1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
|
Network Working Group Ken'ichi Kamada
INTERNET-DRAFT Shoichi Sakane
Expires: January 10, 2008 Yokogawa Electric Corporation
July 9, 2007
Client-Friendly Cross-Realm Model for Kerberos 5
draft-kamada-krb-client-friendly-cross-02.txt
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft expires on January 10, 2008.
Copyright Notice
Copyright (C) The IETF Trust (2007).
Kamada and Sakane [Page 1]
�
Internet-Draft Client-Friendly Cross-Realm July 2007
Abstract
This document proposes a cross-realm traversal model, which is
suitable for resource-limited clients, for Kerberos Version 5. This
model provides a way to move the cost of consecutive Ticket-Granting
Service (TGS) exchanges from clients to Key Distribution Centers
(KDCs) and a way to reduce the traversal cost by generating a direct
inter-realm relationship between two realms. The document describes
behavior of clients and KDCs, but does not specify any wire format,
which need to be specified separately.
Table of Contents
1. Introduction ................................................. 3
2. Problems on Client Performance ............................... 3
2.1. Long Authentication Path ................................ 4
2.2. Client-Centric Ticketing ................................ 4
3. Proposal of Client-Friendly Cross-Realm Model ................ 4
3.1. Temporary Inter-Realm Relationship Generation Mode ...... 5
3.2. Attorney Ticketing Mode ................................. 6
3.3. Combination of the Two Modes ............................ 7
4. Advantage of The Proposed Model for Deployment ............... 8
4.1. Compatibility with Traditional Kerberos Deployment ...... 8
4.2. Orthogonality of the Two Modes .......................... 8
5. Front-End Protocol for Attorney Ticketing Mode ............... 9
6. Related Protocols Currently Proposed ......................... 10
6.1. PKCROSS ................................................. 10
6.2. XTGS .................................................... 10
7. Interoperability Considerations .............................. 10
8. Security Considerations ...................................... 11
8.1. Denial of Service (DoS) ................................. 11
8.2. Ticketing Policy ........................................ 11
9. IANA Considerations .......................................... 12
10. Acknowledgments .............................................. 12
11. References ................................................... 12
11.1. Normative References ................................... 12
11.2. Informative References ................................. 12
Authors' Addresses ............................................... 13
Full Copyright Statement ......................................... 13
Intellectual Property Statement .................................. 13
Kamada and Sakane [Page 2]
�
Internet-Draft Client-Friendly Cross-Realm July 2007
1. Introduction
Kerberos Version 5 [RFC4120] has a concept of cross-realm
authentication so that principals in different realms can
authenticate each other. However in the current cross-realm model,
each client has to traverse the authentication path, and the burden
of the traversal is not negligible for clients with limited
resources, e.g., computational speed or power supply [CRPS].
In the current cross-realm operation, a client obtains a service
ticket for a remote principal in the following steps:
1) N TGSes to get cross-realm TGTs in order to traverse the
intermediate realms, where N is the number of transit, and
2) One TGS to get the final service ticket.
That is, the client needs to perform N + 1 transactions to obtain a
ticket for the remote service.
This document proposes a new cross-realm model, which consists of
"temporary inter-realm relationship generation mode" and "attorney
ticketing mode". The former is intended to reduce transit cost
itself, and the latter is to move the cost from clients to KDCs. The
document describes behavior of clients and KDCs, but does not specify
any wire format, which need to be specified separately.
Terms defined in section 1.7 of RFC 4120 are used throughout this
document.
2. Problems on Client Performance
In the current model of cross-realm operation, a client has to
transit all realms on the path to the destination realm. When the
source realm and the destination realm have a direct inter-realm
relationship, a client is able to obtain a service ticket with two
TGS transactions (one for a cross-realm TGT and another for the
service ticket). When the realms have a multi-hop relationship, a
client must transit the intermediate realms before it obtains the
service ticket. That is, the client's task increases in proportion
to the distance of the relationship.
Two issues can be observed here behind the client load, which are
described in the following subsections.
Kamada and Sakane [Page 3]
�
Internet-Draft Client-Friendly Cross-Realm July 2007
2.1. Long Authentication Path
When a client wants to get a service ticket for a remote realm, it
must transit to the remote realm by traversing the intermediate
realms on the authentication path to the remote realm. The result of
traversal is cached as a cross-realm TGT, but it is nothing more than
a per-client optimization. Thus all clients accessing a remote realm
must pay the cost separately, even if their resources are limited.
For a long authentication path, the cost of the whole system becomes
large.
2.2. Client-Centric Ticketing
In Kerberos, any service tickets or cross-realm TGTs are issued via
TGS, where a client present a ticket for the TGS and obtains a next
ticket. Currently, all TGS transactions are initiated by the client
and it needs to get all necessary cross-realm TGTs iteratively before
the final service ticket. This process is a burden to a resource-
limited client.
3. Proposal of Client-Friendly Cross-Realm Model
In this section, two modes of operation are introduced, "Temporary
Inter-Realm Relationship Generation Mode" and "Attorney Ticketing
Mode", to solve the issues described in the previous section. These
two modes are designed to be independent, that is, can be used
separately or in combination.
Temporary Inter-Realm Relationship Generation Mode solves the issue
of the long authentication path. In this mode, if the source realm
and the destination realm do not have a direct inter-realm
relationship, the source KDC traverses the authentication path by
itself, contacts with the remote KDC, and generates a direct inter-
realm relationship between them. After that, the source KDC can
issue direct inter-realm TGTs for the destination realm. The purpose
of this mode is to reduce the traversal cost itself by caching the
result of traversal.
Attorney Ticketing Mode solves the issue of the client-centric
ticketing. Consecutive TGS transactions to get cross-realm TGTs
and/or a final service ticket are initiated by a client in the
traditional Kerberos, whereas a KDC undertake that process in this
mode. The purpose of this mode is to shift the cost of TGSes from a
client to a KDC. This does not reduce the cost itself.
Kamada and Sakane [Page 4]
�
Internet-Draft Client-Friendly Cross-Realm July 2007
3.1. Temporary Inter-Realm Relationship Generation Mode
Temporary inter-realm relationship generation mode enables a KDC to
issue an inter-realm TGT directly to a remote KDC with which the KDC
doesn't preshare an inter-realm key. To issue an inter-realm TGT
directly, a temporary inter-realm key needs to be provided somehow.
To achieve that, the local KDC obtains a special ticket for the
remote KDC and uses its session key as an inter-realm key. This
methodology was introduced by PKCROSS [PKCROSS]. In this document,
that special ticket is called as an "inter-KDC ticket", and an inter-
realm TGT generated from an inter-KDC ticket is called as a "direct
inter-realm TGT".
How does the local KDC reach the remote KDC is out of scope of this
model, but we can easily come up with 1) traversing a long
authentication path if available or 2) using PKINIT. In the context
of this model, PKCROSS is interpreted as a combination of this mode
and PKINIT.
This document does not standardize a specific protocol, but an inter-
KDC ticket will have the following form:
- its sname has a special form (PKCROSS proposes
"pkcross/realm@REALM", but it would be better to use a more
general name than "pkcross"),
and a direct inter-realm TGT will have the following form:
- its TicketExtensions field [KRBEXT] contains the inter-KDC ticket,
and
- it is protected by the session key (or the sub-session key) of the
inter-KDC ticket.
Kamada and Sakane [Page 5]
�
Internet-Draft Client-Friendly Cross-Realm July 2007
client C KDC-L KDC-I KDC-R
-------- ----- ----- -----
1. --------TGS-REQ-------->
2. [Reach to KDC-R in any way.]
[Below is an example of PKCROSS.]
------------PKINIT------------>
<----------XTKT(L,R)-----------
3. <--TKT(C,R)w/XTKT(L,R)--
4. ----------------------TGS-REQ------------------------>
5. <---------------------TKT(C,S)------------------------
[Note: TKT(x,y) means a ticket whose cname is x and sname is y. ]
[ XTKT is an inter-KDC ticket. See PKCROSS. ]
[ The client C and KDC-L belong to the local realm L. ]
[ The KDC-I is a KDC of an intermediate realm I. ]
[ The KDC-R is a KDC of the remote realm R. ]
1. The client C sends a normal TGS-REQ to KDC-L, requesting
a cross-realm TGT to KDC-R.
2. KDC-L reaches KDC-R in any way and obtains a XTKT.
There is no standardized way to achieve this step yet.
PKCROSS is one candidate. We could also standardize a way
in which KDC-L normally transits to KDC-R and obtains an XTKT.
3. KDC-L generates a cross-realm TGT that is from C to KDC-R
and returns to it to C.
4. The same with the traditional cross-realm TGS.
5. The same with the traditional cross-realm TGS.
Figure 1: Message Flow of Temporary Inter-Realm Relationship
Generation
3.2. Attorney Ticketing Mode
Traditionally, a Kerberos client repeats TGS transactions until it
gets the final ticket. For example, it has a TGT for its own realm
and wants to get a ticket for a service in 3-hop neighbor realm, then
it will:
1) Present the TGT and get a cross-realm TGT for the next realm,
2) Present the 1st cross-realm TGT and get a cross-realm TGT for the
2nd next realm,
3) Present the 2nd cross-realm TGT and get a cross-realm TGT for the
final realm, and
Kamada and Sakane [Page 6]
�
Internet-Draft Client-Friendly Cross-Realm July 2007
4) Present the final cross-realm TGT and get a service ticket.
Attorney ticketing mode enables the client to delegate the KDC to
perform all transactions listed above on behalf of the client. An
example message flow is shown in Figure 2. The client entrust the
KDC with its TGT (step 1). The KDC "impersonates" the client and
performs all necessary TGS transactions (steps 2 to 4), and returns
the final ticket to the client (step 5).
client C KDC-L KDC-I KDC-R
-------- ----- ----- -----
1. --------TGS-REQ-------->
2. TKT(C,I)
3. ----TGS-REQ---->
<---TKT(C,R)----
4. ------------TGS-REQ----------->
<-----------TKT(C,S)-----------
5. <-------TKT(C,S)--------
1. The client C sends a special TGS-REQ, which indicates attorney
ticketing mode requesting a service ticket for a server S
instead of a cross-realm TGT, to KDC-L.
2. KDC-L internally generates a cross-realm TGT that is from C
to KDC-I, but does not return it to C.
3. KDC-L uses the generated cross-realm TGT by itself, and sends
a TGS-REQ to KDC-I, which requests a cross-realm TGT from C
to KDC-R.
4. KDC-L use the obtained cross-realm TGT by itself, and sends
a TGS-REQ to KDC-R, which requests a service ticket from C
to S.
5. KDC-L returns the final service ticket to C.
Figure 2: Message Flow of Attorney Ticketing Mode
3.3. Combination of the Two Modes
Figure 3 shows a typical message flow when the temporary inter-realm
relationship generation mode and the attorney ticketing mode are used
in combination. The figure shows the case of the initial contact, so
a transaction to obtain an inter-KDC ticket is shown (step 2), but it
is infrequently used because the XTKT is cached. Usually, only two
round-trips do all the work.
Kamada and Sakane [Page 7]
�
Internet-Draft Client-Friendly Cross-Realm July 2007
client C KDC-L KDC-I KDC-R
-------- ----- ----- -----
1. --------TGS-REQ-------->
2. [Temporary inter-realm relationship
generation mode runs here.]
------------PKINIT------------>
<----------XTKT(L,R)-----------
3. [Attorney ticketing mode runs here.]
TKT(C,R)w/XTKT(L,R)
4. ------------TGS-REQ----------->
<-----------TKT(C,S)-----------
5. <-------TKT(C,S)--------
Figure 3: Message Flow When Temporary Inter-Realm Relationship
Generation Mode and Attorney Ticketing Mode
Are Combined
4. Advantage of The Proposed Model for Deployment
4.1. Compatibility with Traditional Kerberos Deployment
Temporary inter-realm relationship generation involves only KDCs.
From the viewpoint of a client (and a server), it seems that there is
a direct inter-realm relationship between two realms. This means
that temporary inter-realm relationship generation mode needs to be
deployed only in KDCs. This property is advantageous, because it
does not affect large installed base of clients. One impeding factor
in practice is that some existing implementations cannot handle
ticket extensions transparently. This is further discussed in
Interoperability Considerations section.
Attorney ticketing mode involves only a client and its local KDC.
From the viewpoint of the remote KDC, TGS-REQs from a KDC as an
attorney cannot be distinguished from those from a "genuine" client
(except caddr; see Interoperability Considerations section).
Resulting service ticket is identical to the traditional one, so the
remote server has nothing to do with this mode. In short, attorney
ticketing mode can be deployed in local realm, independently of the
remote deployment. The merit of this property is large, because
remote realms are often in different administration.
4.2. Orthogonality of the Two Modes
Temporary inter-realm relationship generation mode and attorney
ticketing mode are independent concepts. Both can be implemented
separately or can be used in combination. When they are combined,
Kamada and Sakane [Page 8]
�
Internet-Draft Client-Friendly Cross-Realm July 2007
the load of clients are shifted to KDCs and additional load of KDCs
are minimized, thus efficient cross-realm environment is achieved.
5. Front-End Protocol for Attorney Ticketing Mode
This document does not specify wire-level protocol, which will be
done in another document. This section provides some candidates for
the protocol, which is used to request attorney ticketing mode from a
KDC (Figure 4). This protocol can be used for other than attorney
ticketing mode, as long as the KDC's behavior for clients is
identical to the mode.
+------+ +-------+
|client|------------>| KDC |-------------> cross-realm cloud
+------+ +-------+ Cross-realm
Front-end protocol traversal by KDC
to request a final (Attorney Ticketing Mode)
ticket in one shot
or
-------------> remote KDC (directly)
XTGSP
or
------------->
Whatever the KDC chooses
Figure 4: Front-End Protocol for Attorney Ticketing Mode
Candidate 1: Implicit Signaling
A client simply requests a final ticket to the local KDC. If the
KDC supports this implicit protocol, it will process the request.
If not, KDC_ERR_S_PRINCIPAL_UNKNOWN will be returned. A possible
drawback is that if a requested final ticket is for a TGS, the KDC
does not know whether the client expects normal mode or attorney
mode. In addition, implicit signaling can conflict with future
extensions.
Candidate 2: Explicit Signaling
A flag in KDCOptions or pre-authentication can be used to request
attorney mode.
[[what happens if not supported?]]
Kamada and Sakane [Page 9]
�
Internet-Draft Client-Friendly Cross-Realm July 2007
6. Related Protocols Currently Proposed
6.1. PKCROSS
PKCROSS will be usable as a protocol for temporary inter-realm
relationship generation mode.
6.2. XTGS
The purpose of XTGS protocol is similar to that of this model, but
the behavior is somewhat different [XTGS]. If XTGS is viewed from
the perspective of this model, it blends the two modes indivisibly to
reduce the number of messages between KDCs as far as possible at the
price of the abstraction of cross-realm TGTs and inter-KDC tickets.
Once a front-end (i.e., between a client and a KDC) protocol to
request attorney ticketing mode is standardized, XTGS can be used as
an opaque back-end.
7. Interoperability Considerations
User-to-user mode
The protocol for the attorney mode should be able to indicate
user-to-user authentication.
The addresses field in TGS-REQ
This field is copied into the caddr field in EncTicketPart, so if
this field is used in a TGS-REQ, the resulting ticket can be used
only from the specified addresses. When the local KDC receives a
TGS-REQ requesting attorney mode, it should copy the addresses
field only into the final TGS-REQ in the attorney process. It
must not copy the field into TGS-REQs to intermediate KDCs,
because resulting tickets are to be used by the local KDC instead
of the client.
Opacity of ticket extensions
The ticket extensions defined in rfc1510ter [KRBEXT] extends the
Ticket ASN.1 type, which is visible to clients. This is not a
problem if a client implementation treats a Ticket as an opaque
data, and there are such implementations, but unfortunately the
major free implementations do not. On the other hand, there is a
proposal of etype-based ticket extensions [TKTEXTALT]. It
encapsulates cleartext bits in the enc-part component of a Ticket.
It should not have any problems of opacity.
[[negotiation of various parameters]]
Kamada and Sakane [Page 10]
�
Internet-Draft Client-Friendly Cross-Realm July 2007
[[If there are multiple authentication paths and a client has enough
knowledge, it could choose which path to take. With attorney
ticketing mode, it cannot because it is up to the KDC to select the
path. Is this a problem? With temporary inter-realm relationship
generation mode, it can as before.]]
[[co-existence with the plain Kerberos; attorney ticketing mode
client vs. non-attorney KDC; inter-realm generating local KDC vs.
non-generating remote KDC]]
[[anything to do with referral?]]
[[when a KDC in attorney mode receives a KRB-ERROR?]]
8. Security Considerations
8.1. Denial of Service (DoS)
A KDC that implements attorney ticketing mode needs to initiate
multiple TGS-REQ upon a request from a client. This means that the
KDC will have some states in it and may suffer from DoS attacks.
Fortunately, attorney ticketing mode can be requested in TGS-REQ,
which is only available to authenticated clients, thus, any untrusted
party cannot exploit this statefulness.
8.2. Ticketing Policy
Attorney ticketing mode changes nothing about the messages sent to
the intermediate and remote KDCs. Those KDCs will not notice the
difference and their ticketing process have nothing to be changed.
Temporary inter-realm relationship generation mode dynamically
generates new authentication paths. This means that KDCs that are
involved in the transit of a client are different from those that
would be involved if this mode were not used.
- Parameters of cross-realm TGTs (lifetime and flags) for a new
relationship need to be dynamically transferred (a la PKCROSS).
- How to handle the transited fields in inter-KDC tickets, direct
inter-realm tickets, and service tickets?
- Where the remote KDC adds AuthorizationData and the end-server
checks it: there is no problem because it is a local matter of the
remote realm.
Kamada and Sakane [Page 11]
�
Internet-Draft Client-Friendly Cross-Realm July 2007
- Where an intermediate KDC adds AuthorizationData: traditionally it
is added in a cross-realm TGT and propagated to the service
ticket; now it will be propagated to the inter-KDC ticket. Should
AuthorizationData in an inter-KDC ticket be copied into a cross-
realm TGT or not? Even if it is copied, AuthorizationData on
inter-KDC ticket cannot represent per-client information, so if it
is necessary, temporary inter-realm relationship generation mode
must not be used.
9. IANA Considerations
This document has no actions for IANA.
10. Acknowledgments
The authors would like to acknowledge Saber Zrelli, Masahiro
Ishiyama, Atsushi Inoue, Kazunori Miyazawa, and Nobuo Okabe for
contributions to this document.
11. References
11.1. Normative References
[KRBEXT] Yu, T., "The Kerberos Network Authentication Service
(Version 5)", draft-ietf-krb-wg-rfc1510ter-04, Work in
Progress, March 2007.
[RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
Kerberos Network Authentication Service (V5)", RFC
4120, July 2005.
11.2. Informative References
[CRPS] Sakane, S., Zrelli, S., M. Ishiyama, "Problem statement
on the cross-realm operation of Kerberos in a specific
system", draft-sakane-krb-cross-problem-statement-02,
Work in Progress, April 2007.
[PKCROSS] Hur, M. et al., "Public Key Cryptography for Cross-
Realm Authentication in Kerberos", draft-ietf-cat-
kerberos-pk-cross-08 (expired), Work in Progress,
November 2001.
[TKTEXTALT] Message-ID: <tslfy54akcb.fsf@mit.edu>.
Kamada and Sakane [Page 12]
�
Internet-Draft Client-Friendly Cross-Realm July 2007
[XTGS] Zrelli, S. et al., "XTGSP, the Inter-TGS protocol for
cross-realm operations in Kerberos", draft-zrelli-krb-
xtgsp-01, Work in Progress, March 2007.
Authors' Addresses
Ken'ichi Kamada
Shoichi Sakane
Yokogawa Electric Corporation
2-9-32 Nakacho, Musashino-shi,
Tokyo 180-8750 Japan
E-mail: Ken-ichi.Kamada@jp.yokogawa.com,
Shouichi.Sakane@jp.yokogawa.com
Full Copyright Statement
Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
Kamada and Sakane [Page 13]
�
Internet-Draft Client-Friendly Cross-Realm July 2007
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at ietf-
ipr@ietf.org.
Kamada and Sakane [Page 14]
�
|
