idnits 2.17.1

draft-ietf-kitten-kerberos-iana-registries-03.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == The 'Updates: ' line in the draft header should list only the _numbers_
     of the RFCs which will be updated by this document (if approved); it
     should not include the word 'RFC' in the list.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (February 14, 2014) is 3717 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'RFC2253' is mentioned on line 201, but not defined

  ** Obsolete undefined reference: RFC 2253 (Obsoleted by RFC 4510, RFC 4514)

  == Unused Reference: 'RFC3961' is defined on line 334, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 5226 (Obsoleted by RFC 8126)

  -- Obsolete informational reference (is this intentional?): RFC 1510
     (Obsoleted by RFC 4120, RFC 6649)

     Summary: 2 errors (**), 0 flaws (~~), 4 warnings (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.
--------------------------------------------------------------------------------

2    Network Working Group                                              T. Yu
3    Internet-Draft                                   MIT Kerberos Consortium
4    Updates: rfc4120 (if approved)                         February 14, 2014
5    Intended status: Standards Track
6    Expires: August 18, 2014

8           Move Kerberos protocol parameter registries to IANA
9              draft-ietf-kitten-kerberos-iana-registries-03

11   Abstract

13      The Kerberos 5 network authentication protocol has several numeric
14      protocol parameters. Most of these parameters are not currently
15      under IANA maintenance. This document requests that IANA take over
16      the maintenance of the remainder of these Kerberos parameters.

18   Status of this Memo

20      This Internet-Draft is submitted in full conformance with the
21      provisions of BCP 78 and BCP 79.

23      Internet-Drafts are working documents of the Internet Engineering
24      Task Force (IETF). Note that other groups may also distribute
25      working documents as Internet-Drafts. The list of current Internet-
26      Drafts is at http://datatracker.ietf.org/drafts/current/.

28      Internet-Drafts are draft documents valid for a maximum of six months
29      and may be updated, replaced, or obsoleted by other documents at any
30      time. It is inappropriate to use Internet-Drafts as reference
31      material or to cite them other than as "work in progress."

33      This Internet-Draft will expire on August 18, 2014.

35   Copyright Notice

37      Copyright (c) 2014 IETF Trust and the persons identified as the
38      document authors. All rights reserved.

40      This document is subject to BCP 78 and the IETF Trust's Legal
41      Provisions Relating to IETF Documents
42      (http://trustee.ietf.org/license-info) in effect on the date of
43      publication of this document. Please review these documents
44      carefully, as they describe your rights and restrictions with respect
45      to this document. Code Components extracted from this document must
46      include Simplified BSD License text as described in Section 4.e of
47      the Trust Legal Provisions and are provided without warranty as
48      described in the Simplified BSD License.

50   1. Requirements Notation

52      The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
53      "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
54      document are to be interpreted as described in [RFC2119].

56   2. Introduction

58      The Kerberos 5 network authentication protocol [RFC4120][RFC1510] has
59      several numeric protocol parameters. This document requests that
60      IANA take over the maintenance of the Kerberos protocol parameters
61      that are not currently under IANA maintenance. Several instances of
62      number conflicts in Kerberos implementations could have been
63      prevented by having IANA registries for those numbers. This document
64      updates [RFC4120].

66   3. General registry format

68      Unless otherwise specified, each Kerberos protocol number registry
69      will have the following fields: "number", "name", "reference", and
70      "comments".

72      The name must begin with a lowercase letter, and must consist of
73      ASCII letters, digits, and hyphens. Two or more hyphens must not
74      appear directly adjacent to each other. A hyphen must not appear at
75      the end of a name. It is preferred that words in a name be separated
76      by hyphens, and that all of the letters be lowercase.

78      (These rules are consistent with the lexical rules for an ASN.1
79      valuereference or identifier. Where the constraints are stricter
80      than the ASN.1 lexical rules, they make it easier to systematically
81      transform the names for use in implementation languages.)

83      Names for numeric parameter values have no inherent meaning in the
84      Kerberos protocol, but they can guide choices for internal
85      implementation symbol names and for user-visible non-numeric
86      representations. When written in English prose in specifications, or
87      when used as symbolic constants in implementation languages (e.g., C
88      preprocessor macros), it is common to transform the name into all
89      uppercase letters, and possibly to replace hyphens with underscores.

91   4. General registration procedure

93      This document requests that the IESG establish a pool of Kerberos
94      experts who will manage the Kerberos registries using these
95      guidelines. The IESG may wish to consider including the set of
96      designated IANA experts for existing Kerberos IANA registries as
97      candidates for this pool.

99      IANA will select an expert from this pool for each registration
100     request. The expert will review the registration request and may
101     approve the registration, decline the registration with comments, or
102     recommend that the registration request should follow a specific
103     alternative process. The alternative processes that the expert may
104     recommend are the IETF review process and the standards action
105     process.

107     Initially, the expert reviewers will use a permissive process,
108     generally approving registrations that are architecturally consistent
109     with Kerberos and the protocol parameter in question. Over time,
110     with input from the community, the experts may refine the
111     requirements that registrations are expected to meet. The experts
112     will maintain a current version of these guidelines in a manner that
113     is generally accessible to the entire community. As the guidelines
114     evolve, experts may consider the technical quality of specifications,
115     security impacts of the registrations, architectural consistency, and
116     interoperability impact. Experts may require a publicly available
117     specification in order to make certain registrations.

119     [ For the individual registries, include "Registrations in this
120     registry are managed by the expert review process [RFC5226] or in
121     exceptional cases by IESG approval. See section x for guidelines for
122     the experts to be used with this registry." ]

124  5. Integer assignments

126     Names for integer assignments must be unique across all Kerberos
127     integer parameter registries. This is normally accomplished by
128     including a name prefix that identifies the registry.

130     Assignments for integer parameters will follow the general
131     registration procedure outlined above, except as otherwise noted in
132     the section that contains the description of the parameter. Kerberos
133     integer parameters take on signed 32-bit values (-2147483648 to
134     2147483647). Negative values are for private or local use.

136  5.1. Address types
137     Registry name: Address types
138     Assignment policy: General registration procedure
139     Valid values: Signed 32-bit integers

141     Address types historically align with numeric constants used in the
142     Berkeley sockets API. Future address type assignments should conform
143     to this historical practice when possible. The name prefix for
144     address types is "addrtype-".

146  5.2. Authorization data types

148     Registry name: Authorization data types
149     Assignment policy: General registration procedure
150     Valid values: Signed 32-bit integers

152     The name prefix for authorization data types is "ad-".

154  5.3. Error codes

156     Registry name: Error codes
157     Assignment policy: Standards action
158     Valid values: Signed 32-bit integers

160     Assignments for error codes require standards action due to their
161     scarcity: assigning error codes greater than 127 could require
162     significant changes to certain implementations. The name prefixes
163     for error codes are "kdc-err-", "krb-err-", and "krb-ap-err-".

165  5.4. Key usages

167     Registry name: Key usages
168     Assignment policy: General registration procedure
169     Valid values: Unsigned 32-bit integers

171     Key usages are unsigned 32-bit integers (0 to 4294967295). Zero is
172     reserved and may not be assigned.

174     The name prefix for key usages is "ku-".

176  5.5. Name types

178     Registry name: Name types
179     Assignment policy: General registration procedure
180     Valid values: Signed 32-bit integers

182     The name prefix for name types is "nt-".

184     +--------+-------------------+-----------+--------------------------+
185     | number | name              | reference | comment                  |
186     +--------+-------------------+-----------+--------------------------+
187     | 0      | nt-unknown        | RFC4120   | Name type not known      |
188     | 1      | nt-principal      | RFC4120   | Just the name of the     |
189     |        |                   |           | principal as in DCE, or  |
190     |        |                   |           | for users                |
191     | 2      | nt-srv-inst       | RFC4120   | Service and other unique |
192     |        |                   |           | instance (krbtgt)        |
193     | 3      | nt-srv-hst        | RFC4120   | Service with host name   |
194     |        |                   |           | as instance (telnet,     |
195     |        |                   |           | rcommands)               |
196     | 4      | nt-srv-xhst       | RFC4120   | Service with host as     |
197     |        |                   |           | remaining components     |
198     | 5      | nt-uid            | RFC4120   | Unique ID                |
199     | 6      | nt-x500-principal | RFC4120   | Encoded X.509            |
200     |        |                   |           | Distinguished name       |
201     |        |                   |           | [RFC2253]                |
202     | 7      | nt-smtp-name      | RFC4120   | Name in form of SMTP     |
203     |        |                   |           | email name (e.g.,        |
204     |        |                   |           | user@example.com)        |
205     | 10     | nt-enterprise     | RFC4120   | Enterprise name - may be |
206     |        |                   |           | mapped to principal name |
207     | 11     | nt-wellknown      | RFC6111   | Well-known principal     |
208     |        |                   |           | name                     |
209     | 12     | nt-srv-hst-domain | RFC5179   | Domain-based names       |
210     +--------+-------------------+-----------+--------------------------+

212  5.6. Pre-authentication and typed data

214     Registry name: Pre-authentication and typed data
215     Assignment policy: General registration procedure
216     Valid values: Signed 32-bit integers

218     This document requests that IANA modify the existing Kerberos Pre-
219     authentication and typed data registry to be consistent with the
220     procedures in this document.

222     The name prefix for pre-authentication type numbers is "pa-". The
223     name prefix for typed data numbers is "td-". Pre-authentication and
224     typed data numbers are in the same registry, but a pre-authentication
225     number may also be assigned to a related typed data number.

227  6. Named bit assignments

229     Assignments for named bits require standards action, due to their
230     scarcity: assigning bit numbers greater than 31 could require
231     significant changes to implementations. Names for named bit
232     assignments must be unique within a given named bit registry, and
233     typically do not have name prefixes that identify which registry they
234     belong to.

236  6.1. AP-REQ options

238     Registry name: AP-REQ options
239     Assignment policy: Standards action
240     Valid values: ASN.1 bit numbers 0 through 31

242  6.2. KDC-REQ options

244     Registry name: KDC-REQ options
245     Assignment policy: Standards action
246     Valid values: ASN.1 bit numbers 0 through 31

248  6.3. Ticket flags

250     Registry name: Ticket flags
251     Assignment policy: Standards action
252     Valid values: ASN.1 bit numbers 0 through 31

254  7. Numbers that will not be registered

256     ASN.1 application tag numbers (which are always equal to the "msg-
257     type" field in Kerberos messages where they appear) will not be
258     registered. Any Kerberos protocol change that requires a new
259     application tag number will be a sufficiently major change that the
260     specification of the change MUST define a new ASN.1 module and MUST
261     be Standards Track.

263     Transited encoding values will not be registered. There is only one
264     transited encoding type for the Kerberos protocol. The
265     interoperability concerns inherent to the cross-realm operation of
266     Kerberos mean that specifications of new transited encoding types are
267     very unlikely. Any specification of new transited encoding types
268     MUST be Standards Action.

270     Protocol version number (pvno) values will not be registered. The
271     location of the "pvno" value in Kerberos messages is not in a place
272     that implementations can meaningfully use to distinguish among
273     different variants of the Kerberos protocol.

275  8. Contributors

277     Sam Hartman proposed the text of the expert review guidelines. Love
278     Hornquist Astrand wrote a previous document
279     (draft-lha-krb-wg-some-numbers-to-iana-00) with the same goals as
280     this document.

282  9. Acknowledgments

284     Thanks to Tom Petch for providing useful feedback on previous
285     versions of this document.

287  10. Security Considerations

289     Assignments of new Kerberos protocol parameter values can have
290     security implications. In cases where the assignment policy calls
291     for expert review, the reviewer is responsible for evaluating whether
292     adequate documentation exists concerning the security considerations
293     for the requested assignment. For assignments that require IETF
294     review or standards action, the normal IETF processes ensure adequate
295     treatment of security considerations.

297  11. IANA Considerations

299     This document requests that IANA create several registries for
300     Kerberos protocol parameters:
301     o  Address types
302     o  Authorization data types
303     o  Error codes
304     o  Key usages
305     o  Name types
306     o  AP-REQ options
307     o  KDC-REQ options
308     o  Ticket flags

310     This document requests that IANA modify the existing "Pre-
311     authentication data and typed data" registry to contain an additional
312     reference to this document, and to transform existing names in that
313     registry to the lowercase-and-hyphens style.

315  12. Open issues

317     Do we make a registry for application tag numbers (equal to message
318     type numbers)? We've said that we would replace the entire ASN.1
319     module in that case, but Nico's recent proposal doesn't do that, and
320     if we want to accommodate that sort of proposal, it would probably be
321     best to establish a registry. (It should require standards action
322     for registrations.)

324     Do transited encodings need a registry? They would probably require
325     standards action, even if there were a registry.

327  13. References

329  13.1. Normative References

331     [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
332                Requirement Levels", BCP 14, RFC 2119, March 1997.

334     [RFC3961]  Raeburn, K., "Encryption and Checksum Specifications for
335                Kerberos 5", RFC 3961, February 2005.

337     [RFC4120]  Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
338                Kerberos Network Authentication Service (V5)", RFC 4120,
339                July 2005.

341     [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
342                IANA Considerations Section in RFCs", BCP 26, RFC 5226,
343                May 2008.

345  13.2. Informative References

347     [RFC1510]  Kohl, J. and B. Neuman, "The Kerberos Network
348                Authentication Service (V5)", RFC 1510, September 1993.

350  Author's Address

352     Tom Yu
353     MIT Kerberos Consortium
354     77 Massachusetts Ave
355     Cambridge, Massachusetts
356     USA

358     Email: tlyu@mit.edu
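
The naming rules of Section 3 and the per-registry prefixes and value ranges of Sections 5 and 6 can be checked mechanically before a registration is requested. The following Python check is an added example, not part of the draft or of any Kerberos implementation; `check_entry`, `c_symbol` and `ASSIGNED` are hypothetical names. Treating a negative number and an error code greater than 127 as reportable problems is an assumption about how a reviewer would apply the draft's text.

```python
import re

# Section 3: lowercase first letter; ASCII letters, digits, hyphens only;
# no adjacent hyphens; no trailing hyphen.
NAME_RE = re.compile(r"[a-z](?:-?[A-Za-z0-9])*")
S32 = (-2**31, 2**31 - 1)
BITS = (0, 31)
# registry -> (name prefixes, (min, max)), per Sections 5.1-5.6 and 6.1-6.3
REGISTRIES = {
    "Address types": (("addrtype-",), S32),
    "Authorization data types": (("ad-",), S32),
    "Error codes": (("kdc-err-", "krb-err-", "krb-ap-err-"), S32),
    "Key usages": (("ku-",), (1, 2**32 - 1)),  # zero is reserved
    "Name types": (("nt-",), S32),
    "Pre-authentication and typed data": (("pa-", "td-"), S32),
    "AP-REQ options": ((), BITS),  # named bits carry no registry prefix
    "KDC-REQ options": ((), BITS),
    "Ticket flags": ((), BITS),
}

def check_entry(registry, number, name, assigned):
    """Return the problems with a proposed (number, name); [] means it conforms.
    `assigned` maps registry name -> {number: name} of existing entries."""
    prefixes, (lo, hi) = REGISTRIES[registry]
    problems = []
    if not NAME_RE.fullmatch(name):
        problems.append("name breaks Section 3 lexical rules")
    if prefixes and not name.startswith(prefixes):
        problems.append("name lacks registry prefix")
    if not lo <= number <= hi:
        problems.append(f"number outside {lo}..{hi}")
    elif number < 0:  # assumption: private/local-use values are not registered
        problems.append("negative values are private or local use")
    if registry == "Error codes" and number > 127:  # assumption: report it
        problems.append("error code greater than 127")
    if number in assigned.get(registry, {}):
        problems.append("number already assigned")
    # Integer-registry names are unique across all integer registries;
    # named-bit names only within their own registry.
    scope = [r for r, (p, _) in REGISTRIES.items() if p] if prefixes else [registry]
    if any(name in assigned.get(r, {}).values() for r in scope):
        problems.append("name already assigned")
    return problems

def c_symbol(name):
    """Section 3 convention: all uppercase, hyphens replaced by underscores."""
    return name.upper().replace("-", "_")

# Existing entries taken from the Section 5.5 table.
ASSIGNED = {"Name types": {0: "nt-unknown", 1: "nt-principal", 11: "nt-wellknown"}}
```

An empty list from `check_entry` means the proposed entry satisfies every rule the draft states for that registry; the check does not replace the expert review described in Section 4.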