draft-ietf-kitten-gssapi-domain-based-names-01.txt vs. draft-ietf-kitten-gssapi-domain-based-names-02.txt

NETWORK WORKING GROUP                                        N. Williams
Internet-Draft                                                       Sun
Expires: April 19, 2006 (-01) / December 28, 2006 (-02)
October 16, 2005 (-01) / June 26, 2006 (-02)

GSS-API Domain-Based Service Names and Name Type
draft-ietf-kitten-gssapi-domain-based-names-01.txt (-01)
draft-ietf-kitten-gssapi-domain-based-names-02.txt (-02)
Status of this Memo

By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that

skipping to change at page 1, line 33

and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

This Internet-Draft will expire on April 19, 2006 (-01) / December 28,
2006 (-02).

Copyright Notice

Copyright (C) The Internet Society (2005) (-01) / (2006) (-02).
Abstract

This document describes domainname-based service principal names and
the corresponding name type for the Generic Security Service
Application Programming Interface (GSS-API).

Domain-based service names are similar to host-based service names,
but using a domain name (not necessarily an Internet domain name)
instead of or in addition to a hostname. The primary purpose of
domain-based service names is to provide a way to name clustered
services after the domain which they service, thereby allowing their
clients to authorize the service's servers based on authentication of
their names.

(-01 read "not necessarily and Internat domain name" here; -02 corrects
the typo.)
Table of Contents

1. Conventions used in this document . . . . . . . . . . . . . 3
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4

skipping to change at page 4, line 17
The use of hostbased principal names for domain-wide services
presents the problem of how to distinguish between an instance of a
hostbased service that is authorized to respond for a domain and one
that isn't.

Consider LDAP. LDAP [RFC3377] with SASL [RFC2222] and the Kerberos V
mechanism [RFC1964] for the GSS-API [RFC2743] uses a hostbased
principal with a service name of "ldap", a reasonable approach,
provided there is only one logical LDAP directory in a Kerberos
realm's domain, and that all ldap servers in that realm serve that
one LDAP directory.

-01: If there were other LDAP directories, then clients could not
tell which service is authorized to serve which directory, not
without assuming a secure method for finding LDAP servers (e.g.,
DNSSEC).

-02: A network might have multiple, distinct LDAP services, but only
one LDAP "name service"; if so, then clients could not tell which
LDAP service principals are authorized to serve which directory, not
without assuming a secure method for finding LDAP servers (e.g.,
DNSSEC).

This is a significant, and oft-unstated, restriction on users of
LDAP.

-01: Domain based names can eliminate this problem by allowing LDAP
service names to indicate which LDAP directory they are authorized to
serve.

-02: Domain based names can eliminate this problem: the use of
domain-based names should imply that the given host is a server for
the official LDAP name service of the given domain.

-02 (added): Notwithstanding the LDAP example, the use of
domain-based principal names for LDAP is not actually specified here
and will be specified in a separate document.
A domain-based name consists of three required elements:

o a service name
o a domain name
o a hostname
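As an added illustration (not text or code from the draft), the client-side acceptor-name check the introduction argues for, modelled in Python: a hostbased name only proves which host was reached, so authorizing the directory behind it depends on trusting how the host was found, whereas a domain-based name carries the domain itself. The "service@domain@hostname" string form is an assumption taken from the later published RFC for this name type; the excerpt above lists only the three elements.

```python
# Added example, not part of the draft. ASSUMPTION: domain-based names are
# written "service@domain@hostname"; this page only lists the three elements.
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainBasedName:
    service: str
    domain: str
    hostname: str


def parse_domain_based(name: str) -> DomainBasedName:
    """Split the assumed "service@domain@hostname" form into its three
    required elements; anything else (including a hostbased name) is rejected."""
    parts = name.split("@")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"not a domain-based service name: {name!r}")
    service, domain, hostname = parts
    return DomainBasedName(service.lower(), domain.lower(), hostname.lower())


def authorize_hostbased(authenticated: str, service: str,
                        connected_host: str, discovery_trusted: bool) -> bool:
    """Hostbased name ("service@hostname"): authentication proves only that
    the peer is the "ldap" service on that host. Whether that host serves the
    directory the client wanted rests entirely on the host-discovery step,
    so without a trusted lookup (e.g. DNSSEC) the client must refuse."""
    svc, _, host = authenticated.partition("@")
    return (discovery_trusted
            and svc.lower() == service.lower()
            and host.lower() == connected_host.lower())


def authorize_domain_based(authenticated: str, service: str,
                           domain: str, connected_host: str) -> bool:
    """Domain-based name: the authenticated name itself states which domain's
    service this host is authorized to serve, so the decision rests on the
    domain element, not on how the hostname was discovered."""
    try:
        name = parse_domain_based(authenticated)
    except ValueError:
        return False
    return (name.service == service.lower()
            and name.domain == domain.lower()
            and name.hostname == connected_host.lower())
```

The hostname comparison in the domain-based check is only a consistency check against the host actually contacted; the authorization decision is the domain match.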
3. Name Type OID and Symbolic Name

skipping to change at page 11, line 41
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

Copyright (C) The Internet Society (2005) (-01) / (2006) (-02). This
document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.

Acknowledgment

Funding for the RFC Editor function is currently provided by the
Internet Society.
End of changes. 8 change blocks.
11 lines changed or deleted, 16 lines changed or added.

This html diff was produced by rfcdiff 1.32. The latest version is
available from http://www.levkowetz.com/ietf/tools/rfcdiff/