summaryrefslogtreecommitdiff
path: root/third_party/heimdal/doc/standardisation/draft-ietf-kitten-gssapi-domain-based-names-01.txt
diff options
context:
space:
mode:
Diffstat (limited to 'third_party/heimdal/doc/standardisation/draft-ietf-kitten-gssapi-domain-based-names-01.txt')
-rw-r--r--third_party/heimdal/doc/standardisation/draft-ietf-kitten-gssapi-domain-based-names-01.txt617
1 files changed, 617 insertions, 0 deletions
diff --git a/third_party/heimdal/doc/standardisation/draft-ietf-kitten-gssapi-domain-based-names-01.txt b/third_party/heimdal/doc/standardisation/draft-ietf-kitten-gssapi-domain-based-names-01.txt
new file mode 100644
index 00000000000..50cd5b9d9ca
--- /dev/null
+++ b/third_party/heimdal/doc/standardisation/draft-ietf-kitten-gssapi-domain-based-names-01.txt
@@ -0,0 +1,617 @@
+
+
+
+NETWORK WORKING GROUP N. Williams
+Internet-Draft Sun
+Expires: April 19, 2006 October 16, 2005
+
+
+ GSS-API Domain-Based Service Names and Name Type
+ draft-ietf-kitten-gssapi-domain-based-names-01.txt
+
+Status of this Memo
+
+ By submitting this Internet-Draft, each author represents that any
+ applicable patent or other IPR claims of which he or she is aware
+ have been or will be disclosed, and any of which he or she becomes
+ aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on April 19, 2006.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2005).
+
+Abstract
+
+ This document describes domainname-based service principal names and
+ the corresponding name type for the Generic Security Service
+ Application Programming Interface (GSS-API).
+
+ Domain-based service names are similar to host-based service names,
+ but using a domain name (not necessarily and Internat domain name)
+ instead of or in addition to a hostname. The primary purpose of
+ domain-based service names is to provide a way to name clustered
+ services after the domain which they service, thereby allowing their
+
+
+
+Williams Expires April 19, 2006 [Page 1]
+
+Internet-Draft GSS Domain Based Names October 2005
+
+
+ clients to authorize the service's servers based on authentication of
+ their names.
+
+
+Table of Contents
+
+ 1. Conventions used in this document . . . . . . . . . . . . . 3
+ 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
+ 3. Name Type OID and Symbolic Name . . . . . . . . . . . . . . 5
+ 4. Query and Display Syntaxes . . . . . . . . . . . . . . . . . 6
+ 5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 7
+ 6. Security Considerations . . . . . . . . . . . . . . . . . . 8
+ 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
+ 7.1. Normative . . . . . . . . . . . . . . . . . . . . . . . . . 9
+ 7.2. Informative . . . . . . . . . . . . . . . . . . . . . . . . 9
+ Author's Address . . . . . . . . . . . . . . . . . . . . . . 10
+ Intellectual Property and Copyright Statements . . . . . . . 11
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Williams Expires April 19, 2006 [Page 2]
+
+Internet-Draft GSS Domain Based Names October 2005
+
+
+1. Conventions used in this document
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Williams Expires April 19, 2006 [Page 3]
+
+Internet-Draft GSS Domain Based Names October 2005
+
+
+2. Introduction
+
+ The use of hostbased principal names for domain-wide services
+ presents the problem of how to distinguish between an instance of a
+ hostbased service that is authorized to respond for a domain and one
+ that isn't.
+
+ Consider LDAP. LDAP [RFC3377] with SASL [RFC2222] and the Kerberos V
+ mechanism [RFC1964] for the GSS-API [RFC2743] uses a hostbased
+ principal with a service name of "ldap", a reasonable approach,
+ provided there is only one logical LDAP directory in a Kerberos
+ realm's domain, and that all ldap servers in that realm serve that
+ one LDAP directory. If there were other LDAP directories, then
+ clients could not tell which service is authorized to serve which
+ directory, not without assuming a secure method for finding LDAP
+ servers (e.g., DNSSEC). This is a significant, and oft-unstated
+ restriction on users of LDAP.
+
+ Domain based names can eliminate this problem by allowing LDAP
+ service names to indicate which LDAP directory they are authorized to
+ serve.
+
+ A domain-based name consists of three required elements:
+
+ o a service name
+
+ o a domain name
+
+ o a hostname
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Williams Expires April 19, 2006 [Page 4]
+
+Internet-Draft GSS Domain Based Names October 2005
+
+
+3. Name Type OID and Symbolic Name
+
+ The new name type has an OID of
+
+ [NOTE: OID assignment to be made with IANA.]
+
+ {iso(1) org(3) dod(6) internet(1) security(5) nametypes(6) gss-
+ domain-based(5)}
+
+ The recommended symbolic name for this GSS-API name type is
+ "GSS_C_NT_DOMAINBASED_SERVICE".
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Williams Expires April 19, 2006 [Page 5]
+
+Internet-Draft GSS Domain Based Names October 2005
+
+
+4. Query and Display Syntaxes
+
+ There is a single name syntax for domain-based names.
+
+ The syntax is:
+
+ domain-based-name :=
+
+ | <service> '@' <domain> '@' <hostname>
+
+ Note that for Internet domain names the trailing '.' is not and MUST
+ NOT be included in the domain name (or hostname) parts of the display
+ form GSS-API domain-based MNs.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Williams Expires April 19, 2006 [Page 6]
+
+Internet-Draft GSS Domain Based Names October 2005
+
+
+5. Examples
+
+ o ldap@example.tld@ds1.example.tld
+
+ o kadmin@example.tld@kdc1.example.tld
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Williams Expires April 19, 2006 [Page 7]
+
+Internet-Draft GSS Domain Based Names October 2005
+
+
+6. Security Considerations
+
+ Use of GSS-API domain-based names may not be negotiable by some GSS-
+ API mechanisms, and some acceptors may not support GSS-API domain-
+ based names. In such cases initiators are left to fallback on the
+ use of hostbased names, in which case the initiators MUST also verify
+ that the acceptor's hostbased name is authorized to provide the given
+ service for the domain that the initiator had wanted.
+
+ The above security consideration also applies to all GSS-API
+ initiators who lack support for domain-based service names.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Williams Expires April 19, 2006 [Page 8]
+
+Internet-Draft GSS Domain Based Names October 2005
+
+
+7. References
+
+7.1. Normative
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2743] Linn, J., "Generic Security Service Application Program
+ Interface Version 2, Update 1", RFC 2743, January 2000.
+
+7.2. Informative
+
+ [RFC1964] Linn, J., "The Kerberos Version 5 GSS-API Mechanism",
+ RFC 1964, June 1996.
+
+ [RFC2222] Myers, J., "Simple Authentication and Security Layer
+ (SASL)", RFC 2222, October 1997.
+
+ [RFC3377] Hodges, J. and R. Morgan, "Lightweight Directory Access
+ Protocol (v3): Technical Specification", RFC 3377,
+ September 2002.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Williams Expires April 19, 2006 [Page 9]
+
+Internet-Draft GSS Domain Based Names October 2005
+
+
+Author's Address
+
+ Nicolas Williams
+ Sun Microsystems
+ 5300 Riata Trace Ct
+ Austin, TX 78727
+ US
+
+ Email: Nicolas.Williams@sun.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Williams Expires April 19, 2006 [Page 10]
+
+Internet-Draft GSS Domain Based Names October 2005
+
+
+Intellectual Property Statement
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+
+Disclaimer of Validity
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Copyright Statement
+
+ Copyright (C) The Internet Society (2005). This document is subject
+ to the rights, licenses and restrictions contained in BCP 78, and
+ except as set forth therein, the authors retain all their rights.
+
+
+Acknowledgment
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+Williams Expires April 19, 2006 [Page 11]
+
+
View Lorry Controller Status