idnits 2.17.1 draft-ietf-kitten-gssapi-extensions-iana-09.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (January 13, 2015) is 3383 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 5226 (Obsoleted by RFC 8126) -- Obsolete informational reference (is this intentional?): RFC 2853 (Obsoleted by RFC 5653) Summary: 1 error (**), 0 flaws (~~), 1 warning (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 NETWORK WORKING GROUP N. Williams 3 Internet-Draft Cryptonector LLC 4 Intended status: Standards Track A. Melnikov 5 Expires: July 17, 2015 Isode Ltd 6 January 13, 2015 8 Namespace Considerations and Registries for GSS-API Extensions 9 draft-ietf-kitten-gssapi-extensions-iana-09.txt 11 Abstract 13 This document describes the ways in which the GSS-API may be extended 14 and directs the creation of an IANA registry for various GSS-API 15 namespaces. 17 Status of This Memo 19 This Internet-Draft is submitted in full conformance with the 20 provisions of BCP 78 and BCP 79. 22 Internet-Drafts are working documents of the Internet Engineering 23 Task Force (IETF). Note that other groups may also distribute 24 working documents as Internet-Drafts. The list of current Internet- 25 Drafts is at http://datatracker.ietf.org/drafts/current/. 27 Internet-Drafts are draft documents valid for a maximum of six months 28 and may be updated, replaced, or obsoleted by other documents at any 29 time. It is inappropriate to use Internet-Drafts as reference 30 material or to cite them other than as "work in progress." 32 This Internet-Draft will expire on July 17, 2015. 34 Copyright Notice 36 Copyright (c) 2015 IETF Trust and the persons identified as the 37 document authors. All rights reserved. 39 This document is subject to BCP 78 and the IETF Trust's Legal 40 Provisions Relating to IETF Documents 41 (http://trustee.ietf.org/license-info) in effect on the date of 42 publication of this document. Please review these documents 43 carefully, as they describe your rights and restrictions with respect 44 to this document. Code Components extracted from this document must 45 include Simplified BSD License text as described in Section 4.e of 46 the Trust Legal Provisions and are provided without warranty as 47 described in the Simplified BSD License. 49 Table of Contents 51 1. Conventions used in this document . . . . . . . . . . . . . . 2 52 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 53 3. Extensions to the GSS-API . . . . . . . . . . . . . . . . . . 2 54 4. Generic GSS-API Namespaces . . . . . . . . . . . . . . . . . 3 55 5. Language Binding-Specific GSS-API Namespaces . . . . . . . . 3 56 6. Extension-Specific GSS-API Namespaces . . . . . . . . . . . . 4 57 7. Registration Form . . . . . . . . . . . . . . . . . . . . . . 4 58 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 59 8.1. Initial Namespace Registrations . . . . . . . . . . . . . . 7 60 8.1.1. Example registrations . . . . . . . . . . . . . . . . . . 7 61 8.2. Registration Maintenance Guidelines . . . . . . . . . . . . 9 62 8.2.1. Sub-Namespace Symbol Pattern Matching . . . . . . . . . . 9 63 8.2.2. Expert Reviews of Individual Submissions . . . . . 10 64 8.2.3. Change Control . . . . . . . . . . . . . . . . . . . . . 11 65 9. Security Considerations . . . . . . . . . . . . . . . . . . . 11 66 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 67 10.1. Normative References . . . . . . . . . . . . . . . . . . . 11 68 10.2. Informative References . . . . . . . . . . . . . . . . . . 12 69 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 71 1. Conventions used in this document 73 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 74 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 75 document are to be interpreted as described in [RFC2119]. 77 2. Introduction 79 There is a need for private-use and mechanism-specific extensions to 80 the Generic Security Services Application Programming Interface (GSS- 81 API). As such extensions are designed and standardized (or not), 82 both at the IETF and elsewhere, there is a non-trivial risk of 83 namespace pollution and conflicts. To avoid this we set out 84 guidelines for extending the GSS-API and direct the creation of an 85 IANA registry for GSS-API namespaces. 87 Registrations of individual items and sub-namespaces are allowed. 88 Each sub-namespace may provide different rules for registration, 89 e.g., for mechanism-specific and private-use extensions. 91 3. Extensions to the GSS-API 93 Extensions to the GSS-API can be categorized as follows: 95 o Abstract API extensions 96 o Implementation-specific 98 o Mechanism-specific 100 o Language binding-specific 102 Extensions to the GSS-API may be purely semantic, without effect on 103 the GSS-API's namespaces. Or they may introduce new functions, 104 constants, types, etc...; these clearly affect the GSS-API 105 namespaces. 107 Extensions that affect the GSS-API namespaces should be registered 108 with the IANA as described herein. 110 4. Generic GSS-API Namespaces 112 The abstract API namespaces for the GSS-API are: 114 o Type names 116 o Function names 118 o Constant names for various types 120 o Constant values for various types 122 o Name types (OID, type name and syntaxes) 124 Additionally we have namespaces associates with the OBJECT IDENTIFIER 125 (OID) type. The IANA already maintains a registry of such OIDs: 127 o Mechanism OIDs 129 o Name Type OIDs 131 5. Language Binding-Specific GSS-API Namespaces 133 Language binding specific namespaces include, among others: 135 o Header/interface module names 137 o Object classes and/or types 139 o Methods and/or functions 141 o Constant names 143 o Constant values 145 6. Extension-Specific GSS-API Namespaces 147 Extensions to the GSS-API may create additional namespaces. See 148 Section 8.2. 150 7. Registration Form 152 Registrations for GSS-API namespaces SHALL take the following form: 154 +--------------+---------------------+------------------------------+ 155 | Registration | Possible Values | Description | 156 | Field | | | 157 +--------------+---------------------+------------------------------+ 158 | Bindings | 'Generic', | Indicates the name of the | 159 | | 'C-bindings', | programming language that | 160 | | 'Java', 'C#', | this registration involves, | 161 | | | is an entry for the generic | 163 | | | abstract GSS-API (i.e., not | 164 | | | specific to any programming | 165 | | | language). | 166 +--------------+---------------------+------------------------------+ 167 | Registration | 'Instance', 'Sub- | Indicates whether this entry | 168 | type | Namespace' | reserves a given symbol name | 169 | | | (and possibly, constant | 170 | | | value), or whether it | 171 | | | reserves an entire sub- | 172 | | | namespace (the name is a | 173 | | | pattern) or constant value | 174 | | | range. | 175 +--------------+---------------------+------------------------------+ 176 | Object Type | defined by | Indicates the type of the | 177 | | the binding | object whose symbolic name | 178 | | language (for | or constant value this entry | 179 | | example 'Data- | registers. The possible | 180 | | Type', 'Function', | values of this field depend | 181 | | 'Method', | on the programming language | 182 | | 'Integer', | in question, therefore they | 183 | | 'String', 'OID', | are not all specified here. | 184 | | 'Context-Flag', | | 185 | | 'Name-Type', | | 186 | | 'Macro', 'Header- | | 187 | | File-Name', | | 188 | | 'Module-Name', | | 189 | | 'Class') | | 190 +--------------+---------------------+------------------------------+ 191 | Symbol | | symbol sub-namespace being | 193 | | | registered. See Section | 194 | | | 8.2.1 | 195 +--------------+---------------------+------------------------------+ 196 | Binding of | | the abstract API element of | 200 | | | which it is a binding | 201 | | | (OPTIONAL). | 202 +--------------+---------------------+------------------------------+ 203 | Constant | or | The value of the constant | 204 | Value/Range | | Name/Prefix>. This field is | 206 | | | present only for Instance | 207 | | | and Sub-namespace | 208 | | | registrations of Constant | 209 | | | object types. | 210 +--------------+---------------------+------------------------------+ 211 | Description | | Description of the | 212 | | | registration. Multiple | 213 | | | instances of this field may | 214 | | | result (see Section 8.2.3). | 215 +--------------+---------------------+------------------------------+ 216 | Registration | to an | Describes the rules for | 217 | Rules | IANA registration | allocation of items that | 218 | | Policy defined in | fall in this sub-namespace, | 219 | | [RFC5226] (or an | for entries with | 220 | | RFC that updates | Registration Type of Sub- | 221 | | it), for instance | namespace (OPTIONAL). For | 222 | | 'IESG Approval', | private use sub-namespaces | 223 | | 'Expert Review', | the submitter MUST provide | 224 | | 'First Come First | the e-mail address of a | 225 | | Served', 'Private | responsible contact. If | 226 | | Use'. | this field is not specified | 227 | | | for a sub-namespace, the | 228 | | | default registration rules | 229 | | | specified in Section 8.2 | 230 | | | apply. | 231 +--------------+---------------------+------------------------------+ 232 | Reference | | Reference to a document that | 233 | | | describes the registration, | 234 | | | if any (OPTIONAL). Multiple | 235 | | | instances of this field are | 236 | | | allowed, with one reference | 237 | | | each. | 238 +--------------+---------------------+------------------------------+ 239 | Expert | | field are allowed, with one | 242 | | | expert reviewer per- | 243 | | | instance. Leave this field | 244 | | | blank when requesting a | 245 | | | registration. It will be | 246 | | | filled in by the Expert who | 247 | | | reviews the registration. | 248 +--------------+---------------------+------------------------------+ 249 | Expert | | that some comments be | 251 | | | included with the | 252 | | | registration, e.g., | 253 | | | regarding security | 254 | | | considerations of the | 255 | | | registered extension. | 256 +--------------+---------------------+------------------------------+ 257 | Status | 'Registered' or | Status of the registration. | 258 | | 'Obsoleted' | | 259 +--------------+---------------------+------------------------------+ 260 | Obsoleting | | Reference to a document, if | 261 | Reference | | any, that obsoletes this | 262 | | | registration. Multiple | 263 | | | instances of this field are | 264 | | | allowed, with one reference | 265 | | | each. (OPTIONAL) | 266 +--------------+---------------------+------------------------------+ 268 The IANA should create a single GSS-API namespace registry, or 269 multiple registries, one for symbolic names and one for constant 270 values, and/or it may create a registry per-programming language, at 271 its convenience. 273 Entries in these registries should consist of all the fields from 274 their corresponding registration entries. 276 Entries should be sorted by: programming language, registration type, 277 object type, and symbol name/pattern. 279 8. IANA Considerations 281 This document deals with IANA considerations throughout. 282 Specifically it creates a single registry of various kinds of things, 283 though the IANA may instead create multiple registries, each for one 284 of those kinds of things. Of particular interest may be that IANA 285 will now be the registration authority for the GSS-API name type OID 286 space. 288 8.1. Initial Namespace Registrations 290 Initial registry content corresponding to the items defined in 291 [RFC2743], [RFC2744], [RFC2853], [RFC1964] and [RFC4121] and others 292 will be supplied during the IANA review portion of the RFC publishing 293 process. [[Note to RFC Editor: Delete the following sentence before 294 publication:]] The KITTEN WG chairs MUST indicate that such content 295 has been reviewed by the WG and that there is WG consensus that the 296 entries are in agreement with those RFCs. 298 8.1.1. Example registrations 300 In order to sanity check recommended IANA registration templates, 301 this section registers several entries. 303 +--------------------+----------------------------------------------+ 304 | Registration Field | Possible Values | 305 +--------------------+----------------------------------------------+ 306 | Bindings | C-bindings | 307 +--------------------+----------------------------------------------+ 308 | Registration type | Instance | 309 +--------------------+----------------------------------------------+ 310 | Object Type | Function | 311 +--------------------+----------------------------------------------+ 312 | Symbol Name | gss_init_sec_context | 313 +--------------------+----------------------------------------------+ 314 | Binding of | GSS_Init_sec_context | 315 +--------------------+----------------------------------------------+ 316 | Constant | N/A | 317 | Value/Range | | 318 +--------------------+----------------------------------------------+ 319 | Description | Create a security context by initiator | 320 +--------------------+----------------------------------------------+ 321 | Registration Rules | N/A | 322 +--------------------+----------------------------------------------+ 323 | Reference | RFC 2744 | 324 +--------------------+----------------------------------------------+ 325 | Expert Reviewer | Kitten WG | 326 +--------------------+----------------------------------------------+ 327 | Expert Review | | 328 | Notes | | 329 +--------------------+----------------------------------------------+ 330 | Status | Registered | 331 +--------------------+----------------------------------------------+ 332 | Obsoleting | N/A | 333 | Reference | | 334 +--------------------+----------------------------------------------+ 335 | Bindings | C-bindings | 336 +--------------------+----------------------------------------------+ 337 | Registration type | Instance | 338 +--------------------+----------------------------------------------+ 339 | Object Type | Function | 340 +--------------------+----------------------------------------------+ 341 | Symbol Name | gss_accept_sec_context | 342 +--------------------+----------------------------------------------+ 343 | Binding of | GSS_Accept_sec_context | 344 +--------------------+----------------------------------------------+ 345 | Constant | N/A | 346 | Value/Range | | 347 +--------------------+----------------------------------------------+ 348 | Description | Accept a security context from initiator | 349 +--------------------+----------------------------------------------+ 350 | Registration Rules | N/A | 351 +--------------------+----------------------------------------------+ 352 | Reference | RFC 2744 | 353 +--------------------+----------------------------------------------+ 354 | Expert Reviewer | Kitten WG | 355 +--------------------+----------------------------------------------+ 356 | Expert Review | | 357 | Notes | | 358 +--------------------+----------------------------------------------+ 359 | Status | Registered | 360 +--------------------+----------------------------------------------+ 361 | Obsoleting | N/A | 362 | Reference | | 363 +--------------------+----------------------------------------------+ 364 | Bindings | C-bindings | 365 +--------------------+----------------------------------------------+ 366 | Registration type | Instance | 367 +--------------------+----------------------------------------------+ 368 | Object Type | Context-Flag | 369 +--------------------+----------------------------------------------+ 370 | Symbol Name | GSS_C_DELEG_FLAG | 371 +--------------------+----------------------------------------------+ 372 | Binding of | deleg_state or deleg_req_flag | 373 +--------------------+----------------------------------------------+ 374 | Constant | 1 | 375 | Value/Range | | 376 +--------------------+----------------------------------------------+ 377 | Description | On output (if set): Delegated credentials | 378 | | are available via the delegated_cred_handle | 379 | | parameter of GSS_Accept_sec_context. On | 380 | | input (if set): With the call to | 381 | | GSS_Init_sec_context, delegate credentials | 382 | | to the acceptor. | 383 +--------------------+----------------------------------------------+ 384 | Registration Rules | N/A | 385 +--------------------+----------------------------------------------+ 386 | Reference | RFC 2744 | 387 +--------------------+----------------------------------------------+ 388 | Expert Reviewer | Kitten WG | 389 +--------------------+----------------------------------------------+ 390 | Expert Review | | 391 | Notes | | 392 +--------------------+----------------------------------------------+ 393 | Status | Registered | 394 +--------------------+----------------------------------------------+ 395 | Obsoleting | N/A | 396 | Reference | | 397 +--------------------+----------------------------------------------+ 399 8.2. Registration Maintenance Guidelines 401 Standards-Track RFCs can create new items with any non-conflicting 402 Symbol Name/Prefix value for this registry by virtue of IESG approval 403 to publish as a Standards-Track RFC -- that is, without additional 404 expert review. 406 Standards-Track RFCs can mark existing entries as obsolete, and can 407 even create conflicting entries if explicitly stated (the IESG, of 408 course, should review conflicts carefully, and may reject them). 410 IANA shall also consider submissions from individuals, and via 411 Informational and Experimental RFCs, subject to Expert Review. IANA 412 SHALL allow such registrations if a) they are not conflicting, b) 413 provided that the registration is for object types other than 414 Context-Flags, and c) subject to expert review. Guidelines for 415 expert reviews are given below. 417 8.2.1. Sub-Namespace Symbol Pattern Matching 419 Sub-namespace registrations must provide a pattern for matching 420 symbols for which the sub-namespace's registration rules apply. The 421 pattern consists of a string with the following special tokens: 423 o '*', meaning "match any string." 425 o "%m", meaning "match any mechanism family short-hand name." 427 o "%i", meaning "match any implementor vanity short-hand name." 429 For example, "GSS_%m_*" matches "GSS_krb5_foo" since "krb5" is a 430 common short-hand for the Kerberos V GSS-API mechanism [RFC1964]. 431 But "GSS_%m_*" does not match "GSS_foo_bar" unless "foo" is asserted 432 to be a short-hand for some mechanism. 434 8.2.2. Expert Reviews of Individual Submissions 436 [[The following paragraph should be deleted from the document before 437 publication, as it will not age well. It should be moved to the 438 shepherding write-up.]] 440 Expert review selection SHALL be done as follows. If, at the time 441 that the IANA receives an individual submission for registration in 442 this registry, there are any IETF Working Groups chartered to produce 443 GSS-API-related documents, then the IANA SHALL ask the chairs of such 444 WGs to be expert reviewers or to name one. If there are no such WGs 445 at that time, then the IANA SHALL ask past chairs of the KITTEN WG 446 and the author/editor of this RFC to act as expert reviewers or name 447 an alternate. 449 Expert reviewers of individual registration submissions with 450 Registration Type == Sub-namespace should check that the registration 451 request has a suitable description (which doesn't need to be 452 sufficiently detailed for others to implement) and that the Symbol 453 Name/Prefix is sufficiently descriptive of the purpose of the sub- 454 namespace or reflective of the name of the submitter or associated 455 company. 457 Expert reviewers of individual registration submissions with 458 Registration Type == Instance should check that the Symbol Name falls 459 under a sub-namespace controlled by the submitter. Registration of 460 such entries which do not fall under such a sub-namespace may be 461 allowed provided that they correspond to long existing non-standard 462 extensions to the GSS-API and this can be easily checked or 463 demonstrated, otherwise IESG Protocol Action is REQUIRED (see 464 previous section). Also, reviewers should check that any 465 registration of constant values have a detailed description that is 466 suitable for other implementors to reproduce, and that they don't 467 conflict with other usages or are otherwise dangerous in the 468 reviewers estimation. 470 Expert reviewers should review impact on mechanisms, security and 471 interoperability, and may reject or annotate registrations which can 472 have mechanism impact that requires IESG protocol action. Consider, 473 for example, new versions of GSS_Init_sec_context() and/or 474 GSS_Accept_sec_context which have new input and/or output parameters 475 which imply changes on the wire or in behaviour that may result in 476 interoperability issues. A reviewer could choose to add notes to the 477 registration describing such issues, or the reviewer might conclude 478 that the danger to Internet interoperability is sufficient to warrant 479 rejecting the registration. 481 8.2.3. Change Control 483 Registered entries may be marked obsoleted using the same expert 484 review process as for registering new entries. Obsoleted entries are 485 not, however, to be deleted, but merely marked having Obsoleted 486 Status. Note that entries may be created as obsoleted to record the 487 fact that the given symbol(s) have been used before, even though 488 continued use of them is discouraged. 490 Registered entries may also be updated in two other ways: additional 491 references, obsoleting references, and descriptions may be added. 493 All changes are subject to expert review, except for changes to 494 registrations in a sub-namespace which are subject to the rules of 495 the relevant sub-namespace. The submitter of a change request need 496 not be the same as the original submitter. 498 Registrations may be modified by addition, but under no circumstance 499 may any fields be modified except for the Status field or Contact 500 Address, or to correct for transcription errors in filing or 501 processing registration requests. 503 The IANA SHALL add a field describing the date that a an addition or 504 modification was made, and a description of the change. 506 9. Security Considerations 508 General security considerations relating to IANA registration 509 services apply; see [RFC5226]. 511 Also, expert reviewers should look for and may document security 512 related issues with submitters' GSS-API extensions, to the best of 513 the reviewers' ability given the information furnished by the 514 submitter. Reviewers may add comments regarding their limited 515 ability to review a submission for security problems if the submitter 516 is unwilling to provide sufficient documentation. 518 10. References 520 10.1. Normative References 522 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 523 Requirement Levels", BCP 14, RFC 2119, March 1997. 525 [RFC2743] Linn, J., "Generic Security Service Application Program 526 Interface Version 2, Update 1", RFC 2743, January 2000. 528 [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an 529 IANA Considerations Section in RFCs", BCP 26, RFC 5226, 530 May 2008. 532 10.2. Informative References 534 [RFC1964] Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC 535 1964, June 1996. 537 [RFC2744] Wray, J., "Generic Security Service API Version 2 : 538 C-bindings", RFC 2744, January 2000. 540 [RFC2853] Kabat, J. and M. Upadhyay, "Generic Security Service API 541 Version 2 : Java Bindings", RFC 2853, June 2000. 543 [RFC4121] Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos 544 Version 5 Generic Security Service Application Program 545 Interface (GSS-API) Mechanism: Version 2", RFC 4121, July 546 2005. 548 Authors' Addresses 550 Nicolas Williams 551 Cryptonector LLC 553 Email: nico@cryptonector.com 555 Alexey Melnikov 556 Isode Ltd 557 5 Castle Business Village 558 36 Station Road 559 Hampton, Middlesex TW12 2BX 560 UK 562 Email: Alexey.Melnikov@isode.com