draft-ietf-kitten-gssapi-naming-exts-09.txt   draft-ietf-kitten-gssapi-naming-exts-10.txt 
KITTEN WORKING GROUP N. Williams KITTEN WORKING GROUP N. Williams
Internet-Draft Sun Internet-Draft Sun
Intended status: Standards Track L. Johansson Intended status: Standards Track L. Johansson
Expires: August 10, 2011 SUNET Expires: November 23, 2011 SUNET
February 6, 2011 S. Hartman
Painless Security
May 22, 2011
GSS-API Naming Extensions GSS-API Naming Extensions
draft-ietf-kitten-gssapi-naming-exts-09 draft-ietf-kitten-gssapi-naming-exts-10
Abstract Abstract
The Generic Security Services API (GSS-API) provides a simple naming The Generic Security Services API (GSS-API) provides a simple naming
architecture that supports name-based authorization. This document architecture that supports name-based authorization. This document
introduces new APIs that extend the GSS-API naming model to support introduces new APIs that extend the GSS-API naming model to support
name attribute transfer between GSS-API peers. name attribute transfer between GSS-API peers.
Status of this Memo Status of this Memo
skipping to change at page 1, line 34 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 10, 2011. This Internet-Draft will expire on November 23, 2011.
Copyright Notice Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 26 skipping to change at page 2, line 28
Table of Contents Table of Contents
1. Conventions used in this document . . . . . . . . . . . . 3 1. Conventions used in this document . . . . . . . . . . . . 3
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . 3 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . 3
3. Name Attribute Authenticity . . . . . . . . . . . . . . . 3 3. Name Attribute Authenticity . . . . . . . . . . . . . . . 3
4. Name Attributes/Values as ACL Subjects . . . . . . . . . . 4 4. Name Attributes/Values as ACL Subjects . . . . . . . . . . 4
5. Naming Contexts . . . . . . . . . . . . . . . . . . . . . 4 5. Naming Contexts . . . . . . . . . . . . . . . . . . . . . 4
6. Representation of Attribute Names . . . . . . . . . . . . 6 6. Representation of Attribute Names . . . . . . . . . . . . 6
7. API . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 7. API . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
7.1. GSS_Display_name_ext() . . . . . . . . . . . . . . . . . . 7 7.1. SET OF OCTET STRING . . . . . . . . . . . . . . . . . . . 7
7.1.1. C-Bindings . . . . . . . . . . . . . . . . . . . . . . . . 8 7.2. GSS_Display_name_ext() . . . . . . . . . . . . . . . . . . 7
7.2. GSS_Inquire_name() . . . . . . . . . . . . . . . . . . . . 8
7.2.1. C-Bindings . . . . . . . . . . . . . . . . . . . . . . . . 8 7.2.1. C-Bindings . . . . . . . . . . . . . . . . . . . . . . . . 8
7.3. GSS_Get_name_attribute() . . . . . . . . . . . . . . . . . 9 7.3. GSS_Inquire_name() . . . . . . . . . . . . . . . . . . . . 8
7.3.1. C-Bindings . . . . . . . . . . . . . . . . . . . . . . . . 10 7.3.1. C-Bindings . . . . . . . . . . . . . . . . . . . . . . . . 9
7.4. GSS_Set_name_attribute() . . . . . . . . . . . . . . . . . 10 7.4. GSS_Get_name_attribute() . . . . . . . . . . . . . . . . . 9
7.4.1. C-Bindings . . . . . . . . . . . . . . . . . . . . . . . . 11 7.4.1. C-Bindings . . . . . . . . . . . . . . . . . . . . . . . . 10
7.5. GSS_Delete_name_attribute() . . . . . . . . . . . . . . . 12 7.5. GSS_Set_name_attribute() . . . . . . . . . . . . . . . . . 11
7.5.1. C-Bindings . . . . . . . . . . . . . . . . . . . . . . . . 12 7.5.1. C-Bindings . . . . . . . . . . . . . . . . . . . . . . . . 12
7.6. GSS_Export_name_composite() . . . . . . . . . . . . . . . 12 7.6. GSS_Delete_name_attribute() . . . . . . . . . . . . . . . 12
7.6.1. C-Bindings . . . . . . . . . . . . . . . . . . . . . . . . 13 7.6.1. C-Bindings . . . . . . . . . . . . . . . . . . . . . . . . 13
8. IANA Considerations . . . . . . . . . . . . . . . . . . . 13 7.7. GSS_Export_name_composite() . . . . . . . . . . . . . . . 13
9. Security Considerations . . . . . . . . . . . . . . . . . 13 7.7.1. C-Bindings . . . . . . . . . . . . . . . . . . . . . . . . 13
10. References . . . . . . . . . . . . . . . . . . . . . . . . 14 8. IANA Considerations . . . . . . . . . . . . . . . . . . . 14
10.1. Normative References . . . . . . . . . . . . . . . . . . . 14 9. Security Considerations . . . . . . . . . . . . . . . . . 14
10. References . . . . . . . . . . . . . . . . . . . . . . . . 15
10.1. Normative References . . . . . . . . . . . . . . . . . . . 15
10.2. Informative References . . . . . . . . . . . . . . . . . . 15 10.2. Informative References . . . . . . . . . . . . . . . . . . 15
Authors' Addresses . . . . . . . . . . . . . . . . . . . . 15 Authors' Addresses . . . . . . . . . . . . . . . . . . . . 16
1. Conventions used in this document 1. Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119] . document are to be interpreted as described in [RFC2119] .
2. Introduction 2. Introduction
As described in [RFC4768] the GSS-API's naming architecture suffers As described in [RFC4768] the GSS-API's naming architecture suffers
skipping to change at page 6, line 17 skipping to change at page 6, line 17
interoperability and usability. Using a local attribute in an interoperability and usability. Using a local attribute in an
application requires knowledge of the local implementation. However application requires knowledge of the local implementation. However
using a standardized attribute in an application requires more using a standardized attribute in an application requires more
knowledge of policy and more validation logic in the application. knowledge of policy and more validation logic in the application.
Sharing this logic in the local platform provides more consistency Sharing this logic in the local platform provides more consistency
across applications as well as reducing implementation costs. Both across applications as well as reducing implementation costs. Both
options are needed. options are needed.
6. Representation of Attribute Names 6. Representation of Attribute Names
Different underlying mechanisms provide different representations for Different underlying mechanisms (eg SAML or X.509 certificates)
the names of their attribute. In X.509 certificates, most objects provide different representations for the names of their attribute.
are named by object identifiers (OIDs). The type of object In X.509 certificates, most objects are named by object identifiers
(certificate extension, name constraint, keyPurposeID, etc) along (OIDs). The type of object (certificate extension, name constraint,
with the OID is sufficient to identify the attribute. In contrast, keyPurposeID, etc) along with the OID is sufficient to identify the
according to Section 8.2 and 2.7.3.1 of [OASIS.saml-core-2.0-os], the attribute. By contrast, according to Section 8.2 and 2.7.3.1 of
name of an attribute has two parts. The first is a URI describing [OASIS.saml-core-2.0-os], the name of an attribute has two parts.
the format of the name. The second part, whose form depends on the The first is a URI describing the format of the name. The second
format URI, is the actual name. In other cases an attribute might part, whose form depends on the format URI, is the actual name. In
represent a certificate that plays some particular role in a GSS-API other cases an attribute might represent a certificate that plays
mechanism; such attributes might have a simple mechanism-defined some particular role in a GSS-API mechanism; such attributes might
name. have a simple mechanism-defined name.
Attribute names MUST support multiple components. If there are more Attribute names MUST support multiple components. If there are more
than one component in an attribute name, the more significant than one component in an attribute name, the more significant
components define the semantics of the less significant components. components define the semantics of the less significant components.
Attribute names are represented as STRING elements in the API Attribute names are represented as STRING elements in the API
described below. These attribute names have syntax and semantics described below. These attribute names have syntax and semantics
that are understood by the application and by the lower-layer that are understood by the application and by the lower-layer
implementations (some of which are described below). implementations (some of which are described below).
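Review bot: In the reworded first paragraph of Section 6, the added parenthetical "(eg SAML or X.509 certificates)" should read "(e.g., SAML or X.509 certificates)", and "the names of their attribute" should become "attributes" while the sentence is being touched. In the next paragraph, "If there are more than one component" should be "If there is more than one component".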
skipping to change at page 7, line 21 skipping to change at page 7, line 21
assertion could appear to be a name from another mechanism or assertion could appear to be a name from another mechanism or
context. Typically a SAML attribute name would include a prefix context. Typically a SAML attribute name would include a prefix
describing the trust model and other context of the attribute name. describing the trust model and other context of the attribute name.
Local attribute names under the control of an administrator or a Local attribute names under the control of an administrator or a
sufficiently trusted part of the platform need not have a prefix to sufficiently trusted part of the platform need not have a prefix to
describe context. describe context.
7. API 7. API
7.1. GSS_Display_name_ext() 7.1. SET OF OCTET STRING
The construct SET OF OCTET string occurs once in RFC 2743 [RFC2743]
where it is used to represent a set of status strings in the
GSS_Display_status call. That specification does not mention
directly how the type is represented. The global grid forum has
defined SET OF OCTET STRING as a buffer-set type in GFD.024 [GFD.024]
which also provides an API for memory management of these structures.
Implementations of this specification must implement the SET OF OCTET
STRING type and associated memory management from GFD.024 [GFD.024].
7.2. GSS_Display_name_ext()
Inputs: Inputs:
o name NAME, o name INTERNAL NAME,
o display_as_name_type OBJECT IDENTIFIER o display_as_name_type OBJECT IDENTIFIER
Outputs: Outputs:
o major_status INTEGER, o major_status INTEGER,
o minor_status INTEGER, o minor_status INTEGER,
o display_name STRING o display_name OCTET STRING -- caller must release with
GSS_Release_buffer()
Return major_status codes: Return major_status codes:
o GSS_S_COMPLETE indicates no error. o GSS_S_COMPLETE indicates no error.
o GSS_S_UNAVAILABLE indicates that the given name could not be o GSS_S_UNAVAILABLE indicates that the given name could not be
displayed using the syntax of the given name type. displayed using the syntax of the given name type.
o GSS_S_FAILURE indicates a general error. o GSS_S_FAILURE indicates a general error.
This function displays a given name using the given name syntax, if This function displays a given name using the given name syntax, if
possible. This operation may require mapping MNs to generic name possible. This operation may require mapping MNs to generic name
syntaxes or generic name syntaxes to mechanism-specific name syntaxes or generic name syntaxes to mechanism-specific name
syntaxes; such mappings may not always be feasible and MAY be inexact syntaxes; such mappings may not always be feasible and MAY be inexact
or lossy, therefore this function may fail. or lossy, therefore this function may fail.
7.1.1. C-Bindings 7.2.1. C-Bindings
OM_uint32 GSS_Display_name_ext( OM_uint32 gss_display_name_ext(
OM_uint32 *minor_status, OM_uint32 *minor_status,
gss_name_t name, gss_name_t name,
gss_OID display_as_name_type, gss_OID display_as_name_type,
gss_buffer_t display_name gss_buffer_t display_name
); );
7.2. GSS_Inquire_name() 7.3. GSS_Inquire_name()
Inputs: Inputs:
o name NAME o name INTERNAL NAME
Outputs: Outputs:
o major_status INTEGER, o major_status INTEGER,
o minor_status INTEGER, o minor_status INTEGER,
o name_is_MN BOOLEAN, o name_is_MN BOOLEAN,
o mn_mech OBJECT IDENTIFIER, o mn_mech OBJECT IDENTIFIER,
o attrs SET OF OCTET STRING o attrs SET OF OCTET STRING -- the caller is responsible for de-
allocating memory using GSS_Release_buffer_set defined in GFD.024
[GFD.024]
Return major_status codes: Return major_status codes:
o GSS_S_COMPLETE indicates no error. o GSS_S_COMPLETE indicates no error.
o GSS_S_FAILURE indicates a general error. o GSS_S_FAILURE indicates a general error.
This function outputs the set (represented as a NULL terminated array This function outputs the set of attributes of a name. It also
of gss_buffer_t) of attributes of a name. It also indicates if a indicates if a given name is an MN or not and, if it is, what
given NAME is an MN or not and, if it is, what mechanism it's an MN mechanism it's an MN of.
of. The gss_buffer_set_t type and associated API is defined in
[GFD.024]
7.2.1. C-Bindings 7.3.1. C-Bindings
OM_uint32 gss_inquire_name( OM_uint32 gss_inquire_name(
OM_uint32 *minor_status, OM_uint32 *minor_status,
gss_name_t name, gss_name_t name,
int name_is_MN, int *name_is_MN,
gss_OID *MN_mech, gss_OID *MN_mech,
gss_buffer_set_t *attrs gss_buffer_set_t *attrs
); );
7.3. GSS_Get_name_attribute() The gss_buffer_set_t is the C representation of SET OF OCTET STRING.
This type is used to represent a set of attributes and is a NULL-
terminated array of gss_buffer_t. The gss_buffer_set_t type and
associated API is defined in GFD.024 [GFD.024].
7.4. GSS_Get_name_attribute()
Inputs: Inputs:
o name NAME, o name INTERNAL NAME,
o attr STRING o attr STRING
Outputs: Outputs:
o major_status INTEGER, o major_status INTEGER,
o minor_status INTEGER, o minor_status INTEGER,
o authenticated BOOLEAN, -- TRUE iff authenticated by the trusted o authenticated BOOLEAN, -- TRUE iff authenticated by the trusted
peer credential source. peer credential source.
o complete BOOLEAN -- TRUE iff this represents a complete set of o complete BOOLEAN -- TRUE iff this represents a complete set of
values for the name. values for the name.
o values SET OF OCTET STRING, o values SET OF OCTET STRING -- the caller is responsible for de-
allocating memory using GSS_Release_buffer_set defined in GFD.024
[GFD.024].
o display_values SET OF STRING o display_values SET OF STRING -- the caller is responsible for de-
allocating memory using GSS_Release_buffer
Return major_status codes: Return major_status codes:
o GSS_S_COMPLETE indicates no error. o GSS_S_COMPLETE indicates no error.
o GSS_S_UNAVAILABLE indicates that the given attribute OID is not o GSS_S_UNAVAILABLE indicates that the given attribute OID is not
known or set. known or set.
o GSS_S_FAILURE indicates a general error. o GSS_S_FAILURE indicates a general error.
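Review bot: In the new 7.4 outputs, display_values is declared SET OF STRING but the caller is told to release it with GSS_Release_buffer, whereas values in 7.4 and attrs in 7.3 are sets released with GSS_Release_buffer_set. A set paired with the single-buffer release call invites a leak or a mismatched free, so either name GSS_Release_buffer_set here or state that the wording describes the one-value-per-call C binding. Two related points in the same region: new 7.1 says implementations "must implement" the GFD.024 type in lowercase, which is ambiguous under the RFC 2119 conventions in Section 1, and the text added after the 7.3.1 binding describes gss_buffer_set_t as a NULL-terminated array while also deferring to GFD.024 for the definition, so that sentence should be checked against GFD.024 and cut back to the reference if the two differ.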
skipping to change at page 10, line 16 skipping to change at page 10, line 36
attributes about a name this flag may be highly dangerous and SHOULD attributes about a name this flag may be highly dangerous and SHOULD
NOT be used. NOT be used.
NOTE: This function relies on the GSS-API notion of "SET OF" allowing NOTE: This function relies on the GSS-API notion of "SET OF" allowing
for order preservation; this has been discussed on the KITTEN WG for order preservation; this has been discussed on the KITTEN WG
mailing list and the consensus seems to be that, indeed, that was mailing list and the consensus seems to be that, indeed, that was
always the intention. It should be noted however that the order always the intention. It should be noted however that the order
presented does not always reflect an underlying order of the presented does not always reflect an underlying order of the
mechanism specific source of the attribute values. mechanism specific source of the attribute values.
7.3.1. C-Bindings 7.4.1. C-Bindings
The C-bindings of GSS_Get_name_attribute() requires one function call The C-bindings of GSS_Get_name_attribute() requires one function call
per-attribute value, for multi-valued name attributes. This is done per-attribute value, for multi-valued name attributes. This is done
by using a single gss_buffer_t for each value and an input/output by using a single gss_buffer_t for each value and an input/output
integer parameter to distinguish initial and subsequent calls and to integer parameter to distinguish initial and subsequent calls and to
indicate when all values have been obtained. indicate when all values have been obtained.
The 'more' input/output parameter should point to an integer variable The 'more' input/output parameter should point to an integer variable
whose value, on first call to gss_name_attribute_get() MUST be -1, whose value, on first call to gss_name_attribute_get() MUST be -1,
and whose value upon function call return will be non-zero to and whose value upon function call return will be non-zero to
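Review bot: The 7.4.1 prose still refers to gss_name_attribute_get(), which matches neither the GSS_Get_name_attribute() heading nor the gss_set_name_attribute / gss_delete_name_attribute pattern of the other bindings. Since -10 already normalises gss_display_name_ext to lowercase, rename this reference to gss_get_name_attribute() in the same pass so implementers do not end up with two spellings of the symbol.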
skipping to change at page 10, line 44 skipping to change at page 11, line 16
OM_uint32 *minor_status, OM_uint32 *minor_status,
gss_name_t name, gss_name_t name,
gss_buffer_t attr, gss_buffer_t attr,
int *authenticated, int *authenticated,
int *complete, int *complete,
gss_buffer_t value, gss_buffer_t value,
gss_buffer_t display_value, gss_buffer_t display_value,
int *more int *more
); );
7.4. GSS_Set_name_attribute() 7.5. GSS_Set_name_attribute()
Inputs: Inputs:
o name NAME, o name INTERNAL NAME,
o complete BOOLEAN, -- TRUE iff this represents a complete set of o complete BOOLEAN, -- TRUE iff this represents a complete set of
values for the name. values for the name.
o attr STRING, o attr OCTET STRING,
o values SET OF OCTET STRING o values SET OF OCTET STRING
Outputs: Outputs:
o major_status INTEGER, o major_status INTEGER,
o minor_status INTEGER o minor_status INTEGER
Return major_status codes: Return major_status codes:
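Review bot: attr changes from STRING to OCTET STRING in the GSS_Set_name_attribute() inputs only, while GSS_Get_name_attribute() (7.4) and GSS_Delete_name_attribute() (7.6) still declare attr STRING and Section 6 says attribute names are represented as STRING elements. All three C bindings take gss_buffer_t attr, so pick one abstract type and apply it to all three calls and to Section 6.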
skipping to change at page 11, line 39 skipping to change at page 12, line 12
In the federated case when several peers may hold some of the In the federated case when several peers may hold some of the
attributes about a name this flag may be highly dangerous and SHOULD attributes about a name this flag may be highly dangerous and SHOULD
NOT be used. NOT be used.
NOTE: This function relies on the GSS-API notion of "SET OF" allowing NOTE: This function relies on the GSS-API notion of "SET OF" allowing
for order preservation; this has been discussed on the KITTEN WG for order preservation; this has been discussed on the KITTEN WG
mailing list and the consensus seems to be that, indeed, that was mailing list and the consensus seems to be that, indeed, that was
always the intention. It should be noted that underlying mechanisms always the intention. It should be noted that underlying mechanisms
may not respect the given order. may not respect the given order.
7.4.1. C-Bindings 7.5.1. C-Bindings
The C-bindings of GSS_Set_name_attribute() requires one function call The C-bindings of GSS_Set_name_attribute() requires one function call
per-attribute value, for multi-valued name attributes -- each call per-attribute value, for multi-valued name attributes -- each call
adds one value. To replace an attribute's every value delete the adds one value. To replace an attribute's every value delete the
attribute's values first with GSS_Delete_name_attribute(). attribute's values first with GSS_Delete_name_attribute().
OM_uint32 gss_set_name_attribute( OM_uint32 gss_set_name_attribute(
OM_uint32 *minor_status, OM_uint32 *minor_status,
gss_name_t name, gss_name_t name,
int complete, int complete,
skipping to change at page 12, line 4 skipping to change at page 12, line 25
per-attribute value, for multi-valued name attributes -- each call per-attribute value, for multi-valued name attributes -- each call
adds one value. To replace an attribute's every value delete the adds one value. To replace an attribute's every value delete the
attribute's values first with GSS_Delete_name_attribute(). attribute's values first with GSS_Delete_name_attribute().
OM_uint32 gss_set_name_attribute( OM_uint32 gss_set_name_attribute(
OM_uint32 *minor_status, OM_uint32 *minor_status,
gss_name_t name, gss_name_t name,
int complete, int complete,
gss_buffer_t attr, gss_buffer_t attr,
gss_buffer_t value gss_buffer_t value
); );
7.5. GSS_Delete_name_attribute() 7.6. GSS_Delete_name_attribute()
Inputs: Inputs:
o name NAME, o name INTERNAL NAME,
o attr STRING, o attr STRING,
Outputs: Outputs:
o major_status INTEGER, o major_status INTEGER,
o minor_status INTEGER o minor_status INTEGER
Return major_status codes: Return major_status codes:
skipping to change at page 12, line 36 skipping to change at page 13, line 10
known. known.
o GSS_S_UNAUTHORIZED indicates that a forbidden delete operation was o GSS_S_UNAUTHORIZED indicates that a forbidden delete operation was
attempted eg deleting a negative attribute. attempted eg deleting a negative attribute.
o GSS_S_FAILURE indicates a general error. o GSS_S_FAILURE indicates a general error.
Deletion of negative authenticated attributes from NAME objects MUST Deletion of negative authenticated attributes from NAME objects MUST
NOT be allowed and must result in a GSS_S_UNAUTHORIZED. NOT be allowed and must result in a GSS_S_UNAUTHORIZED.
7.5.1. C-Bindings 7.6.1. C-Bindings
OM_uint32 gss_delete_name_attribute( OM_uint32 gss_delete_name_attribute(
OM_uint32 *minor_status, OM_uint32 *minor_status,
gss_name_t name, gss_name_t name,
gss_buffer_t attr gss_buffer_t attr
); );
7.6. GSS_Export_name_composite() 7.7. GSS_Export_name_composite()
Inputs: Inputs:
o name NAME o name INTERNAL NAME
Outputs: Outputs:
o major_status INTEGER, o major_status INTEGER,
o minor_status INTEGER, o minor_status INTEGER,
o exp_composite_name OCTET STRING o exp_composite_name OCTET STRING -- the caller is responsible for
de-allocating memory using GSS_Release_buffer
Return major_status codes: Return major_status codes:
o GSS_S_COMPLETE indicates no error. o GSS_S_COMPLETE indicates no error.
o GSS_S_FAILURE indicates a general error. o GSS_S_FAILURE indicates a general error.
This function outputs a token which can be imported with This function outputs a token which can be imported with
GSS_Import_name(), using GSS_C_NT_COMPOSITE_EXPORT as the name type GSS_Import_name(), using GSS_C_NT_COMPOSITE_EXPORT as the name type
and which preserves any name attribute information associated with and which preserves any name attribute information associated with
the input name (which GSS_Export_name() may well not). The token the input name (which GSS_Export_name() may well not). The token
format is no specified here as this facility is intended for inter- format is no specified here as this facility is intended for inter-
process communication only; however, all such tokens MUST start with process communication only; however, all such tokens MUST start with
a two-octet token ID, hex 04 02, in network byte order. a two-octet token ID, hex 04 02, in network byte order.
The OID for GSS_C_NT_COMPOSITE_EXPORT is <TBD>. The OID for GSS_C_NT_COMPOSITE_EXPORT is <TBD>.
7.6.1. C-Bindings 7.7.1. C-Bindings
OM_uint32 gss_export_name_composite( OM_uint32 gss_export_name_composite(
OM_uint32 *minor_status, OM_uint32 *minor_status,
gss_name_t name, gss_name_t name,
gss_buffer_t exp_composite_name gss_buffer_t exp_composite_name
); );
8. IANA Considerations 8. IANA Considerations
This document creates a namespace of GSS-API name attributes. This document creates a namespace of GSS-API name attributes.
Attributes are named by URIs, so no single authority is technically Attributes are named by URIs, so no single authority is technically
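Review bot: In 7.6, "MUST NOT be allowed and must result in a GSS_S_UNAUTHORIZED" mixes an RFC 2119 keyword with a lowercase "must" in one sentence; if returning GSS_S_UNAUTHORIZED is a requirement, write MUST. In 7.7, "The token format is no specified here" should read "not specified", and the OID for GSS_C_NT_COMPOSITE_EXPORT is still <TBD> in -10, so it needs to be assigned or listed as an open item before the name type can be passed to GSS_Import_name().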
skipping to change at page 16, line 4 skipping to change at page 16, line 24
Austin, TX 78727 Austin, TX 78727
US US
Email: Nicolas.Williams@sun.com Email: Nicolas.Williams@sun.com
Leif Johansson Leif Johansson
Swedish University Network Swedish University Network
Thulegatan 11 Thulegatan 11
Stockholm Stockholm
Sweden Sweden
Email: leifj@sunet.se Email: leifj@sunet.se
URI: http://www.sunet.se URI: http://www.sunet.se
Sam Hartman
Painless Security
Phone:
Fax:
Email: hartmans-ietf@mit.edu
URI:
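Review bot: The new Sam Hartman entry carries empty "Phone:", "Fax:" and "URI:" fields; drop the empty lines so the block matches the other authors' entries, which list only the fields that have values.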
 End of changes. 39 change blocks. 
63 lines changed or deleted 87 lines changed or added
