CVS gss/doc/specification
From: gss-commit
Subject: CVS gss/doc/specification
Date: Mon, 16 May 2005 22:51:53 +0200
Update of /home/cvs/gss/doc/specification
In directory dopio:/tmp/cvs-serv6731
Added Files:
draft-ietf-kitten-gssapi-naming-exts-00.txt
draft-ietf-kitten-gssapi-prf-03.txt
Log Message:
Add.
--- /home/cvs/gss/doc/specification/draft-ietf-kitten-gssapi-naming-exts-00.txt
2005/05/16 20:51:53 NONE
+++ /home/cvs/gss/doc/specification/draft-ietf-kitten-gssapi-naming-exts-00.txt
2005/05/16 20:51:53 1.1
Internet-Draft Sun
Expires: November 14, 2005 May 13, 2005
GSS-API Naming Extensions
draft-ietf-kitten-gssapi-naming-exts-00.txt
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on November 14, 2005.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
The Generic Security Services API (GSS-API) provides a simple naming
architecture that supports name-based authorization. This document
introduces new APIs that extend the GSS-API naming and authorization
model.
Williams Expires November 14, 2005 [Page 1]
Internet-Draft GSS-API Naming Extensions May 2005
Table of Contents
1. Conventions used in this document . . . . . . . . . . . . . 3
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Name Attribute Sources and Criticality . . . . . . . . . . . 3
4. Name Attributes/Values as ACL Subjects . . . . . . . . . . . 4
5. Mapping Mechanism Facilities to Name Attributes . . . . . . 4
5.1 Kerberos V and SPKM Authorization-Data . . . . . . . . . . . 4
5.2 Kerberos V Cross-Realm Transit Paths . . . . . . . . . . . . 5
5.3 PKIX Certificate Extensions . . . . . . . . . . . . . . . . 5
5.3.1 PKIX EKUs . . . . . . . . . . . . . . . . . . . . . . . . . 5
5.3.2 PKIX Certificate Alternative Names . . . . . . . . . . . . . 6
5.3.3 Other PKIX Certificate Extensions and Attributes . . . . . . 6
5.4 PKIX Certificate CA Paths and Trust Anchors . . . . . . . . 6
6. GSS_Inquire_name_attribute() . . . . . . . . . . . . . . . . 6
6.1 C-Bindings . . . . . . . . . . . . . . . . . . . . . . . . . 7
6.2 Java Bindings . . . . . . . . . . . . . . . . . . . . . . . 7
7. GSS_Display_name_ext() . . . . . . . . . . . . . . . . . . . 7
7.1 C-Bindings . . . . . . . . . . . . . . . . . . . . . . . . . 8
7.2 Java Bindings . . . . . . . . . . . . . . . . . . . . . . . 8
8. GSS_Inquire_name() . . . . . . . . . . . . . . . . . . . . . 8
8.1 C-Bindings . . . . . . . . . . . . . . . . . . . . . . . . . 9
8.2 Java Bindings . . . . . . . . . . . . . . . . . . . . . . . 10
9. GSS_Get_name_attribute() . . . . . . . . . . . . . . . . . . 10
9.1 C-Bindings . . . . . . . . . . . . . . . . . . . . . . . . . 11
9.2 Java Bindings . . . . . . . . . . . . . . . . . . . . . . . 11
10. GSS_Set_name_attribute() . . . . . . . . . . . . . . . . . . 12
10.1 C-Bindings . . . . . . . . . . . . . . . . . . . . . . . . . 12
10.2 Java Bindings . . . . . . . . . . . . . . . . . . . . . . . 12
11. GSS_Delete_name_attribute() . . . . . . . . . . . . . . . . 13
11.1 C-Bindings . . . . . . . . . . . . . . . . . . . . . . . . . 13
11.2 Java Bindings . . . . . . . . . . . . . . . . . . . . . . . 13
12. GSS_Export_name_composite() . . . . . . . . . . . . . . . . 14
12.1 C-Bindings . . . . . . . . . . . . . . . . . . . . . . . . . 14
12.2 Java Bindings . . . . . . . . . . . . . . . . . . . . . . . 14
13. GSS_Map_name_to_any() . . . . . . . . . . . . . . . . . . . 15
13.1 C-Bindings . . . . . . . . . . . . . . . . . . . . . . . . . 15
13.2 Java Bindings . . . . . . . . . . . . . . . . . . . . . . . 16
14. GSS_Release_any_name_mapping() . . . . . . . . . . . . . . . 16
14.1 C-Bindings . . . . . . . . . . . . . . . . . . . . . . . . . 16
14.2 Java Bindings . . . . . . . . . . . . . . . . . . . . . . . 17
15. IANA Considerations . . . . . . . . . . . . . . . . . . . . 17
16. Security Considerations . . . . . . . . . . . . . . . . . . 17
17. References . . . . . . . . . . . . . . . . . . . . . . . . . 18
17.1 Normative References . . . . . . . . . . . . . . . . . . . . 18
17.2 Informative References . . . . . . . . . . . . . . . . . . . 18
Author's Address . . . . . . . . . . . . . . . . . . . . . . 18
Intellectual Property and Copyright Statements . . . . . . . 20
1. Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2. Introduction
As described in [I-D.GSS-NAMING] the GSS-API's naming architecture
suffers from certain limitations. This document proposes concrete
GSS-API extensions as outlined in [I-D.GSS-NAMING].
A number of extensions to the GSS-API are described herein with the
goal of making authorization information, and other information that
can be modelled as "name attributes" available as such to
applications. For example, Kerberos V authorization data elements,
both in their raw forms and mapped to more useful value types, can be
made available to GSS-API applications through these interfaces.
The model is that GSS names have attributes. The attributes of a
name may be authenticated by the credential whence the name comes, or
may have been set locally on a GSS name for the purpose of
"asserting" the attribute during credential acquisition or security
context exchange. Name attributes' values are network
representations thereof (e.g., the actual value octets of the
contents of an X.509 certificate extension) and are
intended to be useful for constructing portable access control
facilities. Applications may often require language- or platform-
specific data types, rather than network representations of name
attributes, so a function is provided to obtain objects of such types
associated with names and name attributes.
3. Name Attribute Sources and Criticality
A given GSS name object's name attributes may be authenticated or
asserted by an associated credential, or they may be mapped or derived
from another attribute of the same name.
That a given name's given attribute is 'mapped' means that it was
obtained through some mapping mechanism applied to another attribute
of the name that was not, itself, mapped. For example, such
attributes as platform-specific internal identifiers may sometimes be
mapped from other name attributes.
Name attributes may be "critical," meaning that applications that do
not understand them MUST reject security contexts where the peer has
such unknown, critical attributes.
4. Name Attributes/Values as ACL Subjects
Some name attributes (e.g., numeric user or group identifiers) may be
useful as subjects of access control list (ACL) entries, some may not
(e.g., time of day login restrictions). The
GSS_Inquire_name_attribute() function indicates this.
To facilitate the development of portable applications that make use
of name attributes to construct and evaluate portable ACLs, the GSS-
API makes name attribute values available in canonical network
encodings thereof.
To facilitate the development of platform- or language-specific
applications that need access to native types of representations of
name attributes, an optional facility is provided,
GSS_Map_name_to_any().
5. Mapping Mechanism Facilities to Name Attributes
[NOTE: This entire section should probably be split into one or more
separate Internet-Drafts. It is here in the -00 of this I-D to help
readers understand how mechanism-specific name attributes would be
accessed through these GSS-API extensions.]
Kerberos V [I-D.ietf-krb-wg-kerberos-clarifications] and the Simple
Public-Key GSS-API Mechanism, SPKM [RFC2025], both support the
concept and encoding of containers of "authorization-data" as
described in [I-D.ietf-krb-wg-kerberos-clarifications].
PKIX [RFC3280] supports a number of authorization-data-like features,
like Extended Key Usage values (EKUs) and certificate extensions.
The authorization data can be accessed through the GSS-API name
attributes facility defined herein.
5.1 Kerberos V and SPKM Authorization-Data
Authorization-data non-container elements asserted in Kerberos V AP-
REQ Authenticators MUST be mapped into *asserted* GSS-API name
attributes; if not contained in AD-IF-RELEVANT then they MUST be
mapped into *critical* GSS-API name attributes. AD-AND-OR
authorization-data elements MUST be mapped into a single *critical*
attribute, (TBD).
Authorization-data included in Kerberos V Tickets that is not
contained in AD-KDCIssued (with valid signature) MUST be mapped into
*asserted* GSS-API name attributes. Conversely, authorization-data
elements in Kerberos V Tickets contained by AD-KDCIssued MUST be
mapped into *authenticated* GSS-API name attributes.
As with authorization-data elements in Authenticators, authorization-
data elements in Tickets not contained in AD-IF-RELEVANT are to be
mapped to *critical* name attributes, and similarly with AD-AND-OR
(see above).
The OIDs for authorization-data elements are to be the authorization-
data element's 'ad-type' integer ID, relative to the base OID <TBD>
[NOTE: what about negative ad-type's? OID arcs are positive
integers... ad-type is an Int32, so clearly something can be done.]
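As an added example, not part of the draft and not code from the GSS project: a small C model of the section 5.1 mapping rules (which authorization-data elements become *authenticated* versus *asserted* attributes, and which become *critical*) combined with the section 3 rule that a context carrying an unknown critical attribute must be rejected. The types `ad_element` and `name_attr` and the functions `map_ad_element()`, `ad_type_to_oid()` and `context_acceptable()` are this example's own names, the ad-type numbers in the sample are constructed, and the base OID is a placeholder because the draft leaves it TBD. `ad_type_to_oid()` also refuses negative ad-types, the open question the draft's note raises, instead of producing an invalid arc.

```c
#include <stdio.h>
#include <string.h>

/* Attribute source, per section 3 of the draft: authenticated by the
   credential the name comes from, or merely asserted by the peer.
   (Mapped attributes are derived later from these and are not modelled.) */
typedef enum { ATTR_ASSERTED = 0, ATTR_AUTHENTICATED = 1 } attr_source;

/* A GSS name attribute as this example models it (hypothetical type). */
typedef struct {
    int ad_type;          /* Kerberos ad-type the attribute was mapped from */
    attr_source source;
    int critical;         /* 1: an application that does not understand it MUST reject */
} name_attr;

/* Where a non-container Kerberos authorization-data element was found. */
typedef struct {
    int ad_type;
    int from_ticket;           /* 1 = Ticket, 0 = AP-REQ Authenticator */
    int in_if_relevant;        /* wrapped in AD-IF-RELEVANT */
    int in_kdc_issued;         /* wrapped in AD-KDCIssued ... */
    int kdc_issued_sig_valid;  /* ... whose signature verified */
} ad_element;

/* Section 5.1 mapping rules. */
name_attr map_ad_element(const ad_element *e)
{
    name_attr a;
    a.ad_type = e->ad_type;

    /* Only Ticket elements carried inside a correctly signed AD-KDCIssued
       container are authenticated; every other element, including all
       elements from the Authenticator (which the client builds), is asserted. */
    if (e->from_ticket && e->in_kdc_issued && e->kdc_issued_sig_valid)
        a.source = ATTR_AUTHENTICATED;
    else
        a.source = ATTR_ASSERTED;

    /* Elements not wrapped in AD-IF-RELEVANT are critical, in Tickets and
       Authenticators alike. */
    a.critical = e->in_if_relevant ? 0 : 1;
    return a;
}

/* Section 5.1 OID rule: the attribute OID is the ad-type appended to a base
   OID the draft leaves TBD.  OID arcs are non-negative, so a negative ad-type
   (the draft's open question) is refused rather than encoded.
   Returns 1 on success, 0 on failure. */
int ad_type_to_oid(int ad_type, char *out, size_t outlen)
{
    const char *base_oid = "BASE-OID-TBD";   /* placeholder: not assigned in the draft */
    if (ad_type < 0)
        return 0;
    if (snprintf(out, outlen, "%s.%d", base_oid, ad_type) >= (int)outlen)
        return 0;
    return 1;
}

/* Section 3: an acceptor that does not understand a critical attribute of
   the peer MUST reject the security context.  'known' lists the ad-types
   this application understands.  Returns 1 = accept, 0 = reject. */
int context_acceptable(const name_attr *attrs, size_t n, const int *known, size_t nknown)
{
    for (size_t i = 0; i < n; i++) {
        if (!attrs[i].critical)
            continue;                 /* unknown non-critical attributes are simply ignored */
        int understood = 0;
        for (size_t k = 0; k < nknown; k++) {
            if (known[k] == attrs[i].ad_type) {
                understood = 1;
                break;
            }
        }
        if (!understood)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample: three AD elements from one AP-REQ.  The ad-type
       numbers are made up for the demo, not registered values. */
    const ad_element sample[] = {
        { .ad_type = 1, .from_ticket = 1, .in_kdc_issued = 1, .kdc_issued_sig_valid = 1 },
        { .ad_type = 2, .from_ticket = 1, .in_if_relevant = 1 },
        { .ad_type = 3, .from_ticket = 0 },
    };
    name_attr attrs[3];
    char oid[64];
    const int known[] = { 1, 2 };     /* this application does not know ad-type 3 */

    for (size_t i = 0; i < 3; i++) {
        attrs[i] = map_ad_element(&sample[i]);
        ad_type_to_oid(attrs[i].ad_type, oid, sizeof oid);
        printf("%s: %s, %s\n", oid,
               attrs[i].source == ATTR_AUTHENTICATED ? "authenticated" : "asserted",
               attrs[i].critical ? "critical" : "non-critical");
    }
    printf("context %s\n", context_acceptable(attrs, 3, known, 2) ? "accepted" : "rejected");
    return 0;
}
```

Running it shows the third element (from the Authenticator, outside AD-IF-RELEVANT) mapped as asserted and critical, and because its ad-type is not in the application's known list the whole context is rejected, which is the behaviour section 3 requires.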
5.2 Kerberos V Cross-Realm Transit Paths
[Add text on how to represent/encode/interpret krb5 realm transit
paths as name attribute values. And text on PKINIT too... Basically
Ticket's 'transited' field should be exposed as an authenticated name
attribute, with some uncompressed encoding, possibly encompassing
certificate validation paths of client certs used for PKINIT, with
criticality determined by the presence of the transit-policy-checked
flag.]
5.3 PKIX Certificate Extensions
[NOTE: In the Kerberos V authorization-data case we can tell when AD
elements are "authenticated" and when they are asserted, but what
about x.509 certificate extensions? Clearly KU, EKUs and
subjectAltNames are authenticated in that no CA should sign a cert
with, say, arbitrary subjectAltNames not understood by the CA, but,
does that also apply to all other x.509 certificate extensions? The
answer may depend on actual CA operator practices... At worst a new
extension may be needed, like Kerberos V's AD-KDCIssued AD container
element; at best this text can just say "all cert extensions MUST be
mapped to authenticated..." below.]
PKI certificate extensions MAY/SHOULD/MUST (see comment above) be
mapped to *authenticated* GSS-API name attributes with the _same_
OIDs, and if they be marked critical in the certificate then they
MUST be mapped as *critical* GSS-API name attributes.
SubjectAltNames and EKUs, specifically, MUST be mapped to
*authenticated* GSS-API name attributes; see below. Certificate
extensions MUST be mapped to GSS-API name attributes whose OIDs are
the same as the extensions'.
5.3.1 PKIX EKUs
Extended Key Usage extensions, specifically, MUST be mapped as
described above, except that GSS-API name attributes for EKUs MUST
have NULL values (i.e., zero-length OCTET STRINGs).
PKI certificate key usages (KUs, but not EKUs), MUST NOT be mapped to
GSS-API name attributes.
5.3.2 PKIX Certificate Alternative Names
PKI certificate subjectAltNames MUST be mapped as *authenticated*,
*non-critical* GSS-API name attributes.
PKI certificate extensions MUST be mapped to *authenticated* GSS-API
name attributes with the _same_ OIDs, and if they be marked critical
in the certificate then they MUST be mapped as *critical* GSS-API
name attributes.
Extended Key Usage extensions, specifically, MUST be mapped as
described above, except that GSS-API name attributes for EKUs MUST
have NULL values (i.e., zero-length OCTET STRINGs).
5.3.3 Other PKIX Certificate Extensions and Attributes
[Add text...]
5.4 PKIX Certificate CA Paths and Trust Anchors
[Add text on how to represent/encode/interpret PKI certificate
validation CA paths as name attribute values, much as with Kerberos V
transited paths.]
6. GSS_Inquire_name_attribute()
Inputs:
o attr OBJECT IDENTIFIER
Outputs:
o major_status INTEGER,
o minor_status INTEGER,
o attr_name OCTET STRING,
o attr_description OCTET STRING,
o attr_is_a_name BOOLEAN,
o attr_is_trust_indicator BOOLEAN
Return major_status codes:
o GSS_S_COMPLETE indicates no error.
o GSS_S_UNAVAILABLE indicates that the given attribute OID is not
known (even if present as a name's attribute).
o GSS_S_FAILURE indicates a general error.
This function outputs a name for the given name attribute,
description for display to users, indicates whether the given name
attribute's values are useful as the subject of an access control
list entry and/or whether the given name attribute's values are
useful as indicators of trust (for example, whether they name PKIX
trust anchors).
6.1 C-Bindings
OM_uint32 gss_inquire_name_attribute(
OM_uint32 *minor_status,
gss_OID attr,
gss_buffer_t attr_name,
gss_buffer_t attr_description,
int *attr_is_a_name,
int *attr_is_trust_indicator
);
6.2 Java Bindings
public String nameAttributeName(Oid attr)
throws GSSException
public String nameAttributeDescription(Oid attr)
throws GSSException
public boolean nameAttributeIsName(Oid attr)
throws GSSException
public boolean nameAttributeIsTrustIndicator(Oid attr)
throws GSSException
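An added example, not from the draft and not the GSS project's code: a C sketch of how an application would consume the outputs of GSS_Inquire_name_attribute() (section 6) to build and evaluate the portable ACLs of section 4, matching attribute values as canonical network encodings. `inquire_name_attribute()` is a mock registry standing in for the real call, the types `peer_attr` and `acl_entry` and the functions `acl_entry_valid()` and `acl_permits()` are this example's own names, the attribute OIDs sit under 2.999 (the arc reserved for examples), and the rule that only *authenticated* attributes can satisfy an ACL entry is this example's policy rather than a requirement the draft states.

```c
#include <stdio.h>
#include <string.h>

/* Mock of the outputs of the draft's GSS_Inquire_name_attribute() for the
   attributes this example knows.  Constructed registry; OIDs are under the
   example arc 2.999, not real assignments. */
typedef struct {
    const char *oid;
    const char *name;
    const char *description;
    int is_a_name;            /* attr_is_a_name: usable as an ACL subject */
    int is_trust_indicator;   /* attr_is_trust_indicator */
} attr_info;

static const attr_info registry[] = {
    { "2.999.1", "user-id",      "numeric user identifier",       1, 0 },
    { "2.999.2", "login-hours",  "time-of-day login restriction", 0, 0 },
    { "2.999.3", "trust-anchor", "name of the PKIX trust anchor", 0, 1 },
};

/* Returns 0 and fills *info for a known OID (GSS_S_COMPLETE in spirit), or -1
   for an unknown OID, the case the draft reports as GSS_S_UNAVAILABLE. */
int inquire_name_attribute(const char *oid, attr_info *info)
{
    for (size_t i = 0; i < sizeof registry / sizeof registry[0]; i++) {
        if (strcmp(registry[i].oid, oid) == 0) {
            *info = registry[i];
            return 0;
        }
    }
    return -1;
}

/* A name attribute as delivered to the application: the OID, the value's
   canonical network encoding (opaque octets), and whether the credential
   authenticated it (section 3). */
typedef struct {
    const char *oid;
    const unsigned char *value;
    size_t value_len;
    int authenticated;
} peer_attr;

/* One ACL entry: subject = (attribute OID, expected network-encoded value). */
typedef struct {
    const char *oid;
    const unsigned char *value;
    size_t value_len;
} acl_entry;

/* Section 4: only attributes the inquiry flags as attr_is_a_name may be ACL
   subjects.  Returns 1 if the entry is well formed, 0 otherwise. */
int acl_entry_valid(const acl_entry *e)
{
    attr_info info;
    return inquire_name_attribute(e->oid, &info) == 0 && info.is_a_name;
}

/* Evaluate the ACL against the peer's attributes.  Values are compared as raw
   network encodings, so the same ACL works on any platform.  This example's
   own policy: an entry matches only an authenticated attribute, never one the
   peer merely asserted.  Returns 1 = permit, 0 = deny. */
int acl_permits(const peer_attr *attrs, size_t n, const acl_entry *acl, size_t m)
{
    for (size_t j = 0; j < m; j++) {
        if (!acl_entry_valid(&acl[j]))
            continue;                 /* a malformed entry can never grant access */
        for (size_t i = 0; i < n; i++) {
            if (!attrs[i].authenticated)
                continue;
            if (strcmp(attrs[i].oid, acl[j].oid) == 0 &&
                attrs[i].value_len == acl[j].value_len &&
                memcmp(attrs[i].value, acl[j].value, acl[j].value_len) == 0)
                return 1;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: the peer's user-id attribute encoded as the octets
       of the decimal string "1000", once authenticated and once only asserted. */
    static const unsigned char uid[] = { '1', '0', '0', '0' };
    const acl_entry acl[]  = { { "2.999.1", uid, sizeof uid } };
    const peer_attr good[] = { { "2.999.1", uid, sizeof uid, 1 } };
    const peer_attr bad[]  = { { "2.999.1", uid, sizeof uid, 0 } };

    printf("authenticated user-id 1000: %s\n", acl_permits(good, 1, acl, 1) ? "permit" : "deny");
    printf("asserted user-id 1000:      %s\n", acl_permits(bad, 1, acl, 1) ? "permit" : "deny");
    return 0;
}
```

The comparison is on length plus octets, never on a locally decoded form, which is what keeps the ACL portable; an entry naming an attribute the inquiry does not flag as an ACL subject (login-hours here) is ignored rather than silently matched.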
7. GSS_Display_name_ext()
Inputs:
o name NAME,
o display_as_name_type OBJECT IDENTIFIER
Outputs:
o major_status INTEGER,
o minor_status INTEGER,
[717 lines skipped]
--- /home/cvs/gss/doc/specification/draft-ietf-kitten-gssapi-prf-03.txt
2005/05/16 20:51:53 NONE
+++ /home/cvs/gss/doc/specification/draft-ietf-kitten-gssapi-prf-03.txt
2005/05/16 20:51:53 1.1
[1163 lines skipped]