| draft-ietf-sasl-gs2.txt | rfc5801.txt | |||
|---|---|---|---|---|
| Network Working Group S. Josefsson | Internet Engineering Task Force (IETF) S. Josefsson | |||
| Internet-Draft SJD AB | Request for Comments: 5801 SJD AB | |||
| Intended status: Standards Track N. Williams | Category: Standards Track N. Williams | |||
| Expires: January 14, 2011 Oracle | ISSN: 2070-1721 Oracle | |||
| July 13, 2010 | July 2010 | |||
| Using Generic Security Service Application Program Interface (GSS-API) | Using Generic Security Service Application Program Interface (GSS-API) | |||
| Mechanisms in Simple Authentication and Security Layer (SASL): The GS2 | Mechanisms in Simple Authentication and Security Layer (SASL): | |||
| Mechanism Family | The GS2 Mechanism Family | |||
| draft-ietf-sasl-gs2-21 | ||||
| Abstract | Abstract | |||
| This document describes how to use a Generic Security Service | This document describes how to use a Generic Security Service | |||
| Application Program Interface (GSS-API) mechanism in the the Simple | Application Program Interface (GSS-API) mechanism in the Simple | |||
| Authentication and Security Layer (SASL) framework. This is done by | Authentication and Security Layer (SASL) framework. This is done by | |||
| defining a new SASL mechanism family, called GS2. This mechanism | defining a new SASL mechanism family, called GS2. This mechanism | |||
| family offers a number of improvements over the previous "SASL/ | family offers a number of improvements over the previous "SASL/ | |||
| GSSAPI" mechanism: it is more general, uses fewer messages for the | GSSAPI" mechanism: it is more general, uses fewer messages for the | |||
| authentication phase in some cases, and supports negotiable use of | authentication phase in some cases, and supports negotiable use of | |||
| channel binding. Only GSS-API mechanisms that support channel | channel binding. Only GSS-API mechanisms that support channel | |||
| binding and mutual authentication are supported. | binding and mutual authentication are supported. | |||
| Status of this Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | ||||
| provisions of BCP 78 and BCP 79. | ||||
| Internet-Drafts are working documents of the Internet Engineering | This is an Internet Standards Track document. | |||
| Task Force (IETF). Note that other groups may also distribute | ||||
| working documents as Internet-Drafts. The list of current Internet- | ||||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | ||||
| Internet-Drafts are draft documents valid for a maximum of six months | This document is a product of the Internet Engineering Task Force | |||
| and may be updated, replaced, or obsoleted by other documents at any | (IETF). It represents the consensus of the IETF community. It has | |||
| time. It is inappropriate to use Internet-Drafts as reference | received public review and has been approved for publication by the | |||
| material or to cite them other than as "work in progress." | Internet Engineering Steering Group (IESG). Further information on | |||
| Internet Standards is available in Section 2 of RFC 5741. | ||||
| This Internet-Draft will expire on January 14, 2011. | Information about the current status of this document, any errata, | |||
| and how to provide feedback on it may be obtained at | ||||
| http://www.rfc-editor.org/info/rfc5801. | ||||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2010 IETF Trust and the persons identified as the | Copyright (c) 2010 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 3, line 7 | skipping to change at page 3, line 7 | |||
| modifications of such material outside the IETF Standards Process. | modifications of such material outside the IETF Standards Process. | |||
| Without obtaining an adequate license from the person(s) controlling | Without obtaining an adequate license from the person(s) controlling | |||
| the copyright in such materials, this document may not be modified | the copyright in such materials, this document may not be modified | |||
| outside the IETF Standards Process, and derivative works of it may | outside the IETF Standards Process, and derivative works of it may | |||
| not be created outside the IETF Standards Process, except to format | not be created outside the IETF Standards Process, except to format | |||
| it for publication as an RFC or to translate it into languages other | it for publication as an RFC or to translate it into languages other | |||
| than English. | than English. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 1. Introduction ....................................................4 | |||
| 2. Conventions Used in This Document . . . . . . . . . . . . . . 5 | 2. Conventions Used in This Document ...............................5 | |||
| 3. Mechanism Name . . . . . . . . . . . . . . . . . . . . . . . . 5 | 3. Mechanism Name ..................................................5 | |||
| 3.1. Generating SASL Mechanism Names from GSS-API OIDs . . . . 5 | 3.1. Generating SASL Mechanism Names from GSS-API OIDs ..........5 | |||
| 3.2. Computing Mechanism Names Manually . . . . . . . . . . . . 6 | 3.2. Computing Mechanism Names Manually .........................6 | |||
| 3.3. Examples . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 3.3. Examples ...................................................6 | |||
| 3.4. Grandfathered Mechanism Names . . . . . . . . . . . . . . 8 | 3.4. Grandfathered Mechanism Names ..............................7 | |||
| 4. SASL Authentication Exchange Message Format . . . . . . . . . 8 | 4. SASL Authentication Exchange Message Format .....................8 | |||
| 5. Channel Bindings . . . . . . . . . . . . . . . . . . . . . . . 10 | 5. Channel Bindings ...............................................10 | |||
| 5.1. Content of GSS-CHANNEL-BINDINGS Structure . . . . . . . . 11 | 5.1. Content of GSS-CHANNEL-BINDINGS Structure .................11 | |||
| 5.2. Default Channel Binding . . . . . . . . . . . . . . . . . 11 | 5.2. Default Channel Binding ...................................12 | |||
| 6. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 | 6. Examples .......................................................12 | |||
| 7. Authentication Conditions . . . . . . . . . . . . . . . . . . 14 | 7. Authentication Conditions ......................................14 | |||
| 8. GSS-API Parameters . . . . . . . . . . . . . . . . . . . . . . 14 | 8. GSS-API Parameters .............................................15 | |||
| 9. Naming . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 | 9. Naming .........................................................15 | |||
| 10. GSS_Inquire_SASLname_for_mech Call . . . . . . . . . . . . . . 15 | 10. GSS_Inquire_SASLname_for_mech Call ............................15 | |||
| 10.1. gss_inquire_saslname_for_mech . . . . . . . . . . . . . . 17 | 10.1. gss_inquire_saslname_for_mech ............................16 | |||
| 11. GSS_Inquire_mech_for_SASLname Call . . . . . . . . . . . . . . 19 | 11. GSS_Inquire_mech_for_SASLname Call ............................18 | |||
| 11.1. gss_inquire_mech_for_saslname . . . . . . . . . . . . . . 20 | 11.1. gss_inquire_mech_for_saslname ............................19 | |||
| 12. Security Layers . . . . . . . . . . . . . . . . . . . . . . . 20 | 12. Security Layers ...............................................20 | |||
| 13. Interoperability with the SASL GSSAPI Mechanism . . . . . . . 21 | 13. Interoperability with the SASL GSSAPI Mechanism ...............20 | |||
| 13.1. The Interoperability Problem . . . . . . . . . . . . . . . 21 | 13.1. The Interoperability Problem .............................20 | |||
| 13.2. Resolving the Problem . . . . . . . . . . . . . . . . . . 21 | 13.2. Resolving the Problem ....................................20 | |||
| 13.3. Additional Recommendations . . . . . . . . . . . . . . . . 21 | 13.3. Additional Recommendations ...............................20 | |||
| 14. GSS-API Mechanisms That Negotiate Other Mechanisms . . . . . . 21 | 14. GSS-API Mechanisms That Negotiate Other Mechanisms ............21 | |||
| 14.1. The Interoperability Problem . . . . . . . . . . . . . . . 22 | 14.1. The Interoperability Problem .............................21 | |||
| 14.2. Security Problem . . . . . . . . . . . . . . . . . . . . . 22 | 14.2. Security Problem .........................................21 | |||
| 14.3. Resolving the Problems . . . . . . . . . . . . . . . . . . 22 | 14.3. Resolving the Problems ...................................21 | |||
| 15. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22 | 15. IANA Considerations ...........................................22 | |||
| 16. Security Considerations . . . . . . . . . . . . . . . . . . . 23 | 16. Security Considerations .......................................22 | |||
| 17. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 24 | 17. Acknowledgements ..............................................24 | |||
| 18. References . . . . . . . . . . . . . . . . . . . . . . . . . . 25 | 18. References ....................................................24 | |||
| 18.1. Normative References . . . . . . . . . . . . . . . . . . . 25 | 18.1. Normative References .....................................24 | |||
| 18.2. Informative References . . . . . . . . . . . . . . . . . . 25 | 18.2. Informative References ...................................25 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 26 | ||||
| 1. Introduction | 1. Introduction | |||
| Generic Security Service Application Program Interface (GSS-API) | Generic Security Service Application Program Interface (GSS-API) | |||
| [RFC2743] is a framework that provides security services to | [RFC2743] is a framework that provides security services to | |||
| applications using a variety of authentication mechanisms. Simple | applications using a variety of authentication mechanisms. Simple | |||
| Authentication and Security Layer (SASL) [RFC4422] is a framework to | Authentication and Security Layer (SASL) [RFC4422] is a framework to | |||
| provide authentication and security layers for connection-based | provide authentication and security layers for connection-based | |||
| protocols, also using a variety of mechanisms. This document | protocols, also using a variety of mechanisms. This document | |||
| describes how to use a GSS-API mechanism as though it were a SASL | describes how to use a GSS-API mechanism as though it were a SASL | |||
| skipping to change at page 24, line 35 | skipping to change at page 24, line 8 | |||
| The security considerations of SASL [RFC4422], the GSS-API [RFC2743], | The security considerations of SASL [RFC4422], the GSS-API [RFC2743], | |||
| channel binding [RFC5056], any external channels (such as TLS, | channel binding [RFC5056], any external channels (such as TLS, | |||
| [RFC5246], channel binding types (see the IANA channel binding type | [RFC5246], channel binding types (see the IANA channel binding type | |||
| registry), and GSS-API mechanisms (such as the Kerberos V5 mechanism | registry), and GSS-API mechanisms (such as the Kerberos V5 mechanism | |||
| [RFC4121] [RFC1964]), also apply. | [RFC4121] [RFC1964]), also apply. | |||
| 17. Acknowledgements | 17. Acknowledgements | |||
| The history of GS2 can be traced to the "GSSAPI" mechanism originally | The history of GS2 can be traced to the "GSSAPI" mechanism originally | |||
| specified by RFC 2222. This document was derived from | specified by RFC 2222. This document was derived from [SASL-GSSAPI], | |||
| draft-ietf-sasl-gssapi-02 which was prepared by Alexey Melnikov with | which was prepared by Alexey Melnikov with significant contributions | |||
| significant contributions from John G. Myers, although the majority | from John G. Myers, although the majority of this document has been | |||
| of this document has been rewritten by the current authors. | rewritten by the current authors. | |||
| Contributions of many members of the SASL mailing list are gratefully | Contributions of many members of the SASL mailing list are gratefully | |||
| acknowledged. In particular, ideas and feedback from Pasi Eronen, | acknowledged. In particular, ideas and feedback from Pasi Eronen, | |||
| Sam Hartman, Jeffrey Hutzelman, Alexey Melnikov, and Tom Yu improved | Sam Hartman, Jeffrey Hutzelman, Alexey Melnikov, and Tom Yu improved | |||
| the document and the protocol. Other suggestions to the documents | the document and the protocol. Other suggestions to the documents | |||
| were made by Spencer Dawkins, Ralph Droms, Adrian Farrel, Robert | were made by Spencer Dawkins, Ralph Droms, Adrian Farrel, Robert | |||
| Sparks, and Glen Zorn. | Sparks, and Glen Zorn. | |||
| 18. References | 18. References | |||
| skipping to change at page 25, line 39 | skipping to change at page 25, line 11 | |||
| [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax | [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax | |||
| Specifications: ABNF", STD 68, RFC 5234, January 2008. | Specifications: ABNF", STD 68, RFC 5234, January 2008. | |||
| [RFC5554] Williams, N., "Clarifications and Extensions to the | [RFC5554] Williams, N., "Clarifications and Extensions to the | |||
| Generic Security Service Application Program Interface | Generic Security Service Application Program Interface | |||
| (GSS-API) for the Use of Channel Bindings", RFC 5554, | (GSS-API) for the Use of Channel Bindings", RFC 5554, | |||
| May 2009. | May 2009. | |||
| [CCITT.X690.2002] | [CCITT.X690.2002] | |||
| International International Telephone and Telegraph | International Telephone and Telegraph Consultative | |||
| Consultative Committee, "ASN.1 encoding rules: | Committee, "ASN.1 encoding rules: Specification of basic | |||
| Specification of basic encoding Rules (BER), Canonical | encoding Rules (BER), Canonical encoding rules (CER) and | |||
| encoding rules (CER) and Distinguished encoding rules | Distinguished encoding rules (DER)", CCITT Recommendation | |||
| (DER)", CCITT Recommendation X.690, July 2002. | X.690, July 2002. | |||
| [RFC5929] Altman, J., Williams, N., and L. Zhu, "Channel Bindings | [RFC5929] Altman, J., Williams, N., and L. Zhu, "Channel Bindings | |||
| for TLS", RFC 5929, July 2010. | for TLS", RFC 5929, July 2010. | |||
| 18.2. Informative References | 18.2. Informative References | |||
| [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", | [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", | |||
| STD 13, RFC 1034, November 1987. | STD 13, RFC 1034, November 1987. | |||
| [RFC1964] Linn, J., "The Kerberos Version 5 GSS-API Mechanism", | [RFC1964] Linn, J., "The Kerberos Version 5 GSS-API Mechanism", | |||
| skipping to change at page 26, line 41 | skipping to change at page 26, line 15 | |||
| [RFC4752] Melnikov, A., "The Kerberos V5 ("GSSAPI") Simple | [RFC4752] Melnikov, A., "The Kerberos V5 ("GSSAPI") Simple | |||
| Authentication and Security Layer (SASL) Mechanism", | Authentication and Security Layer (SASL) Mechanism", | |||
| RFC 4752, November 2006. | RFC 4752, November 2006. | |||
| [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | |||
| (TLS) Protocol Version 1.2", RFC 5246, August 2008. | (TLS) Protocol Version 1.2", RFC 5246, August 2008. | |||
| [RFC5587] Williams, N., "Extended Generic Security Service Mechanism | [RFC5587] Williams, N., "Extended Generic Security Service Mechanism | |||
| Inquiry APIs", RFC 5587, July 2009. | Inquiry APIs", RFC 5587, July 2009. | |||
| [RFC5802] Newman, C., Menon-Sen, A., Melnikov, A., and N. Williams, | [RFC5802] Menon-Sen, A., Melnikov, A., Newman, C., and N. Williams, | |||
| "Salted Challenge Response Authentication Mechanism | "Salted Challenge Response Authentication Mechanism | |||
| (SCRAM) SASL and GSS-API Mechanisms", RFC 5802, July 2010. | (SCRAM) SASL and GSS-API Mechanisms", RFC 5802, July 2010. | |||
| [MITM] Asokan, N., Niemi, V., and K. Nyberg, "Man-in-the-Middle | [MITM] Asokan, N., Niemi, V., and K. Nyberg, "Man-in-the-Middle | |||
| in Tunnelled Authentication", | in Tunnelled Authentication", in 11th Security | |||
| WWW http://www.saunalahti.fi/~asokan/research/mitm.html. | Protocols Workshop, 2002. | |||
| [SASL-GSSAPI] | ||||
| Melnikov, A., "The Kerberos V5 ("GSSAPI") SASL mechanism", | ||||
| Work in Progress, March 2005. | ||||
| Authors' Addresses | Authors' Addresses | |||
| Simon Josefsson | Simon Josefsson | |||
| SJD AB | SJD AB | |||
| Hagagatan 24 | Hagagatan 24 | |||
| Stockholm 113 47 | Stockholm 113 47 | |||
| SE | SE | |||
| Email: simon@josefsson.org | EMail: simon@josefsson.org | |||
| URI: http://josefsson.org/ | URI: http://josefsson.org/ | |||
| Nicolas Williams | Nicolas Williams | |||
| Oracle | Oracle | |||
| 5300 Riata Trace Ct | 5300 Riata Trace Ct | |||
| Austin, TX 78727 | Austin, TX 78727 | |||
| USA | USA | |||
| Email: Nicolas.Williams@oracle.com | EMail: Nicolas.Williams@oracle.com | |||
| End of changes. 14 change blocks. | ||||
| 70 lines changed or deleted | 69 lines changed or added | |||
| This html diff was produced by rfcdiff 1.29, available from http://www.levkowetz.com/ietf/tools/rfcdiff/ | | |||
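The abstract above describes GS2 as a *family* of SASL mechanisms, one per GSS-API mechanism, with channel binding negotiated rather than mandatory; the table of contents points at Section 3.1 ("Generating SASL Mechanism Names from GSS-API OIDs") for how each family member gets its name, but the diff excerpt does not reproduce that section. The following is an added worked example, not code or text from RFC 5801 or from the rfcdiff page: it implements the Section 3.1 derivation as that section specifies it (SHA-1 over the X.690 DER encoding of the mechanism OID, the first 55 bits base32-encoded into 11 characters, prefixed with "GS2-", with "-PLUS" marking the channel-binding variant) and the Section 3.4 rule that Kerberos V5 keeps the registered name GS2-KRB5 instead of a hash-derived one. The function names are this example's own, and the Kerberos V5 and SPKM-1 OIDs are used only as sample input; the hash-derived names are computed, not quoted from the RFC.

```python
"""GS2 SASL mechanism-name derivation, after RFC 5801 Section 3.1.

Added example; this code is not from RFC 5801 or from the rfcdiff page.
Sample inputs are the well-known Kerberos V5 GSS-API mechanism OID
(1.2.840.113554.1.2.2) and the SPKM-1 OID (1.3.6.1.5.5.1.1); the
hash-derived names are computed here rather than quoted from the RFC.
"""
import base64
import hashlib
import re

# Names RFC 5801 assigns directly instead of deriving them from the OID
# (its Section 3.4, "Grandfathered Mechanism Names").
GRANDFATHERED = {"GS2-KRB5": "1.2.840.113554.1.2.2"}

# A hash-derived name is "GS2-" plus exactly 11 upper-case base32
# characters, optionally followed by "-PLUS"; padding ("=") or any other
# character makes the name invalid as a GS2 hash-derived name.
_HASH_NAME = re.compile(r"^GS2-[A-Z2-7]{11}(-PLUS)?$")


def der_encode_oid(oid: str) -> bytes:
    """Return the complete DER encoding (tag 0x06, length, contents) of a
    dotted-decimal OID per X.690; the Section 3.1 hash is taken over this
    whole TLV, not just the contents octets."""
    arcs = [int(a) for a in oid.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("not a valid OID: " + oid)
    contents = bytearray()
    # The first two arcs are packed into a single sub-identifier.
    for sub in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        # Base-128, most significant group first, high bit set on every
        # octet except the last one.
        groups = [sub & 0x7F]
        sub >>= 7
        while sub:
            groups.append(0x80 | (sub & 0x7F))
            sub >>= 7
        contents.extend(reversed(groups))
    if len(contents) > 127:
        raise ValueError("OID too long for short-form length (example limit)")
    return bytes([0x06, len(contents)]) + bytes(contents)


def gs2_mechanism_name(oid: str, channel_binding: bool = False) -> str:
    """SASL name for a GSS-API mechanism: SHA-1 over the DER OID, the first
    55 bits of the digest base32-encoded (11 characters, no padding),
    prefixed with "GS2-".  The "-PLUS" suffix is the variant a server
    advertises when it supports channel binding."""
    digest = hashlib.sha1(der_encode_oid(oid)).digest()
    # Seven octets hold bits 0..55; base32 maps 5 bits per character, so
    # the first 11 characters cover exactly bits 0..54.  The 12th character
    # and the "=" padding that b32encode appends are discarded.
    encoded = base64.b32encode(digest[:7]).decode("ascii")[:11]
    name = "GS2-" + encoded
    return name + "-PLUS" if channel_binding else name


def classify_mechanism_name(name: str):
    """Classify a SASL mechanism name a peer advertises.

    Returns (kind, plus): kind is "hash" for a well-formed hash-derived
    GS2 name, "grandfathered" for a name RFC 5801 registers directly, or
    None for anything else; plus says whether the "-PLUS" (channel
    binding) variant was named."""
    plus = name.endswith("-PLUS")
    base = name[:-5] if plus else name
    if base in GRANDFATHERED:
        return "grandfathered", plus
    if _HASH_NAME.match(name):
        return "hash", plus
    return None, plus


if __name__ == "__main__":
    for oid in ("1.2.840.113554.1.2.2", "1.3.6.1.5.5.1.1"):
        print(oid, der_encode_oid(oid).hex(), gs2_mechanism_name(oid),
              gs2_mechanism_name(oid, channel_binding=True))
```

The practical check this supports: a server lists the "-PLUS" name only when it can supply channel-binding data for the outer channel (TLS, per the security considerations above), and a client that supports channel binding chooses between the plain and "-PLUS" names from that list. That choice is what the abstract calls "negotiable use of channel binding", so a client should treat the absence of a "-PLUS" name from a server it expects to support channel binding as a possible downgrade rather than silently falling back.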