idnits 2.17.1 draft-ietf-kitten-gssapi-extensions-iana-08.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (October 16, 2013) is 3842 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 5226 (Obsoleted by RFC 8126) -- Obsolete informational reference (is this intentional?): RFC 2853 (Obsoleted by RFC 5653) Summary: 1 error (**), 0 flaws (~~), 1 warning (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 NETWORK WORKING GROUP N. Williams 3 Internet-Draft Cryptonector LLC 4 Intended status: Standards Track A. Melnikov 5 Expires: April 19, 2014 Isode Ltd 6 October 16, 2013 8 Namespace Considerations and Registries for GSS-API Extensions 9 draft-ietf-kitten-gssapi-extensions-iana-08.txt 11 Abstract 13 This document describes the ways in which the GSS-API may be extended 14 and directs the creation of an IANA registry for various GSS-API 15 namespaces. 17 Status of This Memo 19 This Internet-Draft is submitted in full conformance with the 20 provisions of BCP 78 and BCP 79. 22 Internet-Drafts are working documents of the Internet Engineering 23 Task Force (IETF). Note that other groups may also distribute 24 working documents as Internet-Drafts. The list of current Internet- 25 Drafts is at http://datatracker.ietf.org/drafts/current/. 27 Internet-Drafts are draft documents valid for a maximum of six months 28 and may be updated, replaced, or obsoleted by other documents at any 29 time. It is inappropriate to use Internet-Drafts as reference 30 material or to cite them other than as "work in progress." 32 This Internet-Draft will expire on April 19, 2014. 34 Copyright Notice 36 Copyright (c) 2013 IETF Trust and the persons identified as the 37 document authors. All rights reserved. 39 This document is subject to BCP 78 and the IETF Trust's Legal 40 Provisions Relating to IETF Documents 41 (http://trustee.ietf.org/license-info) in effect on the date of 42 publication of this document. Please review these documents 43 carefully, as they describe your rights and restrictions with respect 44 to this document. Code Components extracted from this document must 45 include Simplified BSD License text as described in Section 4.e of 46 the Trust Legal Provisions and are provided without warranty as 47 described in the Simplified BSD License. 49 Table of Contents 51 1. Conventions used in this document . . . . . . . . . . . . . . 2 52 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 53 3. Extensions to the GSS-API . . . . . . . . . . . . . . . . . . 2 54 4. Generic GSS-API Namespaces . . . . . . . . . . . . . . . . . 3 55 5. Language Binding-Specific GSS-API Namespaces . . . . . . . . 3 56 6. Extension-Specific GSS-API Namespaces . . . . . . . . . . . . 3 57 7. Registration Form . . . . . . . . . . . . . . . . . . . . . . 4 58 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 59 8.1. Initial Namespace Registrations . . . . . . . . . . . . . . 7 60 8.2. Registration Maintenance Guidelines . . . . . . . . . . . . 7 61 8.2.1. Sub-Namespace Symbol Pattern Matching . . . . . . . . . . 7 62 8.2.2. Expert Reviews of Individual Submissions . . . . . 8 63 8.2.3. Change Control . . . . . . . . . . . . . . . . . . . . . 9 64 9. Security Considerations . . . . . . . . . . . . . . . . . . . 9 65 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 66 10.1. Normative References . . . . . . . . . . . . . . . . . . . 10 67 10.2. Informative References . . . . . . . . . . . . . . . . . . 10 68 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 70 1. Conventions used in this document 72 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 73 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 74 document are to be interpreted as described in [RFC2119]. 76 2. Introduction 78 There is a need for private-use and mechanism-specific extensions to 79 the Generic Security Services Application Programming Interface (GSS- 80 API). As such extensions are designed and standardized (or not), 81 both at the IETF and elsewhere, there is a non-trivial risk of 82 namespace pollution and conflicts. To avoid this we set out 83 guidelines for extending the GSS-API and direct the creation of an 84 IANA registry for GSS-API namespaces. 86 Registrations of individual items and sub-namespaces are allowed. 87 Each sub-namespace may provide different rules for registration, 88 e.g., for mechanism-specific and private-use extensions. 90 3. Extensions to the GSS-API 92 Extensions to the GSS-API can be categorized as follows: 94 o Abstract API extensions 96 o Implementation-specific 97 o Mechanism-specific 99 o Language binding-specific 101 Extensions to the GSS-API may be purely semantic, without effect on 102 the GSS-API's namespaces. Or they may introduce new functions, 103 constants, types, etc...; these clearly affect the GSS-API 104 namespaces. 106 Extensions that affect the GSS-API namespaces should be registered 107 with the IANA as described herein. 109 4. Generic GSS-API Namespaces 111 The abstract API namespaces for the GSS-API are: 113 o Type names 115 o Function names 117 o Constant names for various types 119 o Constant values for various types 121 o Name types (OID, type name and syntaxes) 123 Additionally we have namespaces associates with the OBJECT IDENTIFIER 124 (OID) type. The IANA already maintains a registry of such OIDs: 126 o Mechanism OIDs 128 o Name Type OIDs 130 5. Language Binding-Specific GSS-API Namespaces 132 Language binding specific namespaces include, among others: 134 o Header/interface module names 136 o Object classes and/or types 138 o Methods and/or functions 140 o Constant names 142 o Constant values 144 6. Extension-Specific GSS-API Namespaces 145 Extensions to the GSS-API may create additional namespaces. See 146 Section 8.2. 148 7. Registration Form 150 Registrations for GSS-API namespaces SHALL take the following form: 152 +----------------+-------------------------+------------------------+ 153 | Registration | Possible Values | Description | 154 | Field | | | 155 +----------------+-------------------------+------------------------+ 156 | Bindings | 'Generic', | Indicates the name of | 157 | | 'C-bindings', 'Java', | the programming | 158 | | 'C#', | registration involves, | 160 | | | or, if 'Generic', that | 161 | | | this is an entry for | 162 | | | the generic abstract | 163 | | | GSS-API (i.e., not | 164 | | | specific to any | 165 | | | programming language). | 166 +----------------+-------------------------+------------------------+ 167 | Registration | 'Instance', 'Sub- | Indicates whether this | 168 | type | Namespace' | entry reserves a given | 169 | | | symbol name (and | 170 | | | possibly, constant | 171 | | | value), or whether it | 172 | | | reserves an entire | 173 | | | sub-namespace (the | 174 | | | name is a pattern) or | 175 | | | constant value range. | 176 +----------------+-------------------------+------------------------+ 177 | Object Type | defined by the | Indicates the type of | 178 | | binding language (for | the object whose | 179 | | example 'Data-Type', | symbolic name or | 180 | | 'Function', 'Method', | constant value this | 181 | | 'Integer', 'String', | entry registers. The | 182 | | 'OID', 'Context-Flag', | possible values of | 183 | | 'Name-Type', 'Macro', | this field depend on | 184 | | 'Header-File-Name', | the programming | 185 | | 'Module-Name', 'Class') | language in question, | 186 | | | therefore they are not | 187 | | | all specified here. | 188 +----------------+-------------------------+------------------------+ 189 | Symbol | | or symbol sub- | 191 | | | namespace being | 192 | | | registered. See | 193 | | | Section 8.2.1 | 194 +----------------+-------------------------+------------------------+ 195 | Binding of | | language binding of | 198 | | | the GSS-API, then this | 199 | | | names the abstract API | 200 | | | element of which it is | 201 | | | a binding (OPTIONAL). | 202 +----------------+-------------------------+------------------------+ 203 | Constant | or | The value of the | 204 | Value/Range | | constant named by the | 205 | | | . | 206 | | | This field is present | 207 | | | only for Instance and | 208 | | | Sub-namespace | 209 | | | registrations of | 210 | | | Constant object types. | 211 +----------------+-------------------------+------------------------+ 212 | Description | | Description of the | 213 | | | registration. | 214 | | | Multiple instances of | 215 | | | this field may result | 216 | | | (see Section 8.2.3). | 217 +----------------+-------------------------+------------------------+ 218 | Registration | to an IANA | Describes the rules | 219 | Rules | registration Policy | for allocation of | 220 | | defined in [RFC5226] | items that fall in | 221 | | (or an RFC that updates | this sub-namespace, | 222 | | it), for instance 'IESG | for entries with | 223 | | Approval', 'Expert | Registration Type of | 224 | | Review', 'First Come | Sub-namespace | 225 | | First Served', 'Private | (OPTIONAL). For | 226 | | Use'. | private use sub- | 227 | | | namespaces the | 228 | | | submitter MUST provide | 229 | | | the e-mail address of | 230 | | | a responsible contact. | 231 | | | If this field is not | 232 | | | specified for a sub- | 233 | | | namespace, the default | 234 | | | registration rules | 235 | | | specified in Section | 236 | | | 8.2 apply. | 237 +----------------+-------------------------+------------------------+ 238 | Reference | | Reference to a | 239 | | | document that | 240 | | | describes the | 241 | | | registration, if any | 242 | | | (OPTIONAL). Multiple | 243 | | | instances of this | 244 | | | field are allowed, | 245 | | | with one reference | 246 | | | each. | 247 +----------------+-------------------------+------------------------+ 248 | Expert | | instances of this | 251 | | | field are allowed, | 252 | | | with one expert | 253 | | | reviewer per-instance. | 254 | | | Leave this field blank | 255 | | | when requesting a | 256 | | | registration. It will | 257 | | | be filled in by the | 258 | | | Expert who reviews the | 259 | | | registration. | 260 +----------------+-------------------------+------------------------+ 261 | Expert Review | | request that some | 263 | | | comments be included | 264 | | | with the registration, | 265 | | | e.g., regarding | 266 | | | security | 267 | | | considerations of the | 268 | | | registered extension. | 269 +----------------+-------------------------+------------------------+ 270 | Status | 'Registered' or | Status of the | 271 | | 'Obsoleted' | registration. | 272 +----------------+-------------------------+------------------------+ 273 | Obsoleting | | Reference to a | 274 | Reference | | document, if any, that | 275 | | | obsoletes this | 276 | | | registration. | 277 | | | Multiple instances of | 278 | | | this field are | 279 | | | allowed, with one | 280 | | | reference each. | 281 | | | (OPTIONAL) | 282 +----------------+-------------------------+------------------------+ 284 The IANA should create a single GSS-API namespace registry, or 285 multiple registries, one for symbolic names and one for constant 286 values, and/or it may create a registry per-programming language, at 287 its convenience. 289 Entries in these registries should consist of all the fields from 290 their corresponding registration entries. 292 Entries should be sorted by: programming language, registration type, 293 object type, and symbol name/pattern. 295 8. IANA Considerations 297 This document deals with IANA considerations throughout. 298 Specifically it creates a single registry of various kinds of things, 299 though the IANA may instead create multiple registries, each for one 300 of those kinds of things. Of particular interest may be that IANA 301 will now be the registration authority for the GSS-API name type OID 302 space. 304 8.1. Initial Namespace Registrations 306 Initial registry content corresponding to the items defined in 307 [RFC2743], [RFC2744], [RFC2853], [RFC1964] and [RFC4121] and others 308 will be supplied during the IANA review portion of the RFC publishing 309 process. [[Note to RFC Editor: Delete the following sentence before 310 publication:]] The KITTEN WG chairs MUST indicate that such content 311 has been reviewed by the WG and that there is WG consensus that the 312 entries are in agreement with those RFCs. 314 8.2. Registration Maintenance Guidelines 316 Standards-Track RFCs can create new items with any non-conflicting 317 Symbol Name/Prefix value for this registry by virtue of IESG approval 318 to publish as a Standards-Track RFC -- that is, without additional 319 expert review. 321 Standards-Track RFCs can mark existing entries as obsolete, and can 322 even create conflicting entries if explicitly stated (the IESG, of 323 course, should review conflicts carefully, and may reject them). 325 IANA shall also consider submissions from individuals, and via 326 Informational and Experimental RFCs, subject to Expert Review. IANA 327 SHALL allow such registrations if a) they are not conflicting, b) 328 provided that the registration is for object types other than 329 Context-Flags, and c) subject to expert review. Guidelines for 330 expert reviews are given below. 332 8.2.1. Sub-Namespace Symbol Pattern Matching 334 Sub-namespace registrations must provide a pattern for matching 335 symbols for which the sub-namespace's registration rules apply. The 336 pattern consists of a string with the following special tokens: 338 o '*', meaning "match any string." 340 o "%m", meaning "match any mechanism family short-hand name." 342 o "%i", meaning "match any implementor vanity short-hand name." 344 For example, "GSS_%m_*" matches "GSS_krb5_foo" since "krb5" is a 345 common short-hand for the Kerberos V GSS-API mechanism [RFC1964]. 346 But "GSS_%m_*" does not match "GSS_foo_bar" unless "foo" is asserted 347 to be a short-hand for some mechanism. 349 8.2.2. Expert Reviews of Individual Submissions 351 [[The following paragraph should be deleted from the document before 352 publication, as it will not age well. It should be moved to the 353 shepherding write-up.]] 355 Expert review selection SHALL be done as follows. If, at the time 356 that the IANA receives an individual submission for registration in 357 this registry, there are any IETF Working Groups chartered to produce 358 GSS-API-related documents, then the IANA SHALL ask the chairs of such 359 WGs to be expert reviewers or to name one. If there are no such WGs 360 at that time, then the IANA SHALL ask past chairs of the KITTEN WG 361 and the author/editor of this RFC to act as expert reviewers or name 362 an alternate. 364 Expert reviewers of individual registration submissions with 365 Registration Type == Sub-namespace should check that the registration 366 request has a suitable description (which doesn't need to be 367 sufficiently detailed for others to implement) and that the Symbol 368 Name/Prefix is sufficiently descriptive of the purpose of the sub- 369 namespace or reflective of the name of the submitter or associated 370 company. 372 Expert reviewers of individual registration submissions with 373 Registration Type == Instance should check that the Symbol Name falls 374 under a sub-namespace controlled by the submitter. Registration of 375 such entries which do not fall under such a sub-namespace may be 376 allowed provided that they correspond to long existing non-standard 377 extensions to the GSS-API and this can be easily checked or 378 demonstrated, otherwise IESG Protocol Action is REQUIRED (see 379 previous section). Also, reviewers should check that any 380 registration of constant values have a detailed description that is 381 suitable for other implementors to reproduce, and that they don't 382 conflict with other usages or are otherwise dangerous in the 383 reviewers estimation. 385 Expert reviewers should review impact on mechanisms, security and 386 interoperability, and may reject or annotate registrations which can 387 have mechanism impact that requires IESG protocol action. Consider, 388 for example, new versions of GSS_Init_sec_context() and/or 389 GSS_Accept_sec_context which have new input and/or output parameters 390 which imply changes on the wire or in behaviour that may result in 391 interoperability issues. A reviewer could choose to add notes to the 392 registration describing such issues, or the reviewer might conclude 393 that the danger to Internet interoperability is sufficient to warrant 394 rejecting the registration. 396 8.2.3. Change Control 398 Registered entries may be marked obsoleted using the same expert 399 review process as for registering new entries. Obsoleted entries are 400 not, however, to be deleted, but merely marked having Obsoleted 401 Status. Note that entries may be created as obsoleted to record the 402 fact that the given symbol(s) have been used before, even though 403 continued use of them is discouraged. 405 Registered entries may also be updated in two other ways: additional 406 references, obsoleting references, and descriptions may be added. 408 All changes are subject to expert review, except for changes to 409 registrations in a sub-namespace which are subject to the rules of 410 the relevant sub-namespace. The submitter of a change request need 411 not be the same as the original submitter. 413 Registrations may be modified by addition, but under no circumstance 414 may any fields be modified except for the Status field or Contact 415 Address, or to correct for transcription errors in filing or 416 processing registration requests. 418 The IANA SHALL add a field describing the date that a an addition or 419 modification was made, and a description of the change. 421 9. Security Considerations 423 General security considerations relating to IANA registration 424 services apply; see [RFC5226]. 426 Also, expert reviewers should look for and may document security 427 related issues with submitters' GSS-API extensions, to the best of 428 the reviewers' ability given the information furnished by the 429 submitter. Reviewers may add comments regarding their limited 430 ability to review a submission for security problems if the submitter 431 is unwilling to provide sufficient documentation. 433 10. References 434 10.1. Normative References 436 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 437 Requirement Levels", BCP 14, RFC 2119, March 1997. 439 [RFC2743] Linn, J., "Generic Security Service Application Program 440 Interface Version 2, Update 1", RFC 2743, January 2000. 442 [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an 443 IANA Considerations Section in RFCs", BCP 26, RFC 5226, 444 May 2008. 446 10.2. Informative References 448 [RFC1964] Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC 449 1964, June 1996. 451 [RFC2744] Wray, J., "Generic Security Service API Version 2 : 452 C-bindings", RFC 2744, January 2000. 454 [RFC2853] Kabat, J. and M. Upadhyay, "Generic Security Service API 455 Version 2 : Java Bindings", RFC 2853, June 2000. 457 [RFC4121] Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos 458 Version 5 Generic Security Service Application Program 459 Interface (GSS-API) Mechanism: Version 2", RFC 4121, July 460 2005. 462 Authors' Addresses 464 Nicolas Williams 465 Cryptonector LLC 467 Email: nico@cryptonector.com 469 Alexey Melnikov 470 Isode Ltd 471 5 Castle Business Village 472 36 Station Road 473 Hampton, Middlesex TW12 2BX 474 UK 476 Email: Alexey.Melnikov@isode.com