idnits 2.17.1 draft-ietf-kitten-gssapi-prf-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3667, Section 5.1 on line 13. -- Found old boilerplate from RFC 3978, Section 5.5 on line 198. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 175. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 182. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 188. ** Found boilerplate matching RFC 3978, Section 5.4, paragraph 1 (on line 204), which is fine, but *also* found old RFC 2026, Section 10.4C, paragraph 1 text on line 35. ** The document seems to lack an RFC 3978 Section 5.1 IPR Disclosure Acknowledgement -- however, there's a paragraph with a matching beginning. Boilerplate error? ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. ** The document uses RFC 3667 boilerplate or RFC 3978-like boilerplate instead of verbatim RFC 3978 boilerplate. After 6 May 2005, submission of drafts without verbatim RFC 3978 boilerplate is not accepted. The following non-3978 patterns matched text found in the document. That text should be removed or replaced: By submitting this Internet-Draft, I certify that any applicable patent or other IPR claims of which I am aware have been disclosed, or will be disclosed, and any of which I become aware will be disclosed, in accordance with RFC 3668. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard == It seems as if not all pages are separated by form feeds - found 0 form feeds but 8 pages Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** There are 5 instances of lines with control characters in the document. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (July 2004) is 7224 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Missing reference section? 'RFC2119' on line 147 looks like a reference -- Missing reference section? 'RFC2743' on line 150 looks like a reference -- Missing reference section? 'RFC2744' on line 153 looks like a reference Summary: 8 errors (**), 0 flaws (~~), 3 warnings (==), 10 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 NETWORK WORKING GROUP N. Williams 2 Internet-Draft Sun 3 Expires: December 30, 2004 July 2004 5 A PRF API extension for the GSS-API 6 draft-ietf-kitten-gssapi-prf-00.txt 8 Status of this Memo 10 By submitting this Internet-Draft, I certify that any applicable 11 patent or other IPR claims of which I am aware have been disclosed, 12 and any of which I become aware will be disclosed, in accordance with 13 RFC 3668. 15 Internet-Drafts are working documents of the Internet Engineering 16 Task Force (IETF), its areas, and its working groups. Note that 17 other groups may also distribute working documents as 18 Internet-Drafts. 20 Internet-Drafts are draft documents valid for a maximum of six months 21 and may be updated, replaced, or obsoleted by other documents at any 22 time. It is inappropriate to use Internet-Drafts as reference 23 material or to cite them other than as "work in progress." 25 The list of current Internet-Drafts can be accessed at 26 http://www.ietf.org/ietf/1id-abstracts.txt. 28 The list of Internet-Draft Shadow Directories can be accessed at 29 http://www.ietf.org/shadow.html. 31 This Internet-Draft will expire on December 30, 2004. 33 Copyright Notice 35 Copyright (C) The Internet Society (2004). All Rights Reserved. 37 Abstract 39 This document defines a Pseudo-Random Function (PRF) extension to the 40 Generic Security Service Applicatoin Programming Interface (GSS-API) 41 for keying application protocols given an established GSS-API 42 security context. The primary intended use of this function is to 43 key secure session layers that don't or cannot use GSS-API 44 per-message MIC (message integrity check) and wrap tokens for session 45 protection. 47 Table of Contents 49 1. Conventions used in this document . . . . . . . . . . . . . . 3 50 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 51 3. GSS_Pseudo_random() . . . . . . . . . . . . . . . . . . . . . 5 52 3.1 C-Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . 6 53 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 54 5. Normative . . . . . . . . . . . . . . . . . . . . . . . . . . 7 55 Author's Address . . . . . . . . . . . . . . . . . . . . . . . 7 56 Intellectual Property and Copyright Statements . . . . . . . . 8 58 1. Conventions used in this document 60 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 61 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 62 document are to be interpreted as described in [RFC2119]. 64 2. Introduction 66 A need has arisen for users of the GSS-API to key applications' 67 cryptographic protocols using established GSS-API security contexts. 68 Such applications can use the GSS-API for authentication, but not for 69 transport security (for whatever reasons), and since the GSS-API does 70 not provide a method for obtaining keying material from established 71 security contexts such applications cannot make effective use of the 72 GSS-API. 74 To address this need we define a PRF extension to the GSS-API. 76 3. GSS_Pseudo_random() 78 Inputs: 80 o context CONTEXT handle, 81 o prf_in OCTET STRING, 82 o desired_output_len INTEGER 84 Outputs: 86 o major_status INTEGER, 87 o minor_status INTEGER, 88 o prf_out OCTET STRING 90 Return major_status codes: 91 o GSS_S_COMPLETE indicates no error. 92 o GSS_S_NO_CONTEXT indicates that a null context has been provided 93 as input. 94 o GSS_S_CONTEXT_EXPIRED indicates that an expired context has been 95 provided as input. 96 o GSS_S_UNAVAILABLE indicates that the mechanism lacks support for 97 this functions. 98 o GSS_S_FAILURE indicates failure or lack of support; the minor 99 status code may provide additional information. 101 This function applies the established context's mechanism's keyed PRF 102 function to the input data (prf_in), keyed with key material 103 associated with the given security context and outputs the resulting 104 octet string (prf_out) of desired_output_len length. 106 Mechanisms MAY limit the output of the PRF according, possibly in 107 ways related to the types of cryptographic keys available for the PRF 108 function, thus the prf_out output of GSS_Pseudo_random() MAY be 109 smaller than requested. 111 This function, applied to the same inputs by an initiator and 112 acceptor using the same established context, produces the *same 113 results* for both, the initiator and acceptor. 115 Applications SHOULD NOT make more than one GSS PRF call 116 per-established security context. 118 If an application makes multiple calls, per established security 119 context, to the GSS PRF, then it is up to the application to ensure 120 synchronization of order of function calls between initiator and 121 acceptor; such applications SHOULD provide different input octet 122 strings to each such GSS PRF call. The result of making multiple 123 calls to the GSS PRF in different order on the initiator and acceptor 124 sides is undefined. 126 3.1 C-Bindings 128 OM_uint32 gss_pseudo_random( 129 OM_uint32 *minor_status, 130 gss_ctx_id_t context, 131 const gss_buffer_t prf_in, 132 ssize_t desired_output_len, 133 gss_buffer_t prf_out 134 ); 136 4. Security Considerations 138 Care should be taken in properly designing a mechanism's PRF 139 function. 141 GSS mechanisms' PRF functions should use a key derived from contexts' 142 session keys and should preserve the forward security properties of 143 the mechanisms' key exchanges. 145 5 Normative 147 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 148 Requirement Levels", BCP 14, RFC 2119, March 1997. 150 [RFC2743] Linn, J., "Generic Security Service Application Program 151 Interface Version 2, Update 1", RFC 2743, January 2000. 153 [RFC2744] Wray, J., "Generic Security Service API Version 2 : 154 C-bindings", RFC 2744, January 2000. 156 Author's Address 158 Nicolas Williams 159 Sun Microsystems 160 5300 Riata Trace Ct 161 Austin, TX 78727 162 US 164 EMail: Nicolas.Williams@sun.com 166 Intellectual Property Statement 168 The IETF takes no position regarding the validity or scope of any 169 Intellectual Property Rights or other rights that might be claimed to 170 pertain to the implementation or use of the technology described in 171 this document or the extent to which any license under such rights 172 might or might not be available; nor does it represent that it has 173 made any independent effort to identify any such rights. Information 174 on the procedures with respect to rights in RFC documents can be 175 found in BCP 78 and BCP 79. 177 Copies of IPR disclosures made to the IETF Secretariat and any 178 assurances of licenses to be made available, or the result of an 179 attempt made to obtain a general license or permission for the use of 180 such proprietary rights by implementers or users of this 181 specification can be obtained from the IETF on-line IPR repository at 182 http://www.ietf.org/ipr. 184 The IETF invites any interested party to bring to its attention any 185 copyrights, patents or patent applications, or other proprietary 186 rights that may cover technology that may be required to implement 187 this standard. Please address the information to the IETF at 188 ietf-ipr@ietf.org. 190 Disclaimer of Validity 192 This document and the information contained herein are provided on an 193 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 194 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 195 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 196 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 197 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 198 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 200 Copyright Statement 202 Copyright (C) The Internet Society (2004). This document is subject 203 to the rights, licenses and restrictions contained in BCP 78, and 204 except as set forth therein, the authors retain all their rights. 206 Acknowledgment 208 Funding for the RFC Editor function is currently provided by the 209 Internet Society.