Diff of draft-ietf-kitten-gssapi-channel-bindings-03.txt against draft-ietf-kitten-gssapi-channel-bindings-04.txt (lines present in only one version are marked [-03] or [-04]; unmarked lines are common to both)
KITTEN WG                                                    N. Williams
Internet-Draft                                                       Sun
[-03] Expires: August 28, 2008                        February 25, 2008
[-04] Intended status: Standards Track                    March 13, 2008
[-04] Expires: September 14, 2008
Clarifications and Extensions to the GSS-API for the Use of Channel Bindings
[-03] draft-ietf-kitten-gssapi-channel-bindings-03.txt
[-04] draft-ietf-kitten-gssapi-channel-bindings-04.txt
Status of this Memo

By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that
[skipping to change at page 1, line 34 (-03) / page 1, line 35 (-04)]
and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.
[-03] This Internet-Draft will expire on August 28, 2008.
[-04] This Internet-Draft will expire on September 14, 2008.
Copyright Notice

Copyright (C) The IETF Trust (2008).

Abstract

This document clarifies and generalizes the Generic Security Services Application Programming Interface (GSS-API) "channel bindings" facility, and imposes requirements on future GSS-API mechanisms and programming language bindings of the GSS-API.

Table of Contents

[-03]
1. Conventions used in this document . . . . . . . . . . . . . . . 3
2. New Requirements for GSS-API Mechanisms . . . . . . . . . . . . 4
3. Generic Structure for GSS-API Channel Bindings . . . . . . . . 5
4. Security Considerations . . . . . . . . . . . . . . . . . . . . 6
5. Normative References . . . . . . . . . . . . . . . . . . . . . 7
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 8
Intellectual Property and Copyright Statements . . . . . . . . . . 9

[-04]
1. Conventions used in this document . . . . . . . . . . . . . . 3
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. New Requirements for GSS-API Mechanisms . . . . . . . . . . . 5
4. Generic Structure for GSS-API Channel Bindings . . . . . . . . 6
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
6. Security Considerations . . . . . . . . . . . . . . . . . . . 8
7. Normative References . . . . . . . . . . . . . . . . . . . . . 9
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 10
Intellectual Property and Copyright Statements . . . . . . . . . . 11
1. Conventions used in this document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
[-03] 2. New Requirements for GSS-API Mechanisms
[-04] 2. Introduction

[-04] The base GSS-API v2, update 1 specification [RFC2743] provides a facility for channel binding (see also [RFC5056]), but its treatment was incomplete. The C-bindings of the GSS-API [RFC2744] expanded a little on this facility in what should have been a generic way, but was a C-specific way, and still, the treatment of this facility was incomplete.

[-04] This document clarifies the GSS-API's channel binding facility and generalizes the parts of it that are specified in the C-bindings document but which should have been generic from the first.

[-04] 3. New Requirements for GSS-API Mechanisms

Given the publication of RFC5056 we now assert that all new GSS-API mechanisms that support channel binding MUST conform to [RFC5056].

[-03] 3. Generic Structure for GSS-API Channel Bindings
[-04] 4. Generic Structure for GSS-API Channel Bindings
The base GSS-API v2, update 1 specification [RFC2743] provides a facility for channel binding. It models channel bindings as an OCTET STRING and leaves it to the GSS-API v2, update 1 C-Bindings specification to specify the structure of the contents of the channel bindings OCTET STRINGs. The C-Bindings specification [RFC2744] then defines, in terms of C, what should have been a generic structure for channel bindings. The Kerberos V GSS mechanism [RFC1964] then defines a method for encoding GSS channel bindings in a way that is independent of the C-Bindings -- otherwise the mechanism's channel
[skipping to change at page 6, line 5 (-03) / page 7, line 5 (-04)]
Where a language binding of the GSS-API models channel bindings as OCTET STRINGs (or the language's equivalent), then the implementation MUST assume that the given bindings correspond only to the application-data field of GSS-CHANNEL-BINDINGS as shown above, rather than some encoding of GSS-CHANNEL-BINDINGS.

GSS-API mechanisms MAY use the [RFC1964] encoding of channel bindings.
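As an added illustration, not part of either draft version, here is the RFC 1964 channel-binding encoding that the text says mechanisms MAY use, together with the mapping this section requires of a language binding that only has an OCTET STRING: the given octets become the application-data field and both address fields stay unspecified and empty. The address-type constants are taken from the RFC 2744 C bindings and the sample binding value is constructed here; both are assumptions of this example.

```python
import hashlib
import struct

# Address-type values from the GSS-API C bindings (RFC 2744); assumed here.
GSS_C_AF_UNSPEC = 0
GSS_C_AF_INET = 2


def encode_rfc1964_bindings(init_addrtype: int, init_addr: bytes,
                            acc_addrtype: int, acc_addr: bytes,
                            app_data: bytes) -> bytes:
    """Serialize GSS-CHANNEL-BINDINGS the way RFC 1964 section 4.1.1.2 does
    before hashing: every addrtype and every length is a 4-octet
    little-endian integer, and each length is followed by that field's
    octets (empty fields contribute a zero length and nothing else)."""
    def counted(data: bytes) -> bytes:
        return struct.pack("<I", len(data)) + data

    return (struct.pack("<I", init_addrtype) + counted(init_addr)
            + struct.pack("<I", acc_addrtype) + counted(acc_addr)
            + counted(app_data))


def rfc1964_bnd(init_addrtype: int, init_addr: bytes,
                acc_addrtype: int, acc_addr: bytes, app_data: bytes) -> bytes:
    """The 16-octet Bnd field the Kerberos V GSS mechanism carries in its
    authenticator checksum: MD5 over the serialization above."""
    return hashlib.md5(encode_rfc1964_bindings(
        init_addrtype, init_addr, acc_addrtype, acc_addr, app_data)).digest()


def bnd_from_octet_string(channel_binding: bytes) -> bytes:
    """What an OCTET-STRING-only language binding must do under this draft:
    treat the octets as the application-data field alone, with both address
    fields unspecified and empty, never as an encoding of the whole
    structure."""
    return rfc1964_bnd(GSS_C_AF_UNSPEC, b"", GSS_C_AF_UNSPEC, b"",
                       channel_binding)


# Constructed sample: an end-point style binding carried as application data.
SAMPLE_BINDING = b"tls-server-end-point:" + bytes(range(8))

if __name__ == "__main__":
    print(bnd_from_octet_string(SAMPLE_BINDING).hex())
```

Because the address fields are always empty in the OCTET STRING case, a peer that populates them with network addresses computes a different Bnd and the binding check fails, which is the interoperability point the Security Considerations make about not modelling end-point bindings as addresses.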
[-03] 4. Security Considerations
[-04] 5. IANA Considerations

[-04] There are no IANA considerations in this document.

[-04] 6. Security Considerations
For general security considerations relating to channel bindings see [RFC5056].

Language bindings that use OCTET STRING (or equivalent) for channel bindings will not support the use of network addresses as channel bindings. This should not cause any security problems, as the use of network addresses as channel bindings is not generally secure. However, it is important that "end-point channel bindings" not be modelled as network addresses, otherwise such channel bindings may not be useable with all language bindings of the GSS-API.
[-03] 5. Normative References
[-04] 7. Normative References
[RFC1964] Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC 1964, June 1996.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2743] Linn, J., "Generic Security Service Application Program Interface Version 2, Update 1", RFC 2743, January 2000.
End of changes. 8 change blocks; 14 lines changed or deleted, 34 lines changed or added.

This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/