rfcdiff: draft-ietf-kitten-gssapi-channel-bindings-04.txt -> draft-ietf-kitten-gssapi-channel-bindings-05.txt
(The text below is the -05 version; where -04 differs, the -04 reading is noted in parentheses.)

KITTEN WG                                                    N. Williams
Internet-Draft                                                       Sun
Intended status: Standards Track    September 23, 2008 (-04: March 13, 2008)
Expires: March 27, 2009 (-04: September 14, 2008)

     Clarifications and Extensions to the GSS-API for the Use of Channel
                                  Bindings
            draft-ietf-kitten-gssapi-channel-bindings-05.txt
Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   [... unchanged text skipped by rfcdiff (page 1, line 35) ...]
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on March 27, 2009 (-04: September 14,
   2008).

Copyright Notice

   Copyright (C) The IETF Trust (2008).
Abstract

   This document clarifies and generalizes the Generic Security Services
   Application Programming Interface (GSS-API) "channel bindings"
   facility, and imposes requirements on future GSS-API mechanisms and
   [... unchanged text skipped by rfcdiff (page 6, line 13) ...]
   mechanisms that support channel binding MUST conform to [RFC5056].
4.  Generic Structure for GSS-API Channel Bindings

   The base GSS-API v2, update 1 specification [RFC2743] provides a
   facility for channel binding.  It models channel bindings as an OCTET
   STRING and leaves it to the GSS-API v2, update 1 C-Bindings
   specification to specify the structure of the contents of the channel
   bindings OCTET STRINGs.  The C-Bindings specification [RFC2744] then
   defines, in terms of C, what should have been a generic structure for
   channel bindings.  The Kerberos V GSS mechanism [RFC4121] also
   defines a method for encoding GSS channel bindings in a way that is
   independent of the C-Bindings -- otherwise the mechanism's channel
   binding facility would not be usable with other language bindings.
   In other words, the structure of GSS channel bindings given in
   [RFC2744] is actually generic, rather than specific to the C
   programming language.  (-04 cited [RFC1964] rather than [RFC4121] for
   the Kerberos V mechanism.)

   Here, then, is a generic re-statement of this structure, in pseudo-
   ASN.1:
   GSS-CHANNEL-BINDINGS ::= SEQUENCE {
       initiator-address-type  INTEGER,       -- See RFC2744
       initiator-address       OCTET STRING,  -- See RFC2744
       acceptor-address-type   INTEGER,       -- See RFC2744
       acceptor-address        OCTET STRING,  -- See RFC2744
       application-data        OCTET STRING   -- See RFC5056
   }

   (-04 wrote the assignment as ":=" and carried no comments.)
   The values for the address fields are described in [RFC2744].

   New language-specific bindings of the GSS-API SHOULD specify a
   language-specific formulation of this structure.

   Where a language binding of the GSS-API models channel bindings as
   OCTET STRINGs (or the language's equivalent), then the implementation
   MUST assume that the given bindings correspond only to the
   application-data field of GSS-CHANNEL-BINDINGS as shown above, rather
   than some encoding of GSS-CHANNEL-BINDINGS.
   As mentioned above, [RFC4121] describes an encoding of the above GSS-
   CHANNEL-BINDINGS structure, and then hashes that encoding.  Other
   GSS-API mechanisms are free to use that encoding.  (-04 read: "GSS-API
   mechanisms MAY use the [RFC1964] encoding of channel bindings.")
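   As an added illustration, not part of the draft or of any GSS-API
   implementation, the Python below models the GSS-CHANNEL-BINDINGS
   structure above, shows how an OCTET-STRING-only language binding
   collapses its input to the application-data field, and computes the
   RFC 4121 / RFC 1964 checksum form of the bindings (fields in
   declaration order, INTEGERs as four little-endian bytes, OCTET
   STRINGs length-prefixed, MD5 over the result, sixteen zero bytes when
   no bindings are supplied).  The use of GSS_C_AF_UNSPEC for the unused
   address-type fields is an assumption; the draft names no value.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

GSS_C_AF_UNSPEC = 0      # "unspecified" address family (RFC 2744)
GSS_C_AF_INET = 2        # IPv4 address family (RFC 2744)
GSS_C_AF_NULLADDR = 255  # "no address" (RFC 2744)


@dataclass(frozen=True)
class GssChannelBindings:
    """Generic GSS-CHANNEL-BINDINGS structure from Section 4 of the draft."""
    initiator_address_type: int = GSS_C_AF_UNSPEC
    initiator_address: bytes = b""
    acceptor_address_type: int = GSS_C_AF_UNSPEC
    acceptor_address: bytes = b""
    application_data: bytes = b""


def bindings_from_octet_string(app_data: bytes) -> GssChannelBindings:
    """What a language binding that models channel bindings as a single
    OCTET STRING must do: treat the bytes as application-data only, never
    as an encoding of the whole structure.  Address fields stay empty
    (GSS_C_AF_UNSPEC is an assumption, not something the draft fixes)."""
    return GssChannelBindings(application_data=bytes(app_data))


def _le32(n: int) -> bytes:
    # INTEGER fields are hashed as four little-endian bytes
    return struct.pack("<I", n)


def _octets(s: bytes) -> bytes:
    # each OCTET STRING is preceded by its four-byte little-endian length
    return _le32(len(s)) + s


def encode_rfc4121(cb: GssChannelBindings) -> bytes:
    """Serialize the structure in the order RFC 4121 / RFC 1964 hash it."""
    return (_le32(cb.initiator_address_type) + _octets(cb.initiator_address)
            + _le32(cb.acceptor_address_type) + _octets(cb.acceptor_address)
            + _octets(cb.application_data))


def channel_binding_hash(cb: Optional[GssChannelBindings]) -> bytes:
    """16-byte value the Kerberos mechanism carries in its checksum field:
    MD5 of the encoding, or 16 zero bytes for GSS_C_NO_CHANNEL_BINDINGS."""
    if cb is None:
        return bytes(16)
    return hashlib.md5(encode_rfc4121(cb)).digest()
```

   The two peers must therefore agree on the same application-data bytes
   and the same (empty) address fields, or the hashes differ and the
   context establishment fails.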
5.  IANA Considerations

   There are no IANA considerations in this document.

6.  Security Considerations

   For general security considerations relating to channel bindings see
   [RFC5056].

   Language bindings that use OCTET STRING (or equivalent) for channel
   bindings will not support the use of network addresses as channel
   bindings.  This should not cause any security problems, as the use of
   network addresses as channel bindings is not generally secure.
   However, it is important that "end-point channel bindings" not be
   modelled as network addresses, otherwise such channel bindings may
   not be usable with all language bindings of the GSS-API.
7.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2743]  Linn, J., "Generic Security Service Application Program
              Interface Version 2, Update 1", RFC 2743, January 2000.

   [RFC2744]  Wray, J., "Generic Security Service API Version 2 :
              C-bindings", RFC 2744, January 2000.

   [RFC4121]  Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos
              Version 5 Generic Security Service Application Program
              Interface (GSS-API) Mechanism: Version 2", RFC 4121,
              July 2005.

   [RFC5056]  Williams, N., "On the Use of Channel Bindings to Secure
              Channels", RFC 5056, November 2007.

   (-04 listed [RFC1964] Linn, J., "The Kerberos Version 5 GSS-API
   Mechanism", RFC 1964, June 1996, in place of [RFC4121].)
Author's Address

   Nicolas Williams
   Sun Microsystems
   5300 Riata Trace Ct
   Austin, TX 78727
   US
End of changes.  8 change blocks; 17 lines changed or deleted, 20 lines
changed or added.

This html diff was produced by rfcdiff 1.35.  The latest version is
available from http://tools.ietf.org/tools/rfcdiff/