idnits 2.17.1 

draft-ietf-kitten-krb5-gssapi-domain-based-names-04.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1 on line 15.

  -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on
     line 167.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 178.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 185.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 191.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an Introduction section.

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust Copyright Line does not match the
     current year

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (November 19, 2007) is 5996 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Outdated reference: A later version (-06) exists of
     draft-ietf-kitten-gssapi-domain-based-names-03

  ** Obsolete normative reference: RFC 3490 (Obsoleted by RFC 5890, RFC 5891)


     Summary: 4 errors (**), 0 flaws (~~), 3 warnings (==), 7 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	NETWORK WORKING GROUP                                        N. Williams
3	Internet-Draft                                                       Sun
4	Expires: May 22, 2008                                  November 19, 2007

6	   GSS-API Domain-Based Service Names Mapping for the Kerberos V GSS
7	                               Mechanism
8	        draft-ietf-kitten-krb5-gssapi-domain-based-names-04.txt

10	Status of this Memo

12	   By submitting this Internet-Draft, each author represents that any
13	   applicable patent or other IPR claims of which he or she is aware
14	   have been or will be disclosed, and any of which he or she becomes
15	   aware will be disclosed, in accordance with Section 6 of BCP 79.

17	   Internet-Drafts are working documents of the Internet Engineering
18	   Task Force (IETF), its areas, and its working groups.  Note that
19	   other groups may also distribute working documents as Internet-
20	   Drafts.

22	   Internet-Drafts are draft documents valid for a maximum of six months
23	   and may be updated, replaced, or obsoleted by other documents at any
24	   time.  It is inappropriate to use Internet-Drafts as reference
25	   material or to cite them other than as "work in progress."

27	   The list of current Internet-Drafts can be accessed at
28	   http://www.ietf.org/ietf/1id-abstracts.txt.

30	   The list of Internet-Draft Shadow Directories can be accessed at
31	   http://www.ietf.org/shadow.html.

33	   This Internet-Draft will expire on May 22, 2008.

35	Copyright Notice

37	   Copyright (C) The IETF Trust (2007).

39	Abstract

41	   This document describes the mapping of GSS-API domainname-based
42	   service principal names onto Kerberos V principal names.

44	Table of Contents

46	   1.  Conventions used in this document . . . . . . . . . . . . . . . 3
47	   2.  Domain-Based Names for the Kerberos V GSS-API Mechanism . . . . 3
48	   3.  Internationalization considerations . . . . . . . . . . . . . . 3
49	   4.  Examples  . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
50	   5.  Security Considerations . . . . . . . . . . . . . . . . . . . . 4
51	   6.  Normative References  . . . . . . . . . . . . . . . . . . . . . 4
52	       Author's Address  . . . . . . . . . . . . . . . . . . . . . . . 4
53	       Intellectual Property and Copyright Statements  . . . . . . . . 6

55	1.  Conventions used in this document

57	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
58	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
59	   document are to be interpreted as described in [RFC2119].

61	2.  Domain-Based Names for the Kerberos V GSS-API Mechanism

63	   In accordance with [I-D.ietf-kitten-gssapi-domain-based-names] this
64	   document provides the mechanism-specific details needed to implement
65	   GSS-API [RFC2743] domain-based service names with the Kerberos V GSS-
66	   API mechanism [RFC4121].

68	   GSS_C_NT_DOMAINBASED_SERVICE name SHOULD be mapped to Kerberos V
69	   principal names as follows:
70	   o  the <service> name becomes the first (0th) component of the
71	      Kerberos V principal name;
72	   o  the <hostname> becomes the second component of the Kerberos V
73	      principal name;
74	   o  the <domain> name becomes the third component of the Kerberos V
75	      principal name;
76	   o  the realm of the resulting principal name is that which
77	      corresponds to the domain name, treated as a hostname.

79	   The same name canonicalization considerations and methods as used
80	   elsewhere in the Kerberos V GSS-API mechanism [RFC4121] and Kerberos
81	   V [RFC4120] in general apply here.

83	   Implementations SHOULD use a Kerberos V name-type of NT-SRV-HST-
84	   DOMAIN (integral value to be assigned, possibly after WGLC?) but MAY
85	   use NT-UNKNOWN instead.

87	3.  Internationalization considerations

89	   It is unclear, at this time, how best to address internationalization
90	   of Kerberos V domain-based principal names.  This is because the
91	   Kerberos V core protocol internationalization project is incomplete.

93	   However, clearly the best way to interoperate when using Kerberos V
94	   domain-based principal names is to use ACE-encoded internationalized
95	   domain names [RFC3490] for the hostname and domain name slots of a
96	   Kerberos V domain-based principal name.  Therefore Kerberos V GSS-API
97	   mechanism implementations MUST do just that.

99	4.  Examples
100	   o  The domain based name, of generic form,
101	      "ldap@Example.TLD@ds1.Example.TLD" may map to a Kerberos V
102	      principal name like: "ldap/ds1.example.tld/
103	      example.tld@EXAMPLE.TLD"
104	   o  The domain based name, of generic form,
105	      "kadmin@Example.TLD@kdc1.Example.TLD" may map to a Kerberos V
106	      principal name like: "kadmin/kdc1.example.tld/
107	      example.tld@EXAMPLE.TLD"

109	5.  Security Considerations

111	   See [I-D.ietf-kitten-gssapi-domain-based-names].

113	   It is important for the security of protocols using the Kerberos V
114	   GSS-API mechanism and domain-based names, that the realm of domain-
115	   based principal names be derived from the hostname, rather than the
116	   domain name slots of the input domain-based name string.

118	6.  Normative References

120	   [I-D.ietf-kitten-gssapi-domain-based-names]
121	              Williams, N., "GSS-API Domain-Based Service Names and Name
122	              Type", draft-ietf-kitten-gssapi-domain-based-names-03
123	              (work in progress), September 2006.

125	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
126	              Requirement Levels", BCP 14, RFC 2119, March 1997.

128	   [RFC2743]  Linn, J., "Generic Security Service Application Program
129	              Interface Version 2, Update 1", RFC 2743, January 2000.

131	   [RFC3490]  Faltstrom, P., Hoffman, P., and A. Costello,
132	              "Internationalizing Domain Names in Applications (IDNA)",
133	              RFC 3490, March 2003.

135	   [RFC4120]  Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
136	              Kerberos Network Authentication Service (V5)", RFC 4120,
137	              July 2005.

139	   [RFC4121]  Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos
140	              Version 5 Generic Security Service Application Program
141	              Interface (GSS-API) Mechanism: Version 2", RFC 4121,
142	              July 2005.

144	Author's Address
145	   Nicolas Williams
146	   Sun Microsystems
147	   5300 Riata Trace Ct
148	   Austin, TX  78727
149	   US

151	   Email: Nicolas.Williams@sun.com

153	Full Copyright Statement

155	   Copyright (C) The IETF Trust (2007).

157	   This document is subject to the rights, licenses and restrictions
158	   contained in BCP 78, and except as set forth therein, the authors
159	   retain all their rights.

161	   This document and the information contained herein are provided on an
162	   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
163	   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
164	   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
165	   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
166	   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
167	   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

169	Intellectual Property

171	   The IETF takes no position regarding the validity or scope of any
172	   Intellectual Property Rights or other rights that might be claimed to
173	   pertain to the implementation or use of the technology described in
174	   this document or the extent to which any license under such rights
175	   might or might not be available; nor does it represent that it has
176	   made any independent effort to identify any such rights.  Information
177	   on the procedures with respect to rights in RFC documents can be
178	   found in BCP 78 and BCP 79.

180	   Copies of IPR disclosures made to the IETF Secretariat and any
181	   assurances of licenses to be made available, or the result of an
182	   attempt made to obtain a general license or permission for the use of
183	   such proprietary rights by implementers or users of this
184	   specification can be obtained from the IETF on-line IPR repository at
185	   http://www.ietf.org/ipr.

187	   The IETF invites any interested party to bring to its attention any
188	   copyrights, patents or patent applications, or other proprietary
189	   rights that may cover technology that may be required to implement
190	   this standard.  Please address the information to the IETF at
191	   ietf-ipr@ietf.org.

193	Acknowledgment

195	   Funding for the RFC Editor function is provided by the IETF
196	   Administrative Support Activity (IASA).