idnits 2.17.1 draft-ietf-kitten-gssapi-channel-bindings-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 16. -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on line 186. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 197. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 204. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 210. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (September 23, 2008) is 5694 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) No issues found here. Summary: 1 error (**), 0 flaws (~~), 1 warning (==), 7 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 KITTEN WG N. Williams 3 Internet-Draft Sun 4 Intended status: Standards Track September 23, 2008 5 Expires: March 27, 2009 7 Clarifications and Extensions to the GSS-API for the Use of Channel 8 Bindings 9 draft-ietf-kitten-gssapi-channel-bindings-05.txt 11 Status of this Memo 13 By submitting this Internet-Draft, each author represents that any 14 applicable patent or other IPR claims of which he or she is aware 15 have been or will be disclosed, and any of which he or she becomes 16 aware will be disclosed, in accordance with Section 6 of BCP 79. 18 Internet-Drafts are working documents of the Internet Engineering 19 Task Force (IETF), its areas, and its working groups. Note that 20 other groups may also distribute working documents as Internet- 21 Drafts. 23 Internet-Drafts are draft documents valid for a maximum of six months 24 and may be updated, replaced, or obsoleted by other documents at any 25 time. It is inappropriate to use Internet-Drafts as reference 26 material or to cite them other than as "work in progress." 28 The list of current Internet-Drafts can be accessed at 29 http://www.ietf.org/ietf/1id-abstracts.txt. 31 The list of Internet-Draft Shadow Directories can be accessed at 32 http://www.ietf.org/shadow.html. 34 This Internet-Draft will expire on March 27, 2009. 36 Copyright Notice 38 Copyright (C) The IETF Trust (2008). 40 Abstract 42 This document clarifies and generalizes the Generic Security Services 43 Application Programming Interface (GSS-API) "channel bindings" 44 facility, and imposes requirements on future GSS-API mechanisms and 45 programming language bindings of the GSS-API. 47 Table of Contents 49 1. Conventions used in this document . . . . . . . . . . . . . . 3 50 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 51 3. New Requirements for GSS-API Mechanisms . . . . . . . . . . . 5 52 4. Generic Structure for GSS-API Channel Bindings . . . . . . . . 6 53 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 54 6. Security Considerations . . . . . . . . . . . . . . . . . . . 8 55 7. Normative References . . . . . . . . . . . . . . . . . . . . . 9 56 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 10 57 Intellectual Property and Copyright Statements . . . . . . . . . . 11 59 1. Conventions used in this document 61 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 62 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 63 document are to be interpreted as described in [RFC2119]. 65 2. Introduction 67 The base GSS-API v2, update 1 specification [RFC2743] provides a 68 facility for channel binding (see also [RFC5056]), but its treatment 69 was incomplete. The C-bindings of the GSS-API [RFC2744] expanded a 70 little on this facility in what should have been a generic way, but 71 was a C-specific way, and still, the treatment of this facility was 72 incomplete. 74 This document clarifies the GSS-API's channel binding facility and 75 generalizes the parts of it that are specified in the C-bindings 76 document but which should have been generic from the first. 78 3. New Requirements for GSS-API Mechanisms 80 Given the publication of RFC5056 we now assert that all new GSS-API 81 mechanisms that support channel binding MUST conform to [RFC5056]. 83 4. Generic Structure for GSS-API Channel Bindings 85 The base GSS-API v2, update 1 specification [RFC2743] provides a 86 facility for channel binding. It models channel bindings as an OCTET 87 STRING and leaves it to the GSS-API v2, update 1 C-Bindings 88 specification to specify the structure of the contents of the channel 89 bindings OCTET STRINGs. The C-Bindings specification [RFC2744] then 90 defines, in terms of C, what should have been a generic structure for 91 channel bindings. The Kerberos V GSS mechanism [RFC4121] also 92 defines a method for encoding GSS channel bindings in a way that is 93 independent of the C-Bindings -- otherwise the mechanism's channel 94 binding facility would not be useable with other language bindings. 96 In other words, the structure of GSS channel bindings given in 97 [RFC2744] is actually generic, rather than specific to the C 98 programming language. 100 Here, then, is a generic re-statement of this structure, in pseudo- 101 ASN.1: 103 GSS-CHANNEL-BINDINGS ::= SEQUENCE { 104 initiator-address-type INTEGER, -- See RFC2744 105 initiator-address OCTET STRING, -- See RFC2744 106 acceptor-address-type INTEGER, -- See RFC2744 107 acceptor-address OCTET STRING, -- See RFC2744 108 application-data OCTET STRING, -- See RFC5056 109 } 111 The values for the address fields are described in [RFC2744]. 113 New language-specific bindings of the GSS-API SHOULD specify a 114 language-specific formulation of this structure. 116 Where a language binding of the GSS-API models channel bindings as 117 OCTET STRINGs (or the language's equivalent), then the implementation 118 MUST assume that the given bindings correspond only to the 119 application-data field of GSS-CHANNEL-BINDINGS as shown above, rather 120 than some encoding of GSS-CHANNEL-BINDINGS. 122 As mentioned above, [RFC4121] describes an encoding of the above GSS- 123 CHANNEL-BINDINGS structure, and then hashes that encoding. Other 124 GSS-API mechanisms are free to use that encoding. 126 5. IANA Considerations 128 There are no IANA considerations in this document. 130 6. Security Considerations 132 For general security considerations relating to channel bindings see 133 [RFC5056]. 135 Language bindings that use OCTET STRING (or equivalent) for channel 136 bindings will not support the use of network addresses as channel 137 bindings. This should not cause any security problems, as the use of 138 network addresses as channel bindings is not generally secure. 139 However, it is important that "end-point channel bindings" not be 140 modelled as network addresses, otherwise such channel bindings may 141 not be useable with all language bindings of the GSS-API. 143 7. Normative References 145 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 146 Requirement Levels", BCP 14, RFC 2119, March 1997. 148 [RFC2743] Linn, J., "Generic Security Service Application Program 149 Interface Version 2, Update 1", RFC 2743, January 2000. 151 [RFC2744] Wray, J., "Generic Security Service API Version 2 : 152 C-bindings", RFC 2744, January 2000. 154 [RFC4121] Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos 155 Version 5 Generic Security Service Application Program 156 Interface (GSS-API) Mechanism: Version 2", RFC 4121, 157 July 2005. 159 [RFC5056] Williams, N., "On the Use of Channel Bindings to Secure 160 Channels", RFC 5056, November 2007. 162 Author's Address 164 Nicolas Williams 165 Sun Microsystems 166 5300 Riata Trace Ct 167 Austin, TX 78727 168 US 170 Email: Nicolas.Williams@sun.com 172 Full Copyright Statement 174 Copyright (C) The IETF Trust (2008). 176 This document is subject to the rights, licenses and restrictions 177 contained in BCP 78, and except as set forth therein, the authors 178 retain all their rights. 180 This document and the information contained herein are provided on an 181 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 182 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND 183 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS 184 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF 185 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 186 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 188 Intellectual Property 190 The IETF takes no position regarding the validity or scope of any 191 Intellectual Property Rights or other rights that might be claimed to 192 pertain to the implementation or use of the technology described in 193 this document or the extent to which any license under such rights 194 might or might not be available; nor does it represent that it has 195 made any independent effort to identify any such rights. Information 196 on the procedures with respect to rights in RFC documents can be 197 found in BCP 78 and BCP 79. 199 Copies of IPR disclosures made to the IETF Secretariat and any 200 assurances of licenses to be made available, or the result of an 201 attempt made to obtain a general license or permission for the use of 202 such proprietary rights by implementers or users of this 203 specification can be obtained from the IETF on-line IPR repository at 204 http://www.ietf.org/ipr. 206 The IETF invites any interested party to bring to its attention any 207 copyrights, patents or patent applications, or other proprietary 208 rights that may cover technology that may be required to implement 209 this standard. Please address the information to the IETF at 210 ietf-ipr@ietf.org. 212 Acknowledgment 214 Funding for the RFC Editor function is provided by the IETF 215 Administrative Support Activity (IASA).