idnits 2.17.1 draft-ietf-kitten-gssapi-domain-based-names-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3667, Section 5.1 on line 13. -- Found old boilerplate from RFC 3978, Section 5.5 on line 202. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 179. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 186. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 192. ** Found boilerplate matching RFC 3978, Section 5.4, paragraph 1 (on line 208), which is fine, but *also* found old RFC 2026, Section 10.4C, paragraph 1 text on line 35. ** The document seems to lack an RFC 3978 Section 5.1 IPR Disclosure Acknowledgement -- however, there's a paragraph with a matching beginning. Boilerplate error? ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. ** The document uses RFC 3667 boilerplate or RFC 3978-like boilerplate instead of verbatim RFC 3978 boilerplate. After 6 May 2005, submission of drafts without verbatim RFC 3978 boilerplate is not accepted. The following non-3978 patterns matched text found in the document. That text should be removed or replaced: By submitting this Internet-Draft, I certify that any applicable patent or other IPR claims of which I am aware have been disclosed, or will be disclosed, and any of which I become aware will be disclosed, in accordance with RFC 3668. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard == It seems as if not all pages are separated by form feeds - found 0 form feeds but 10 pages Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (July 2004) is 7223 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Obsolete informational reference (is this intentional?): RFC 2222 (Obsoleted by RFC 4422, RFC 4752) -- Obsolete informational reference (is this intentional?): RFC 3377 (Obsoleted by RFC 4510) Summary: 7 errors (**), 0 flaws (~~), 3 warnings (==), 9 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 NETWORK WORKING GROUP N. Williams 2 Internet-Draft Sun 3 Expires: December 30, 2004 July 2004 5 GSS-API Domain-Based Service Names and Name Type 6 draft-ietf-kitten-gssapi-domain-based-names-00.txt 8 Status of this Memo 10 By submitting this Internet-Draft, I certify that any applicable 11 patent or other IPR claims of which I am aware have been disclosed, 12 and any of which I become aware will be disclosed, in accordance with 13 RFC 3668. 15 Internet-Drafts are working documents of the Internet Engineering 16 Task Force (IETF), its areas, and its working groups. Note that 17 other groups may also distribute working documents as 18 Internet-Drafts. 20 Internet-Drafts are draft documents valid for a maximum of six months 21 and may be updated, replaced, or obsoleted by other documents at any 22 time. It is inappropriate to use Internet-Drafts as reference 23 material or to cite them other than as "work in progress." 25 The list of current Internet-Drafts can be accessed at 26 http://www.ietf.org/ietf/1id-abstracts.txt. 28 The list of Internet-Draft Shadow Directories can be accessed at 29 http://www.ietf.org/shadow.html. 31 This Internet-Draft will expire on December 30, 2004. 33 Copyright Notice 35 Copyright (C) The Internet Society (2004). All Rights Reserved. 37 Abstract 39 This document describes domainname-based service principal names and 40 the corresponding name type for the Generic Security Service 41 Application Programming Interface (GSS-API). 43 Domain-based service names are similar to host-based service names, 44 but using a domain name (not necessarily and Internat domain name) 45 instead of or in addition to a hostname. The primary purpose of 46 domain-based service names is to provide a way to name clustered 47 services after the domain which they service, thereby allowing their 48 clients to authorize the service's servers based on authentication of 49 their names. 51 Table of Contents 53 1. Conventions used in this document . . . . . . . . . . . . . . 3 54 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 55 3. Name Type OID and Symbolic Name . . . . . . . . . . . . . . . 5 56 4. Query and Display Syntaxes . . . . . . . . . . . . . . . . . . 6 57 5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 58 6. Security Considerations . . . . . . . . . . . . . . . . . . . 8 59 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 60 7.1 Normative . . . . . . . . . . . . . . . . . . . . . . . . . . 9 61 7.2 Informative . . . . . . . . . . . . . . . . . . . . . . . . . 9 62 Author's Address . . . . . . . . . . . . . . . . . . . . . . . 9 63 Intellectual Property and Copyright Statements . . . . . . . . 10 65 1. Conventions used in this document 67 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 68 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 69 document are to be interpreted as described in [RFC2119]. 71 2. Introduction 73 The use of hostbased principal names for domain-wide services 74 presents the problem of how to distinguish between an instance of a 75 hostbased service that is authorized to respond for a domain and one 76 that isn't. 78 Consider LDAP. LDAP [RFC3377] with SASL [RFC2222] and the Kerberos V 79 mechanism [RFC1964] for the GSS-API [RFC2743] uses a hostbased 80 principal with a service name of "ldap", a reasonable approach, 81 provided there is only one logical LDAP directory in a Kerberos 82 realm's domain, and that all ldap servers in that realm serve that 83 one LDAP directory. If there were other LDAP directories, then 84 clients could not tell which service is authorized to serve which 85 directory, not without assuming a secure method for finding LDAP 86 servers (e.g., DNSSEC). This is a significant, and oft-unstated 87 restriction on users of LDAP. 89 Domain based names can eliminate this problem by allowing LDAP 90 service names to indicate which LDAP directory they are authorized to 91 serve. 93 A domain-based name consists of three required elements: 94 o a service name 95 o a domain name 96 o a hostname 98 3. Name Type OID and Symbolic Name 100 The new name type has an OID of 101 [NOTE: OID assignment to be made with IANA.] 103 {iso(1) org(3) dod(6) internet(1) security(5) nametypes(6) 104 gss-domain-based(5)} 106 The recommended symbolic name for this GSS-API name type is 107 "GSS_C_NT_DOMAINBASED_SERVICE". 109 4. Query and Display Syntaxes 111 There is a single name syntax for domain-based names. 113 The syntax is: 114 domain-based-name := 115 | '@' '@' 117 Note that for Internet domain names the trailing '.' is not and MUST 118 NOT be included in the domain name (or hostname) parts of the display 119 form GSS-API domain-based MNs. 121 5. Examples 123 o ldap@example.tld@ds1.example.tld 124 o kadmin@example.tld@kdc1.example.tld 126 6. Security Considerations 128 Use of GSS-API domain-based names may not be negotiable by some 129 GSS-API mechanisms, and some acceptors may not support GSS-API 130 domain-based names. In such cases initiators are left to fallback on 131 the use of hostbased names, in which case the initiators MUST also 132 verify that the acceptor's hostbased name is authorized to provide 133 the given service for the domain that the initiator had wanted. 135 The above security consideration also applies to all GSS-API 136 initiators who lack support for domain-based service names. 138 7. References 140 7.1 Normative 142 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 143 Requirement Levels", BCP 14, RFC 2119, March 1997. 145 [RFC2743] Linn, J., "Generic Security Service Application Program 146 Interface Version 2, Update 1", RFC 2743, January 2000. 148 7.2 Informative 150 [RFC1964] Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC 151 1964, June 1996. 153 [RFC2222] Myers, J., "Simple Authentication and Security Layer 154 (SASL)", RFC 2222, October 1997. 156 [RFC3377] Hodges, J. and R. Morgan, "Lightweight Directory Access 157 Protocol (v3): Technical Specification", RFC 3377, 158 September 2002. 160 Author's Address 162 Nicolas Williams 163 Sun Microsystems 164 5300 Riata Trace Ct 165 Austin, TX 78727 166 US 168 EMail: Nicolas.Williams@sun.com 170 Intellectual Property Statement 172 The IETF takes no position regarding the validity or scope of any 173 Intellectual Property Rights or other rights that might be claimed to 174 pertain to the implementation or use of the technology described in 175 this document or the extent to which any license under such rights 176 might or might not be available; nor does it represent that it has 177 made any independent effort to identify any such rights. Information 178 on the procedures with respect to rights in RFC documents can be 179 found in BCP 78 and BCP 79. 181 Copies of IPR disclosures made to the IETF Secretariat and any 182 assurances of licenses to be made available, or the result of an 183 attempt made to obtain a general license or permission for the use of 184 such proprietary rights by implementers or users of this 185 specification can be obtained from the IETF on-line IPR repository at 186 http://www.ietf.org/ipr. 188 The IETF invites any interested party to bring to its attention any 189 copyrights, patents or patent applications, or other proprietary 190 rights that may cover technology that may be required to implement 191 this standard. Please address the information to the IETF at 192 ietf-ipr@ietf.org. 194 Disclaimer of Validity 196 This document and the information contained herein are provided on an 197 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 198 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 199 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 200 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 201 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 202 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 204 Copyright Statement 206 Copyright (C) The Internet Society (2004). This document is subject 207 to the rights, licenses and restrictions contained in BCP 78, and 208 except as set forth therein, the authors retain all their rights. 210 Acknowledgment 212 Funding for the RFC Editor function is currently provided by the 213 Internet Society.