams, N., and L. Zhu, "Channel Bindings	Altman, J., Williams, N., and L. Zhu, "Channel Bindings

	for TLS", draft-altman-tls-channel-bindings-05 (work in	for TLS", draft-altman-tls-channel-bindings-06 (work in
	progress), June 2009.	progress), August 2009.

	[mitm] Asokan, N., Niemi, V., and K. Nyberg, "Man-in-the-Middle	[mitm] Asokan, N., Niemi, V., and K. Nyberg, "Man-in-the-Middle
	in Tunneled Authentication",	in Tunneled Authentication",
	WWW http://www.saunalahti.fi/~asokan/research/mitm.html.	WWW http://www.saunalahti.fi/~asokan/research/mitm.html.

	Authors' Addresses	Authors' Addresses

	Simon Josefsson	Simon Josefsson
	SJD AB	SJD AB
	Hagagatan 24	Hagagatan 24

End of changes. 10 change blocks.
	19 lines changed or deleted	25 lines changed or added
This html diff was produced by rfcdiff 1.29, available from http://www.levkowetz.com/ietf/tools/rfcdiff/