summaryrefslogtreecommitdiff
path: root/third_party/heimdal/doc/standardisation/draft-perez-krb-wg-gss-preauth-03.txt
diff options
context:
space:
mode:
Diffstat (limited to 'third_party/heimdal/doc/standardisation/draft-perez-krb-wg-gss-preauth-03.txt')
-rw-r--r--third_party/heimdal/doc/standardisation/draft-perez-krb-wg-gss-preauth-03.txt616
1 files changed, 616 insertions, 0 deletions
diff --git a/third_party/heimdal/doc/standardisation/draft-perez-krb-wg-gss-preauth-03.txt b/third_party/heimdal/doc/standardisation/draft-perez-krb-wg-gss-preauth-03.txt
new file mode 100644
index 00000000000..e4c07b1db79
--- /dev/null
+++ b/third_party/heimdal/doc/standardisation/draft-perez-krb-wg-gss-preauth-03.txt
@@ -0,0 +1,616 @@
+
+
+
+
+Kerberos Working Group A. Perez-Mendez
+Internet-Draft Jisc
+Intended status: Experimental R. Marin-Lopez
+Expires: 27 March 2022 University of Murcia
+ F. Pereniguez-Garcia
+ University Defense Center
+ G. Lopez-Millan
+ University of Murcia
+ L. Howard-Bentata
+ PADL Software Pty Ltd
+ September 2021
+
+
+ GSS-API pre-authentication for Kerberos
+ draft-perez-krb-wg-gss-preauth-03
+
+Abstract
+
+ This document describes a pre-authentication mechanism for Kerberos
+ based on the Generic Security Service Application Program Interface
+ (GSS-API), which allows a Key Distribution Center (KDC) to
+ authenticate clients by using a GSS mechanism.
+
+Status of This Memo
+
+ This Internet-Draft is submitted in full conformance with the
+ provisions of BCP 78 and BCP 79.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF). Note that other groups may also distribute
+ working documents as Internet-Drafts. The list of current Internet-
+ Drafts is at https://datatracker.ietf.org/drafts/current/.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ This Internet-Draft will expire on 5 March 2022.
+
+Copyright Notice
+
+ Copyright (c) 2021 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents (https://trustee.ietf.org/
+ license-info) in effect on the date of publication of this document.
+
+
+
+Perez-Mendez, et al. Expires 27 March 2022 [Page 1]
+
+Internet-Draft GSS-API pre-auth September 2021
+
+
+ Please review these documents carefully, as they describe your rights
+ and restrictions with respect to this document. Code Components
+ extracted from this document must include Simplified BSD License text
+ as described in Section 4.e of the Trust Legal Provisions and are
+ provided without warranty as described in the Simplified BSD License.
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
+ 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
+ 2. Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 2.1. Cookie Support . . . . . . . . . . . . . . . . . . . . . 3
+ 2.2. More Pre-Authentication Data Required . . . . . . . . . . 3
+ 2.3. Support for Exporting Partially Established Contexts . . 4
+ 2.4. Processing of Channel Bindings in Single Round-Trip . . . 4
+ 3. Definition of the GSS padata . . . . . . . . . . . . . . . . 4
+ 4. GSS-API Pre-authentication Operation . . . . . . . . . . . . 4
+ 4.1. Kerberos client (GSS-API initiator) . . . . . . . . . . . 4
+ 4.2. KDC (GSS-API acceptor) . . . . . . . . . . . . . . . . . 5
+ 5. Indication of Supported Mechanisms . . . . . . . . . . . . . 6
+ 6. Reply Key Derivation . . . . . . . . . . . . . . . . . . . . 7
+ 7. Naming . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
+ 8. Anonymous Authentication . . . . . . . . . . . . . . . . . . 8
+ 9. Security Considerations . . . . . . . . . . . . . . . . . . . 8
+ 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
+ 11. Normative References . . . . . . . . . . . . . . . . . . . . 9
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10
+
+1. Introduction
+
+ The Generic Security Service Application Programming Interface (GSS-
+ API) [RFC2743] provides a framework for authentication and message
+ protection services through a common programming interface, allowing
+ applications to remain agnostic from the selected mechanism.
+
+ Kerberos [RFC4120] is an authentication service based on the Needham-
+ Schroeder symmetric key protocol. It includes a facility called pre-
+ authentication designed to ensure clients prove knowledge of their
+ long-term key before the Key Distribution Center (KDC) issues a
+ ticket. Typical pre-authentication mechanisms include encrypted
+ timestamp [RFC4120] and public key certificates [RFC4556]. Pre-
+ authentication data in these messages provides a typed hole for
+ exchanging information used to authenticate the client.
+
+ [RFC6113] specifies a framework for pre-authentication in Kerberos,
+ describing the features such a pre-authentication mechanism may
+ provide such as authenticating the client and/or KDC and
+ strengthening or replacing the reply key in the AS-REP. FAST
+
+
+
+Perez-Mendez, et al. Expires 27 March 2022 [Page 2]
+
+Internet-Draft GSS-API pre-auth September 2021
+
+
+ (Flexible Authentication Secure Tunneling) provides a generic and
+ secure transport for pre-authentication elements prior to the
+ exchange of any pre-authentication data. The inner pre-
+ authentication mechanism is called a FAST factor. FAST factors can
+ generally not be used outside FAST as they assume the underlying
+ security layer provided by FAST.
+
+ This document defines a new pre-authentication method that relies on
+ GSS-API security services to pre-authenticate Kerberos clients. This
+ method allows the KDC to authenticate clients using any current or
+ future GSS-API mechanism, as long as they satisfy the minimum
+ security requirements described in this specification. The Kerberos
+ client assumes the role of the GSS-API initiator, and the
+ Authentication Service (AS) the role of the GSS-API acceptor. It may
+ be used as a FAST factor or without FAST.
+
+ This work was originally motivated by the desire to allow Kerberos to
+ use the protocols defined in [RFC7055] to authenticate federated
+ users with EAP.
+
+1.1. Requirements Language
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+2. Prerequisites
+
+2.1. Cookie Support
+
+ KDCs which support GSS-API pre-authentication with mechanisms that
+ require more than one round-trip to establish a security context MUST
+ have a secure mechanism for retaining state between AS-REQs. For
+ stateless KDC implementations, this will typically be a digest of the
+ initial KDC-REQ-BODY concatenated with a GSS_Export_sec_context()
+ token, encrypted in a key known only to the KDC and protected from
+ replay attacks (see Section 5.2 of [RFC6113]). The format of the PA-
+ FX-COOKIE is implementation defined.
+
+ Clients that support GSS-API pre-authentication with mechanisms that
+ require more than one round-trip MUST echo the received PA-FX-COOKIE
+ in the next AS-REQ (within a given conversation).
+
+2.2. More Pre-Authentication Data Required
+
+ Both KDCs and clients which implement GSS-API pre-authentication MUST
+ support the use of KDC_ERR_MORE_PREAUTH_DATA_REQUIRED, as decribed in
+ Section 5.2 of [RFC6113].
+
+
+
+Perez-Mendez, et al. Expires 27 March 2022 [Page 3]
+
+Internet-Draft GSS-API pre-auth September 2021
+
+
+2.3. Support for Exporting Partially Established Contexts
+
+ KDC implementations that use exported context tokens to maintain
+ state will call GSS_Export_sec_context() and GSS_Import_sec_context()
+ on partially established acceptor contexts. This may require
+ modifications to the mechanism implementation, as [RFC2743] only
+ requires these functions succeed on fully established contexts.
+
+2.4. Processing of Channel Bindings in Single Round-Trip
+
+ The client's KDC request is bound to the GSS-API context
+ establishment through the use of channel bindings. GSS-API
+ mechanisms that require more than one round-trip do not expose at
+ which point in the exchange the channel bindings are validated, and
+ assume they are constant for all context establishment calls. In
+ this specification, the channel bindings contain the encoded client
+ request body, which may vary for each round-trip if a fresh nonce is
+ used on each request.
+
+ To accommodate this, and to avoid re-encoding the request body
+ without the nonce, this specification imposes the additional
+ requirement that the GSS-API mechanism processes channel bindings in
+ a single round-trip within the pre-authentication conversation.
+
+3. Definition of the GSS padata
+
+ The GSS-API defines an exchange of opaque tokens between the
+ initiator (client) and acceptor (service) in order to authenticate
+ each party. GSS-API does not define the transport over which these
+ tokens are carried. This specification defines a Kerberos pre-
+ authentication type, PA-GSS, which carries a GSS-API context token
+ from the Kerberos client to the AS and vice versa.
+
+ PA-GSS 633
+ -- output_token from GSS_Init_sec_context()
+ -- or GSS_Accept_sec_context()
+
+4. GSS-API Pre-authentication Operation
+
+4.1. Kerberos client (GSS-API initiator)
+
+ The Kerberos client begins by calling GSS_Init_sec_context() with the
+ desired credential handle and the target name of the TGS, including
+ the instance and realm. If the underlying mechanism supports
+ Kerberos names, the TGS name MUST be imported as a
+ GSS_KRB5_NT_PRINCIPAL_NAME; otherwise, it SHALL be imported as a
+ GSS_C_NT_HOSTBASED_SERVICE with "krbtgt" as the "service" element and
+ the TGS realm as the "hostname" element (see [RFC2743] Section 4.1).
+
+
+
+Perez-Mendez, et al. Expires 27 March 2022 [Page 4]
+
+Internet-Draft GSS-API pre-auth September 2021
+
+
+ In the first call to GSS_Init_sec_context(), input_context_handle is
+ GSS_C_NO_CONTEXT and input_token is empty. In subsequent calls the
+ client uses the context_handle value obtained after the first call,
+ and the input_token received from the KDC. The mutual_req_flag MUST
+ be set.
+
+ In order to bind the GSS-API and Kerberos message exchanges, the DER-
+ encoded KDC-REQ-BODY from the AS-REQ is passed as channel binding
+ application data. As the nonce may differ between requests (see
+ [RFC6113] Section 5.4.3), this requires the GSS-API mechanism to
+ process the channel binding information in a single round-trip. To
+ avoid this potential interoperability issue, clients MAY use a single
+ nonce for all messages in a conversation once GSS-API pre-
+ authentication has commenced.
+
+ If GSS_Init_sec_context() returns GSS_S_CONTINUE_NEEDED, the
+ output_token is sent to the KDC in the PA-GSS pre-authentication data
+ and the client expects either a KRB-ERROR containing another context
+ token, or an AS-REP optionally containing a final context token.
+
+ Once GSS_Init_sec_context() returns GSS_S_COMPLETE, the context is
+ ready for use. The AS-REP is decrypted using the reply key (see
+ Section 6) and the Kerberos client name MAY be replaced by the AS-REP
+ cname (see Section 7). The client MUST fail if the mutual_state flag
+ is not set when fully established, unless the KDC was authenticated
+ by some other means such as a FAST armor.
+
+ The response received from the KDC must agree with the expected
+ status from GSS_Init_sec_context(). It is a state violation to
+ receive an AS-REP from the KDC when the initiator still has
+ additional tokens to send to the KDC (GSS_S_CONTINUE_NEEDED), or
+ conversely to receive KDC_ERR_MORE_PREAUTH_DATA_REQUIRED if the
+ context from the initiator's perspective was already open
+ (GSS_S_COMPLETE).
+
+ When receiving a KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error from the
+ KDC, an PA-FX-COOKIE from the KDC MUST be present and copied into the
+ subsequent AS-REQ.
+
+4.2. KDC (GSS-API acceptor)
+
+ When the KDC receives an AS-REQ message containing PA-GSS pre-
+ authentication data, it first looks for an PA-FX-COOKIE and if
+ present retrieves the context handle associated with the cookie,
+ typically by passing the context token from the decrypted cookie to
+ GSS_Import_sec_context(). The absence of an PA-FX-COOKIE indicates a
+ new conversation and the client sending an initial context token.
+
+
+
+
+Perez-Mendez, et al. Expires 27 March 2022 [Page 5]
+
+Internet-Draft GSS-API pre-auth September 2021
+
+
+ The KDC SHALL associate the KDC-REQ-BODY of the initial request with
+ the pre-authentication conversation. On subsequent requests, the KDC
+ MUST abort the conversation and return an error if the KDC-REQ-BODY
+ differs from the initial request. The nonce is excluded from this
+ comparison. This extends the protection afforded by the channel
+ binding to all requests in the conversation, not just the request
+ where the mechanism validated the channel bindings. (No specific
+ implementation is required, but one approach would be for the KDC to
+ include a digest of the KDC-REQ-BODY with the nonce set to zero in
+ the PA-FX-COOKIE contents.)
+
+ If no PA-GSS pre-authentication data is present, the KDC cannot
+ continue with GSS-API pre-authentication and will continue with other
+ pre-authentication methods or return an error as determined by local
+ policy. If PA-GSS pre-authentication data is present but empty, the
+ KDC SHALL return a KDC_ERR_PREAUTH_FAILED error. Otherwise,
+ GSS_Accept_sec_context() is called with the acceptor credential
+ handle, the token provided in the PA-GSS pre-authentication data, and
+ channel binding application data containing the DER-encoded KDC-REQ-
+ BODY.
+
+ If GSS_Accept_sec_context() returns GSS_S_CONTINUE_NEEDED, the KDC
+ returns a KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error with the output
+ token included as PA-GSS pre-authentication data. The acceptor state
+ is encoded, typically by calling GSS_Export_sec_context(), and the
+ encrypted result is placed in an PA-FX-COOKIE.
+
+ If GSS_Accept_sec_context() returns GSS_S_COMPLETE, the context is
+ ready for use and an AS-REP is returned using the reply key specified
+ in Section 6. Otherwise, an appropriate error such as
+ KDC_ERR_PREAUTH_FAILED is returned to the client and the conversation
+ is aborted. If the mechanism emitted an error token on failure, it
+ SHOULD be returned to the client.
+
+ If the GSS-API mechanism requires an odd number of messages to
+ establish a security context, the KDC MUST include an empty GSS-PA
+ pre-authentication data in the last message of a successful
+ conversation.
+
+5. Indication of Supported Mechanisms
+
+ When the KDC sends a KDC_ERR_PREAUTH_REQUIRED error to the client, it
+ MAY include a pre-authentication data element indicating the set of
+ supported mechanisms. The pre-authentication data comprises of a
+ SPNEGO server initiated initial context token as defined in [MS-SPNG]
+ 3.2.5.2, containing the list of mechanisms supported by the acceptor.
+ Context state is discarded and as such the first PA-GSS from the
+ client is always an InitialContextToken ([RFC2743] Section 3.1).
+
+
+
+Perez-Mendez, et al. Expires 27 March 2022 [Page 6]
+
+Internet-Draft GSS-API pre-auth September 2021
+
+
+6. Reply Key Derivation
+
+ The GSS-API pre-authentication mechanism proposed in this draft
+ provides the Replace Reply Key facility [RFC6113].
+
+ After authentication is complete, the client and KDC replace the AS-
+ REP reply key with the output of calling GSS_Pseudo_random()
+ [RFC4401] with the following parameters:
+
+ context The initiator or acceptor context handle
+
+ prf_key GSS_C_PRF_KEY_FULL
+
+ prf_in KRB-GSS || 0x00 || AS-REQ nonce
+
+ desired_output_len The length in bytes of original reply key
+
+ The nonce is the nonce of the final AS-REQ in the conversation, and
+ is encoded as the little-endian binary representation of 4 bytes.
+ The new reply key has the same key type as the original key. If FAST
+ is used, the new reply key SHOULD be strengthened by including a
+ strengthen key in the KrbFastResponse.
+
+7. Naming
+
+ This specification permits Kerberos clients to authenticate without
+ knowing how the KDC will map their GSS-API initiator name to a
+ Kerberos principal. In such cases the client SHALL set the value of
+ the cname field in the AS-REQ to the well-known [RFC6111] value
+ WELLKNOWN/FEDERATED, replacing it after a successful conversation
+ with the client name returned in the AS-REP.
+
+ When the initiator knows the Kerberos client name it wishes to
+ authenticate as, and the mechanism supports Kerberos names, the name
+ MUST be imported using the GSS_KRB5_NT_PRINCIPAL_NAME name type.
+ Otherwise, GSS_C_NT_USER_NAME SHOULD be used when importing NT-
+ PRINCIPAL names in the local realm, or NT-ENTERPRISE [RFC6806] names.
+ GSS_C_NT_HOSTBASED_SERVICE SHOULD be used when importing NT-SRV-HOST
+ or NT-SRV-INST names with a single instance.
+
+ This specification does not mandate a specific mapping of GSS-API
+ initiator names to Kerberos principal names. KDCs MAY use the NT-
+ ENTERPRISE principal name type to avoid conflating any domain- or
+ realm-like components of initiator names with Kerberos realms.
+
+ The KDC MAY include an AD-GSS-COMPOSITE-NAME authorization data
+ element, containing name attribute information. Its value is the
+ exp_composite_name octet string resulting from a successful call to
+
+
+
+Perez-Mendez, et al. Expires 27 March 2022 [Page 7]
+
+Internet-Draft GSS-API pre-auth September 2021
+
+
+ GSS_Export_name_composite() [RFC6680]. It SHOULD be enclosed in a
+ AD-IF-RELEVANT container. The format of composite name tokens is
+ implementation dependent; services that cannot parse the name token
+ MUST fail if the authorization data element was not enclosed in AD-
+ IF-RELEVANT.
+
+8. Anonymous Authentication
+
+ If the client wishes to authenticate anonymously using GSS-API pre-
+ authentication, it MUST specify both the request-anonymous flag in
+ the AS-REQ and anon_req_flag in the call to GSS_Init_sec_context().
+ If GSS_Accept_sec_context() set anon_state and returned an initiator
+ name of type GSS_C_NT_ANONYMOUS, the KDC MUST map the user to the
+ well-known anonymous PKINIT principal and realm defined in [RFC8062].
+
+ If GSS_Accept_sec_context() set anon_state but did not return an
+ initiator name of type GSS_C_NT_ANONYMOUS, then the KDC MUST return
+ the well-known anonymous principal but it MAY include the realm of
+ the initiator.
+
+9. Security Considerations
+
+ The client SHOULD use FAST armor to protect the pre-authentication
+ conversation.
+
+ The KDC MUST maintain confidentiality and integrity of the PA-FX-
+ COOKIE contents, typically by encrypting it using a key known only to
+ itself. Cookie values SHOULD be protected from replay attacks by
+ limiting their validity period and binding their contents to the
+ client name in the AS-REQ.
+
+ The establishment of a GSS-API security context is bound to the
+ client's AS-REQ through the inclusion of the encoded KDC-REQ-BODY as
+ channel bindings (see Section 4.1), and the nonce as input to the key
+ derivation function (see Section 6). By asserting the KDC-REQ-BODY
+ does not change during the conversation (nonce notwithstanding), the
+ channel bindings protect all request bodies in the conversation.
+
+ The KDC MAY wish to restrict the set of GSS-API mechanisms it will
+ accept requests from. When using SPNEGO [RFC4178] with GSS-API pre-
+ authentication, the client should take care not to select a mechanism
+ with weaker security properties than a different non-GSS-API pre-
+ authentication type that could have been used.
+
+ If mutual_state is false after GSS_Init_sec_context() completes, the
+ client MUST ensure that the KDC was authenticated by some other
+ means.
+
+
+
+
+Perez-Mendez, et al. Expires 27 March 2022 [Page 8]
+
+Internet-Draft GSS-API pre-auth September 2021
+
+
+10. IANA Considerations
+
+ Assign PA-GSS value in Pre-authentication and Typed Data, Kerberos
+ Parameters registry (preference for 633).
+
+ The ad-type number 633 (TBD) is assigned for AD-GSS-COMPOSITE-NAME,
+ updating the table in Section 7.5.4 of [RFC4120].
+
+11. Normative References
+
+ [MS-SPNG] "Simple and Protected GSS-API Negotiation Mechanism
+ (SPNEGO) Extension", <https://docs.microsoft.com/en-
+ us/openspecs/windows_protocols/ms-spng/f377a379-c24f-4a0f-
+ a3eb-0d835389e28a>.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119,
+ DOI 10.17487/RFC2119, March 1997,
+ <https://www.rfc-editor.org/info/rfc2119>.
+
+ [RFC2743] Linn, J., "Generic Security Service Application Program
+ Interface Version 2, Update 1", RFC 2743,
+ DOI 10.17487/RFC2743, January 2000,
+ <https://www.rfc-editor.org/info/rfc2743>.
+
+ [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
+ Kerberos Network Authentication Service (V5)", RFC 4120,
+ DOI 10.17487/RFC4120, July 2005,
+ <https://www.rfc-editor.org/info/rfc4120>.
+
+ [RFC4178] Zhu, L., Leach, P., Jaganathan, K., and W. Ingersoll, "The
+ Simple and Protected Generic Security Service Application
+ Program Interface (GSS-API) Negotiation Mechanism",
+ RFC 4178, DOI 10.17487/RFC4178, October 2005,
+ <https://www.rfc-editor.org/info/rfc4178>.
+
+ [RFC4401] Williams, N., "A Pseudo-Random Function (PRF) API
+ Extension for the Generic Security Service Application
+ Program Interface (GSS-API)", RFC 4401,
+ DOI 10.17487/RFC4401, February 2006,
+ <https://www.rfc-editor.org/info/rfc4401>.
+
+ [RFC4556] Zhu, L. and B. Tung, "Public Key Cryptography for Initial
+ Authentication in Kerberos (PKINIT)", RFC 4556,
+ DOI 10.17487/RFC4556, June 2006,
+ <https://www.rfc-editor.org/info/rfc4556>.
+
+
+
+
+
+Perez-Mendez, et al. Expires 27 March 2022 [Page 9]
+
+Internet-Draft GSS-API pre-auth September 2021
+
+
+ [RFC6111] Zhu, L., "Additional Kerberos Naming Constraints",
+ RFC 6111, DOI 10.17487/RFC6111, April 2011,
+ <https://www.rfc-editor.org/info/rfc6111>.
+
+ [RFC6113] Hartman, S. and L. Zhu, "A Generalized Framework for
+ Kerberos Pre-Authentication", RFC 6113,
+ DOI 10.17487/RFC6113, April 2011,
+ <https://www.rfc-editor.org/info/rfc6113>.
+
+ [RFC6680] Williams, N., Johansson, L., Hartman, S., and S.
+ Josefsson, "Generic Security Service Application
+ Programming Interface (GSS-API) Naming Extensions",
+ RFC 6680, DOI 10.17487/RFC6680, August 2012,
+ <https://www.rfc-editor.org/info/rfc6680>.
+
+ [RFC6806] Hartman, S., Ed., Raeburn, K., and L. Zhu, "Kerberos
+ Principal Name Canonicalization and Cross-Realm
+ Referrals", RFC 6806, DOI 10.17487/RFC6806, November 2012,
+ <https://www.rfc-editor.org/info/rfc6806>.
+
+ [RFC7055] Hartman, S., Ed. and J. Howlett, "A GSS-API Mechanism for
+ the Extensible Authentication Protocol", RFC 7055,
+ DOI 10.17487/RFC7055, December 2013,
+ <https://www.rfc-editor.org/info/rfc7055>.
+
+ [RFC8062] Zhu, L., Leach, P., Hartman, S., and S. Emery, Ed.,
+ "Anonymity Support for Kerberos", RFC 8062,
+ DOI 10.17487/RFC8062, February 2017,
+ <https://www.rfc-editor.org/info/rfc8062>.
+
+Authors' Addresses
+
+ Alejandro Perez-Mendez
+ Jisc
+ 4 Portwall Lane
+ Bristol
+ BS1 6NB
+ United Kingdom
+
+ Email: alex.perez-mendez@jisc.ac.uk
+
+
+ Rafa Marin-Lopez
+ University of Murcia
+ Campus de Espinardo S/N, Faculty of Computer Science
+ 30100 Murcia Murcia
+ Spain
+
+
+
+
+Perez-Mendez, et al. Expires 27 March 2022 [Page 10]
+
+Internet-Draft GSS-API pre-auth September 2021
+
+
+ Phone: +34 868 88 85 01
+ Email: rafa@um.es
+
+
+ Fernando Pereniguez-Garcia
+ University Defense Center
+ Spanish Air Force Academy
+ 30720 San Javier Murcia
+ Spain
+
+ Phone: +34 968 18 99 46
+ Email: fernando.pereniguez@cud.upct.es
+
+
+ Gabriel Lopez-Millan
+ University of Murcia
+ Campus de Espinardo S/N, Faculty of Computer Science
+ 30100 Murcia Murcia
+ Spain
+
+ Phone: +34 868 88 85 04
+ Email: gabilm@um.es
+
+
+ Luke Howard-Bentata
+ PADL Software Pty Ltd
+ PO Box 59
+ Central Park Victoria 3145
+ Australia
+
+ Email: lukeh@padl.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Perez-Mendez, et al. Expires 27 March 2022 [Page 11]
View Lorry Controller Status