idnits 2.17.1 

draft-ietf-kitten-gssapi-channel-bindings-03.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1 on line 15.

  -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on
     line 163.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 174.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 181.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 187.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an Introduction section.

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust Copyright Line does not match the
     current year

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (February 25, 2008) is 5904 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

     No issues found here.

     Summary: 3 errors (**), 0 flaws (~~), 2 warnings (==), 7 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	KITTEN WG                                                    N. Williams
3	Internet-Draft                                                       Sun
4	Expires: August 28, 2008                               February 25, 2008

6	  Clarifications and Extensions to the GSS-API for the Use of Channel
7	                                Bindings
8	            draft-ietf-kitten-gssapi-channel-bindings-03.txt

10	Status of this Memo

12	   By submitting this Internet-Draft, each author represents that any
13	   applicable patent or other IPR claims of which he or she is aware
14	   have been or will be disclosed, and any of which he or she becomes
15	   aware will be disclosed, in accordance with Section 6 of BCP 79.

17	   Internet-Drafts are working documents of the Internet Engineering
18	   Task Force (IETF), its areas, and its working groups.  Note that
19	   other groups may also distribute working documents as Internet-
20	   Drafts.

22	   Internet-Drafts are draft documents valid for a maximum of six months
23	   and may be updated, replaced, or obsoleted by other documents at any
24	   time.  It is inappropriate to use Internet-Drafts as reference
25	   material or to cite them other than as "work in progress."

27	   The list of current Internet-Drafts can be accessed at
28	   http://www.ietf.org/ietf/1id-abstracts.txt.

30	   The list of Internet-Draft Shadow Directories can be accessed at
31	   http://www.ietf.org/shadow.html.

33	   This Internet-Draft will expire on August 28, 2008.

35	Copyright Notice

37	   Copyright (C) The IETF Trust (2008).

39	Abstract

41	   This document clarifies and generalizes the Generic Security Services
42	   Application Programming Interface (GSS-API) "channel bindings"
43	   facility, and imposes requirements on future GSS-API mechanisms and
44	   programming language bindings of the GSS-API.

46	Table of Contents

48	   1.  Conventions used in this document . . . . . . . . . . . . . . . 3
49	   2.  New Requirements for GSS-API Mechanisms . . . . . . . . . . . . 4
50	   3.  Generic Structure for GSS-API Channel Bindings  . . . . . . . . 5
51	   4.  Security Considerations . . . . . . . . . . . . . . . . . . . . 6
52	   5.  Normative References  . . . . . . . . . . . . . . . . . . . . . 7
53	   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . . . 8
54	   Intellectual Property and Copyright Statements  . . . . . . . . . . 9

56	1.  Conventions used in this document

58	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
59	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
60	   document are to be interpreted as described in [RFC2119].

62	2.  New Requirements for GSS-API Mechanisms

64	   Given the publication of RFC5056 we now assert that all new GSS-API
65	   mechanisms that support channel binding MUST conform to [RFC5056].

67	3.  Generic Structure for GSS-API Channel Bindings

69	   The base GSS-API v2, update 1 specification [RFC2743] provides a
70	   facility for channel binding.  It models channel bindings as an OCTET
71	   STRING and leaves it to the GSS-API v2, update 1 C-Bindings
72	   specification to specify the structure of the contents of the channel
73	   bindings OCTET STRINGs.  The C-Bindings specification [RFC2744]then
74	   defines, in terms of C, what should have been a generic structure for
75	   channel bindings.  The Kerberos V GSS mechanism [RFC1964]then defines
76	   a method for encoding GSS channel bindings in a way that is
77	   independent of the C-Bindings -- otherwise the mechanism's channel
78	   binding facility would not be useable with other language bindings.

80	   In other words, the structure of GSS channel bindings given in
81	   [RFC2744] is actually generic, rather than specific to the C
82	   programming language.

84	   Here, then, is a generic re-statement of this structure, in pseudo-
85	   ASN.1:

87	                   GSS-CHANNEL-BINDINGS := SEQUENCE {
88	                           initiator-address-type        INTEGER,
89	                           initiator-address        OCTET STRING,
90	                           acceptor-address-type   INTEGER,
91	                           acceptor-address        OCTET STRING,
92	                           application-data        OCTET STRING,
93	                   }

95	   The values for the address fields are described in [RFC2744].

97	   New language-specific bindings of the GSS-API SHOULD specify a
98	   language-specific formulation of this structure.

100	   Where a language binding of the GSS-API models channel bindings as
101	   OCTET STRINGs (or the language's equivalent), then the implementation
102	   MUST assume that the given bindings correspond only to the
103	   application-data field of GSS-CHANNEL-BINDINGS as shown above, rather
104	   than some encoding of GSS-CHANNEL-BINDINGS.

106	   GSS-API mechanisms MAY use the [RFC1964] encoding of channel
107	   bindings.

109	4.  Security Considerations

111	   For general security considerations relating to channel bindings see
112	   [RFC5056].

114	   Language bindings that use OCTET STRING (or equivalent) for channel
115	   bindings will not support the use of network addresses as channel
116	   bindings.  This should not cause any security problems, as the use of
117	   network addresses as channel bindings is not generally secure.
118	   However, it is important that "end-point channel bindings" not be
119	   modelled as network addresses, otherwise such channel bindings may
120	   not be useable with all language bindings of the GSS-API.

122	5.  Normative References

124	   [RFC1964]  Linn, J., "The Kerberos Version 5 GSS-API Mechanism",
125	              RFC 1964, June 1996.

127	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
128	              Requirement Levels", BCP 14, RFC 2119, March 1997.

130	   [RFC2743]  Linn, J., "Generic Security Service Application Program
131	              Interface Version 2, Update 1", RFC 2743, January 2000.

133	   [RFC2744]  Wray, J., "Generic Security Service API Version 2 :
134	              C-bindings", RFC 2744, January 2000.

136	   [RFC5056]  Williams, N., "On the Use of Channel Bindings to Secure
137	              Channels", RFC 5056, November 2007.

139	Author's Address

141	   Nicolas Williams
142	   Sun Microsystems
143	   5300 Riata Trace Ct
144	   Austin, TX  78727
145	   US

147	   Email: Nicolas.Williams@sun.com

149	Full Copyright Statement

151	   Copyright (C) The IETF Trust (2008).

153	   This document is subject to the rights, licenses and restrictions
154	   contained in BCP 78, and except as set forth therein, the authors
155	   retain all their rights.

157	   This document and the information contained herein are provided on an
158	   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
159	   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
160	   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
161	   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
162	   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
163	   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

165	Intellectual Property

167	   The IETF takes no position regarding the validity or scope of any
168	   Intellectual Property Rights or other rights that might be claimed to
169	   pertain to the implementation or use of the technology described in
170	   this document or the extent to which any license under such rights
171	   might or might not be available; nor does it represent that it has
172	   made any independent effort to identify any such rights.  Information
173	   on the procedures with respect to rights in RFC documents can be
174	   found in BCP 78 and BCP 79.

176	   Copies of IPR disclosures made to the IETF Secretariat and any
177	   assurances of licenses to be made available, or the result of an
178	   attempt made to obtain a general license or permission for the use of
179	   such proprietary rights by implementers or users of this
180	   specification can be obtained from the IETF on-line IPR repository at
181	   http://www.ietf.org/ipr.

183	   The IETF invites any interested party to bring to its attention any
184	   copyrights, patents or patent applications, or other proprietary
185	   rights that may cover technology that may be required to implement
186	   this standard.  Please address the information to the IETF at
187	   ietf-ipr@ietf.org.

189	Acknowledgment

191	   Funding for the RFC Editor function is provided by the IETF
192	   Administrative Support Activity (IASA).