draft-ietf-sasl-gs2-10.txt   draft-ietf-sasl-gs2-11.txt 
Network Working Group S. Josefsson Network Working Group S. Josefsson
Internet-Draft SJD AB
Intended status: Standards Track Intended status: Standards Track N. Williams
Expires: January 14, 2009 Expires: September 24, 2009 Sun Microsystems
March 23, 2009
Using GSS-API Mechanisms in SASL: The GS2 Mechanism Family Using GSS-API Mechanisms in SASL: The GS2 Mechanism Family
draft-ietf-sasl-gs2-10 draft-ietf-sasl-gs2-11
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any This Internet-Draft is submitted to IETF in full conformance with the
applicable patent or other IPR claims of which he or she is aware provisions of BCP 78 and BCP 79. This document may contain material
have been or will be disclosed, and any of which he or she becomes from IETF Documents or IETF Contributions published or made publicly
aware will be disclosed, in accordance with Section 6 of BCP 79. available before November 10, 2008. The person(s) controlling the
copyright in some of this material may not have granted the IETF
Trust the right to allow modifications of such material outside the
IETF Standards Process. Without obtaining an adequate license from
the person(s) controlling the copyright in such materials, this
document may not be modified outside the IETF Standards Process, and
derivative works of it may not be created outside the IETF Standards
Process, except to format it for publication as an RFC or to
translate it into languages other than English.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on January 14, 2009. This Internet-Draft will expire on September 24, 2009.
Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Abstract Abstract
This document describes how to use a Generic Security Service This document describes how to use a Generic Security Service
Application Program Interface (GSS-API) mechanism in the the Simple Application Program Interface (GSS-API) mechanism in the the Simple
Authentication and Security Layer (SASL) framework. This is done by Authentication and Security Layer (SASL) framework. This is done by
defining a new SASL mechanism family, called GS2. This mechanism defining a new SASL mechanism family, called GS2. This mechanism
family offers a number of improvements over the previous SASL/GSS-API family offers a number of improvements over the previous "SASL/
mechanism: it is more general, uses fewer messages for the GSSAPI" mechanism: it is more general, uses fewer messages for the
authentication phase in some cases, and supports a SASL-specific authentication phase in some cases, and supports negotiable use of
notion of channel binding. channel binding. Only GSS-API mechanisms that support channel
binding are supported.
See <http://josefsson.org/sasl-gs2-*/> for more information. See <http://josefsson.org/sasl-gs2-*/> for more information.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Conventions used in this document . . . . . . . . . . . . . . 5 2. Conventions used in this document . . . . . . . . . . . . . . 5
3. Mechanism name . . . . . . . . . . . . . . . . . . . . . . . . 6 3. Mechanism name . . . . . . . . . . . . . . . . . . . . . . . . 5
3.1. Generating SASL mechanism names from GSS-API OIDs . . . . 6 3.1. Generating SASL mechanism names from GSS-API OIDs . . . . 5
3.2. Computing mechanism names manually . . . . . . . . . . . . 6 3.2. Computing mechanism names manually . . . . . . . . . . . . 5
3.3. Examples . . . . . . . . . . . . . . . . . . . . . . . . . 6 3.3. Examples . . . . . . . . . . . . . . . . . . . . . . . . . 6
4. SASL Authentication Exchange Message Format . . . . . . . . . 8 4. SASL Authentication Exchange Message Format . . . . . . . . . 7
4.1. SASL Messages . . . . . . . . . . . . . . . . . . . . . . 8 4.1. SASL Messages . . . . . . . . . . . . . . . . . . . . . . 7
4.2. Context Token Field . . . . . . . . . . . . . . . . . . . 9 5. Channel Bindings . . . . . . . . . . . . . . . . . . . . . . . 9
4.2.1. Client side . . . . . . . . . . . . . . . . . . . . . 9 6. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
4.2.2. Server side . . . . . . . . . . . . . . . . . . . . . 10 7. Authentication Conditions . . . . . . . . . . . . . . . . . . 11
4.3. Wrap Token Field . . . . . . . . . . . . . . . . . . . . . 11 8. GSS-API Parameters . . . . . . . . . . . . . . . . . . . . . . 11
4.3.1. The GS2_Wrap function . . . . . . . . . . . . . . . . 12 9. Naming . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
4.3.2. Client first GS2_Wrap input . . . . . . . . . . . . . 12 10. GSS_Mechanism_SASLname call . . . . . . . . . . . . . . . . . 11
4.3.3. Server last GS2_Wrap input . . . . . . . . . . . . . . 13 10.1. gss_mechanism_saslname . . . . . . . . . . . . . . . . . . 13
4.3.4. Server first GS2_Wrap input . . . . . . . . . . . . . 14 11. GSS_Inquire_mech_for_SASLname call . . . . . . . . . . . . . . 13
4.3.5. Client last GS2_Wrap input . . . . . . . . . . . . . . 14 11.1. gss_inquire_mech_for_saslname . . . . . . . . . . . . . . 15
5. Channel Bindings . . . . . . . . . . . . . . . . . . . . . . . 15 12. Security Layers . . . . . . . . . . . . . . . . . . . . . . . 15
6. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 16 13. Interoperability with the SASL "GSSAPI" mechanism . . . . . . 16
7. Authentication Conditions . . . . . . . . . . . . . . . . . . 20 13.1. The interoperability problem . . . . . . . . . . . . . . . 16
8. GSS-API Parameters . . . . . . . . . . . . . . . . . . . . . . 21 13.2. Resolving the problem . . . . . . . . . . . . . . . . . . 16
9. Security Layer Bits . . . . . . . . . . . . . . . . . . . . . 22 13.3. Additional Recommendations . . . . . . . . . . . . . . . . 16
9.1. Examples . . . . . . . . . . . . . . . . . . . . . . . . . 23 14. Mechanisms that negotiate other mechanisms . . . . . . . . . . 17
10. Non-integrity capable GSS-API mechanisms . . . . . . . . . . . 24 14.1. The interoperability problem . . . . . . . . . . . . . . . 17
11. Interoperability with the SASL "GSSAPI" mechanism . . . . . . 25 14.2. Security problem . . . . . . . . . . . . . . . . . . . . . 17
11.1. The interoperability problem . . . . . . . . . . . . . . . 25 14.3. Resolving the problems . . . . . . . . . . . . . . . . . . 17
11.2. Resolving the problem . . . . . . . . . . . . . . . . . . 25 15. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17
11.3. Additional recommendations . . . . . . . . . . . . . . . . 25 16. Security Considerations . . . . . . . . . . . . . . . . . . . 18
12. Mechanisms that negotiate other mechanisms . . . . . . . . . . 26 17. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 19
12.1. The interoperability problem . . . . . . . . . . . . . . . 26 18. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19
12.2. Security problem . . . . . . . . . . . . . . . . . . . . . 26 18.1. Normative References . . . . . . . . . . . . . . . . . . . 19
12.3. Resolving the problems . . . . . . . . . . . . . . . . . . 26 18.2. Informative References . . . . . . . . . . . . . . . . . . 20
13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 27 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 21
14. Security Considerations . . . . . . . . . . . . . . . . . . . 28
15. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 30
16. References . . . . . . . . . . . . . . . . . . . . . . . . . . 31
16.1. Normative References . . . . . . . . . . . . . . . . . . . 31
16.2. Informative References . . . . . . . . . . . . . . . . . . 31
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 33
Intellectual Property and Copyright Statements . . . . . . . . . . 34
1. Introduction 1. Introduction
Generic Security Service Application Program Interface (GSS-API) Generic Security Service Application Program Interface (GSS-API)
[RFC2743] is a framework that provide security services to [RFC2743] is a framework that provides security services to
applications. Simple Authentication and Security Layer (SASL) applications using a variety of authentication "mechanisms". Simple
[RFC4422] is a framework to provide authentication and security Authentication and Security Layer (SASL) [RFC4422] is a framework to
layers for connection based protocols. This document describe how to provide authentication and "security layers" for connection based
use a GSS-API mechanism in a connection-based protocol using the SASL protocols, also using a variety of mechanisms. This document
framework. describes how to use a GSS-API mechanism as though it were a SASL
mechanism. This facility is called "GS2" -- a moniker that indicates
All GSSAPI mechanisms are implicitly registered for use within SASL that this is the second GSS-API->SASL mechanism bridge. The original
by this specification. The SASL mechanism defined in this document GSS-API->SASL mechanism bridge was specified by [RFC2222], now
is known as the GS2 family. [RFC4752]; we shall sometimes refer to the original bridge as "GS1"
in this document.
The "Kerberos V5 GSS-API mechanism" [RFC1964] is also supported in
SASL through "SASL GSSAPI mechanisms" [RFC4752]. The difference
between that protocol and the one described here, is that this
protocol offer more features (i.e., channel bindings and round-trip
optimizations) while the other protocol is more widely deployed.
There are interoperability concerns by having the same GSS-API
mechanism available under more than one SASL mechanism name, see the
section "Interoperability with the GSSAPI mechanism" below.
There are interoperability and security concerns if this SASL All GSS-API mechanisms are implicitly registered for use within SASL
mechanism is used together with a GSS-API mechanism that negotiate by this specification. The SASL mechanisms defined in this document
other GSS-API mechanisms (such as SPNEGO [RFC4178]), see the section are known as the "GS2 family of mechanisms".
"Mechanisms that negotiate other mechanisms" below.
There are interoperability and security concerns with GSSAPI The GS1 bridge failed to gain wide deployment for any GSS-API
mechanism that do not provide integrity, see the section "Non- mechanism other than The "Kerberos V GSS-API mechanism" [RFC1964]
integrity capable GSS-API mechanisms" below. [RFC4121], and has a number of problems that lead us to desire a new
bridge. Specifically: a) GS1 was not round-trip optimized, b) GS1
did not support channel binding [RFC5056]. These problems and the
opportunity to create the next SASL password-based mechanism, SCRAM
[I-D.newman-auth-scram], as a GSS-API mechanism used by SASL
applications via GS2, provide the motivation for GS2.
SASL mechanism names starting with "GS2-" are reserved for SASL In particular, the current consensus of the SASL community appears to
mechanisms which conform to this document. be that SASL "security layers" (i.e., confidentiality and integrity
protection of application data after authentication) are too complex
and, since SASL applications tend to have an option to run over a
Transport Layer Security (TLS) [RFC5246] channel, redundant and best
replaced with channel binding.
The IESG is considered to be the owner of all SASL mechanisms which GS2 is designed to be as simple as possible. It adds to GSS-API
conform to this document. This does not necessarily imply that the security context token exchanges only the bare minimum to support
IESG is considered to be the owner of the underlying GSSAPI SASL semantics and negotiation of use of channel binding.
mechanism. Specifically, GS2 adds a small header (2 bytes or 4 bytes plus the
length of the client requested SASL authorization ID (authzid)) to
the initial context token and to the application channel binding
data, and it uses SASL mechanism negotiation to implement channel
binding negotiation. All GS2 plaintext is protected via the use of
GSS-API channel binding. Additionally, to simplify the
implementation of GS2 mechanisms for implementors who will not
implement a GSS-API framework, we compress the initial security
context token header required by [RFC2743] (see section 3.1).
2. Conventions used in this document 2. Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
3. Mechanism name 3. Mechanism name
3.1. Generating SASL mechanism names from GSS-API OIDs 3.1. Generating SASL mechanism names from GSS-API OIDs
The SASL mechanism name for a GSS-API mechanism is the concatenation There are two SASL mechanism names for any GSS-API mechanism used
of the string "GS2-" and the Base32 encoding [RFC4648] (with an upper through this facility. One denotes that the server supports channel
case alphabet) of the first ten bytes of the binary SHA-1 hash binding. The other denotes that it does not.
[FIPS.180-1.1995] string computed over the ASN.1 DER encoding
[ITU.X690.1994], including the tag and length octets, of the GSS-API The SASL mechanism name for a GSS-API mechanism is that which is
mechanism's Object Identifier. The Base32 rules on padding provided by that mechanism when it was specified, if one was
characters and characters outside of the base32 alphabet are not specified. This name denotes that the server does not support
relevant to this use of Base32. If any padding or non-alphabet channel binding. Add the suffix "-PLUS" and the resulting name
denotes that the server does support channel binding. SASL
implementations can use the GSS_Mechanism_Name call (see below) to
query for the SASL mechanism name of a GSS-API mechanism.
For GSS-API mechanisms whose SASL names are not defined together with
the GSS-API mechanism or in this document, the SASL mechanism name is
concatenation of the string "GS2-" and the Base32 encoding [RFC4648]
(with an upper case alphabet) of the first 55 bits of the binary
SHA-1 hash [FIPS.180-1.1995] string computed over the ASN.1 DER
encoding [CCITT.X690.2002], including the tag and length octets, of
the GSS-API mechanism's Object Identifier. The Base32 rules on
padding characters and characters outside of the base32 alphabet are
not relevant to this use of Base32. If any padding or non-alphabet
characters are encountered, the name is not a GS2 family mechanism characters are encountered, the name is not a GS2 family mechanism
name. name. This name denotes that the server does not support channel
binding. Add the suffix "-PLUS" and the resulting name denotes that
the server does support channel binding.
3.2. Computing mechanism names manually 3.2. Computing mechanism names manually
The SASL mechanism name may be computed manually. This is useful The hash-derived GS2 SASL mechanism name may be computed manually.
when the set of supported GSS-API mechanisms is known in advance. It This is useful when the set of supported GSS-API mechanisms is known
also obliterate the need to implement Base32, SHA-1 and DER in the in advance. It also obliterate the need to implement Base32, SHA-1
SASL mechanism. The computed mechanism name can be used directly in and DER in the SASL mechanism. The computed mechanism name can be
the implementation, and the implementation need not concern itself used directly in the implementation, and the implementation need not
with that the mechanism is part of a mechanism family. concern itself with that the mechanism is part of a mechanism family.
3.3. Examples 3.3. Examples
The OID for the SPKM-1 mechanism [RFC2025] is 1.3.6.1.5.5.1.1. The The OID for the SPKM-1 mechanism [RFC2025] is 1.3.6.1.5.5.1.1. The
ASN.1 DER encoding of the OID, including the tag and length, is (in ASN.1 DER encoding of the OID, including the tag and length, is (in
hex) 06 07 2b 06 01 05 05 01 01. The SHA-1 hash of the ASN.1 DER hex) 06 07 2b 06 01 05 05 01 01. The SHA-1 hash of the ASN.1 DER
encoding is (in hex) 1c f8 f4 2b 5a 9f 80 fa e9 f8 31 22 6d 5d 9d 56 encoding is (in hex) 1c f8 f4 2b 5a 9f 80 fa e9 f8 31 22 6d 5d 9d 56
27 86 61 ad. Convert the first ten octets to binary, and re-group 27 86 61 ad. Convert the first 7 octets to binary, drop the last
them in groups of 5, and convert them back to decimal, which results bit, and re-group them in groups of 5, and convert them back to
in these computations: decimal, which results in these computations:
hex: hex:
1c f8 f4 2b 5a 9f 80 fa e9 f8 1c f8 f4 2b 5a 9f 80
binary: binary:
00011100 11111000 11110100 00101011 01011010 00011100 11111000 11110100 00101011 01011010
10011111 10000000 11111010 11101001 11111000 10011111 1000000
binary in groups of 5: binary in groups of 5:
00011 10011 11100 01111 01000 01010 11010 11010 00011 10011 11100 01111 01000 01010 11010 11010
10011 11110 00000 01111 10101 11010 01111 11000 10011 11110 00000
decimal of each group: decimal of each group:
3 19 28 15 8 10 26 26 19 30 0 15 21 26 15 24 3 19 28 15 8 10 26 26 19 30 0
base32 encoding: base32 encoding:
D T 4 P I K 2 2 T 6 A P V 2 P Y D T 4 P I K 2 2 T 6 A
The last step translate each decimal value using table 3 in Base32 The last step translate each decimal value using table 3 in Base32
[RFC4648]. Thus the SASL mechanism name for the SPKM-1 GSSAPI [RFC4648]. Thus the SASL mechanism name for the SPKM-1 GSSAPI
mechanism is "GS2-DT4PIK22T6APV2PY". mechanism is "GS2-DT4PIK22T6A".
The OID for the Kerberos V5 GSS-API mechanism [RFC1964] is The OID for the Kerberos V5 GSS-API mechanism [RFC1964] is
1.2.840.113554.1.2.2 and its DER encoding is (in hex) 06 09 2A 86 48 1.2.840.113554.1.2.2 and its DER encoding is (in hex) 06 09 2A 86 48
86 F7 12 01 02 02. The SHA-1 hash is 82 d2 73 25 76 6b d6 c8 45 aa 86 F7 12 01 02 02. The SHA-1 hash is 82 d2 73 25 76 6b d6 c8 45 aa
93 25 51 6a fc ff 04 b0 43 60. Convert the first ten octets to 93 25 51 6a fc ff 04 b0 43 60. Convert the first ten octets to
binary, and re-group them in groups of 5, and convert them back to binary, and re-group them in groups of 5, and convert them back to
decimal, which results in these computations: decimal, which results in these computations:
hex: hex:
82 d2 73 25 76 6b d6 c8 45 aa 82 d2 73 25 76 6b d6
binary: binary:
10000010 11010010 01110011 00100101 01110110 10000010 11010010 01110011 00100101 01110110
01101011 11010110 11001000 01000101 10101010 01101011 1101011
binary in groups of 5: binary in groups of 5:
10000 01011 01001 00111 00110 01001 01011 10110 10000 01011 01001 00111 00110 01001 01011 10110
01101 01111 01011 01100 10000 10001 01101 01010 01101 01111 01011
decimal of each group: decimal of each group:
16 11 9 7 6 9 11 22 13 15 11 12 16 17 13 10 16 11 9 7 6 9 11 22 13 15 11
base32 encoding: base32 encoding:
Q L J H G J L W N P L M Q R N K Q L J H G J L W N P L
The last step translate each decimal value using table 3 in Base32 The last step translate each decimal value using table 3 in Base32
[RFC4648]. Thus the SASL mechanism name for the Kerberos V5 GSSAPI [RFC4648]. Thus the SASL mechanism name for the Kerberos V5 GSSAPI
mechanism is "GS2-QLJHGJLWNPLMQRNK". mechanism would be "GS2-QLJHGJLWNPL" and (because this mechanism
supports channel binding) "GS2-QLJHGJLWNPL-PLUS". But instead, we
assign the Kerberos V mechanism a non-hash-derived mechanism name:
"KerberosV-GS2" and "KerberosV-GS2-PLUS" (see Section 15).
4. SASL Authentication Exchange Message Format 4. SASL Authentication Exchange Message Format
4.1. SASL Messages 4.1. SASL Messages
During the SASL authentication exchange for GS2, a number of messages During the SASL authentication exchange for GS2, a number of messages
following the following format is sent between the client and server. following the following format is sent between the client and server.
This number is the same as the number of context tokens that the GSS-
API mechanism would normally require in order to establish a security
context (or to fail to do so).
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 Note that when using a GS2 mechanism the SASL client is always a GSS-
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 API initiator and the SASL server is always a GSS-API acceptor. Thus
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ the SASL client calls GSS_Init_sec_context() and the server calls
| Context length | GSS_Accept_sec_context().
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Wrap token length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| /
/ [Context token] /
/ --------------------/
/ ---------------------/ /
/--------------------/ /
/ [Wrap token] /
/ /
/ |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The "Context length" and "Wrap token length" fields each contain a 4
octet (32 bit) integer encoded in network byte order, that indicate
the length of the "Context token" and "Wrap token" fields,
respectively. A length of 0 means that a particular field is not
present.
The "Context token" field, if present, contain a GSS-API context
establishment token generated by GSS_Init_sec_context or
GSS_Accept_sec_context.
The "Wrap token" field, if present, contain the output generated by
the GS2_Wrap function.
The fields need not be aligned to 32-bit a boundary. There is no
padding between fields.
Messages shorter than or equal to 8 octets are invalid. (The only
exception is the initial empty challenge sent by the server which may
be 0 octets.) From that it follows that at least one of the "Context
token length" and the "Wrap token length" integers MUST be non-zero
in a particular message. If the sum of the length integers is longer
than the entire message size, minus 8 octets for the length fields,
the message is invalid.
During any successful authentication exchange, the client and server
will each send exactly one (non-empty) "Wrap token".
Conforming implementations MUST NOT send additional data after the
above message syntax, and MUST ignore additional data. To
illustrate, implementations MUST NOT assume that the last "Wrap token
length" octets of the packet correspond to the "Wrap token", because
that would be incorrect if the packet contained additional data not
described by this document.
4.2. Context Token Field
The format of the "Context token" field inside the SASL token is
defined by each GSS-API mechanism, and the data is computed by (for
the client) GSS_Init_sec_context and (for the server)
GSS_Accept_sec_context.
4.2.1. Client side
The client calls GSS_Init_sec_context, passing in
input_context_handle of GSS_C_NO_CONTEXT (initially), mech_type of
the GSSAPI mechanism for which this SASL mechanism is registered, the
chan_binding is set to NULL, and targ_name equal to output_name from
GSS_Import_Name called with input_name_type of
GSS_C_NT_HOSTBASED_SERVICE (*) and input_name_string of
"service@hostname" where "service" is the service name specified in
the protocol's profile, and "hostname" is the fully qualified host
name of the server.
(*) - Clients MAY use name types other than
GSS_C_NT_HOSTBASED_SERVICE to import servers' acceptor names, but
only when they have a priori knowledge that the servers support
alternate name types. Otherwise clients MUST use
GSS_C_NT_HOSTBASED_SERVICE for importing acceptor names.
When calling the GSS_Init_sec_context the client SHOULD pass the
integ_req_flag of TRUE, but MAY set it to FALSE (see section 10
below). If the client intends to request a security layer, it MUST
also supply to the GSS_Init_sec_context a mutual_req_flag of TRUE,
and a sequence_req_flag of TRUE. If the client will be requesting a
security layer providing confidentiality protection, it MUST also
supply to the GSS_Init_sec_context a conf_req_flag of TRUE.
The client then responds with any resulting output_token.
If GSS_Init_sec_context returns GSS_S_CONTINUE_NEEDED, then the
client expect the server to issue a token in a subsequent challenge
or as additional information to the outcome of the authentication.
The client pass the context token to another call to
GSS_Init_sec_context, repeating the procedure, until GSS_S_COMPLETE
is returned or authentication is aborted.
If the server sent a (non-empty) "Wrap token", the context token is
processed before processing the other tokens. This is required
because GSS_Unwrap may need the context to be in the state it is
after the "Context token" in the message has been processed.
When GSS_Init_sec_context returns GSS_S_COMPLETE, the client MUST
examine the context to ensure that it provides a level of protection
permitted by the client's security policy.
4.2.2. Server side
The server passes the first context token to GSS_Accept_sec_context
as input_token, setting input_context_handle to GSS_C_NO_CONTEXT
(initially), the chan_binding set to NULL, and a suitable
acceptor_cred_handle (see below).
Servers SHOULD use a credential obtained by calling GSS_Acquire_cred
or GSS_Add_cred for the GSS_C_NO_NAME desired_name and the OID of the
GSS-API mechanism for which this SASL mechanism is registered (*).
Servers MAY use GSS_C_NO_CREDENTIAL as an acceptor credential handle.
Servers MAY use a credential obtained by calling GSS_Acquire_cred or
GSS_Add_cred for the server's principal name(s) (**) and the GSS-API
mechanism for which this SASL mechanism is registered.
(*) - Unlike GSS_Add_cred the GSS_Acquire_cred uses an OID set of
GSS-API mechanism as an input parameter. The OID set can be created
by using GSS_Create_empty_OID_set and GSS_Add_OID_set_member. It can
be freed by calling the GSS_Release_oid_set.
(**) - Use of server's principal names having
GSS_C_NT_HOSTBASED_SERVICE name type and "service@hostname" format,
where "service" is the service name specified in the protocol's
profile, and "hostname" is the fully qualified host name of the
server, is RECOMMENDED. The server name can be generated by calling
GSS_Import_name with input_name_type of GSS_C_NT_HOSTBASED_SERVICE
and input_name_string of "service@hostname".
The server then responds with any resulting output_token.
The server pass any resulting challenge from the client to another
call to GSS_Accept_sec_context, repeating the procedure, until
GSS_S_COMPLETE is returned or authentication is aborted.
If the client sent a (non-empty) "Wrap token", the context token is
processed first.
Upon successful establishment of the security context (i.e.
GSS_Accept_sec_context returns GSS_S_COMPLETE) the server SHOULD
verify that the negotiated GSS-API mechanism is indeed the registered
one. This is done by examining the value of the mech_type parameter
returned from the GSS_Accept_sec_context call. If the value differ,
the SASL authentication MUST be aborted.
Upon successful establishment of the security context and if the
server used GSS_C_NO_NAME/GSS_C_NO_CREDENTIAL to create acceptor
credential handle, the server SHOULD also check using the
GSS_Inquire_context that the target_name used by the client matches:
- the GSS_C_NT_HOSTBASED_SERVICE "service@hostname" name syntax,
where "service" is the service name specified in the application
protocol's profile, and "hostname" is the fully qualified host name
of the server.
When GSS_Accept_sec_context returns GSS_S_COMPLETE, the server MUST
examine the context to ensure that it provides a level of protection
permitted by the server's security policy.
4.3. Wrap Token Field
The Wrap token field MUST NOT be sent or received before the
PROT_READY flag is set locally (by GSS_Init_sec_context or
Gss_Accept_sec_context), or if the PROT_READY flag is never set,
before the context has been fully established. The Wrap token field
does not have to be present directly when the PROT_READY flag is set.
During any exchange, exactly one Wrap token field is sent in each
direction. The GS2_Wrap function is defined below, and its inputs
MUST follow the format described below. If not exactly one Wrap
token is received by the client and by the server, the authentication
MUST fail.
If PROT_READY is never set by GSS_Init_sec_context or
GSS_Accept_sec_context, the flag is implied by successful context
negotiation. This is for GSS-API v1 mechanisms that do not support
PROT_READY, or for GSS-API mechanism that do not provide per-message
protection. This may result in a SASL token consisting of a context
token length of 0 and a Wrap token.
The entity that sends the first Wrap token will have to specify a
bitmap of supported and preferred quality of protection schemes. The
entity that replies to the Wrap tokens will pick a scheme, based on
the bitmask and local policy. The quality of protection values are
defined in section 9.
Two pairs of input formats to the GS2_Wrap function are defined. The
first pair is used when the client sends the Wrap token first and the
server responds. The other pair is used when the server sends the
Wrap token first and the client responds.
The inputs below are passed to GS2_Wrap, and the output is used as
the Wrap token value.
Some fields in the input formats are optional, indicated by brackets
("[" and "]") and explained by the text below.
4.3.1. The GS2_Wrap function
The GS2_Wrap function have two implementations, and which one is used
depends on whether the negotiated GSS-API context supports per-
message protection. When a context is successfully negotiated (i.e.,
when GSS_S_COMPLETE is returned from, for clients,
GSS_Init_sec_context, or, for servers, GSS_Accept_sec_context) and
the output variable integ_avail is FALSE, then GSS_Wrap cannot be
used and instead we define GS2_Wrap to be the identity function.
When integ_avail is negotiated TRUE, the GS2_Wrap is identical to
calling the GSS_Wrap function with conf_flag set to FALSE and using
the generated output_message as the output data.
4.3.2. Client first GS2_Wrap input
The input to GS2_Wrap when the client sends a Wrap token field first
is as follows.
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 All the SASL authentication messages exchanged are exactly the same
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 as the security context tokens of the GSS-API mechanism, except for
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ the initial security context token.
| client_qops | client_maxbuf |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| channel_binding_length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|[client_cbqops]| [channel_binding_data] /
/ /
/ / [authzid] /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The "client_qops" integer indicate the client's preferred quality of Also, the server SHOULD refrain from sending GSS-API error tokens
protection if channel bindings are absent or the negotiation of the (tokens output by GSS_Init_sec_context() or GSS_Accept_sec_context()
channel binding fails. The quality of protection values are defined along with a major status code other than GSS_S_COMPLETE or
in section 9. GSS_S_CONTINUE_NEEDED) as SASL applications handle error conditions.
The "client_maxbuf" field indicate the maximum protected buffer size The initial security context token is modified as follows:
the client can receive in network byte order. It MUST be 0 if the o The [RFC2743] section 3.1 initial context token header MUST be
client doesn't advertise support for any security layer, the server removed if present, and its presence is noted (see below). On the
MUST verify this. Small values can make it impossible for the server server side this header MUST be recomputed and restored prior to
to send any protected message to the client, due to the overhead passing the token to GSS_Accept_sec_context().
added by GSS_Wrap, and the server MAY reject the authentication if it o A GS2 header MUST be prefixed to the resulting initial context
detects this situation. token. This header has the form given below in ABNF [RFC5234].
The "channel_binding_length" is a network byte order integer that UTF8-1-safe = %x01-2B / %x2D-3C / %x3E-7F
indicate the length of the "channel_binding_data" field. ;; As UTF8-1 in RFC 3629 except
;; NUL, "=", and ",".
UTF8-2 = <as defined in RFC 3629 (STD 63)>
UTF8-3 = <as defined in RFC 3629 (STD 63)>
UTF8-4 = <as defined in RFC 3629 (STD 63)>
UTF8-char-safe = UTF8-1 / UTF8-2 / UTF8-3 / UTF8-4
The optional field "client_cbqops" is present only if saslname = 1*(UTF8-char-safe / "=2C" / "=3D")
"channel_binding_length" is non-zero, and indicate the client's gs2-authzid = "a=" saslname
preferred quality of protection if channel binding negotiation ;; GS2 has to transport an authzid since
succeeds. The quality of protection values are defined in section 9. ;; the GSS-API has no equivalent
gs2-std-mech = "F"
;; "F" means the mechanism is NOT is a
;; standard GSS-API mechanism in that the
;; RFC2743 section 3.1 header was missing
gs2-cb-flag = "n" / "y" / "p"
;; GS2 channel binding (CB) flag
;; "n" -> client does not support CB
;; "y" -> client supports CB, thinks the server
;; does not
;; "p" -> client supports and used CB
gs2-header = [gs2-std-mech] gs2-cb-flag [gs2-authzid] ","
;; The GS2 header is gs2-header.
;; gs2-std-mech is present if the GSS-API
;; mechanism's initial context token did not
;; have the standard header defined in
;; [RFC2743] section 3.1.
The optional field "channel_binding_data" is present only if The GS2 header is also prepended to the application's channel binding
"channel_binding_length" is non-zero, and contain the actual channel data. If the application did not provide channel binding data then
the GS2 header is used as though it were application-provided channel
binding data. binding data.
The optional field "authzid" contain the authorization identity. The The "gs2-authzid" holds the SASL authorization identity. It is
authorization identity is encoded using UTF-8 [RFC3629]. The encoded using UTF-8 [RFC3629] with three exceptions:
authorization identity is not terminated with the NUL (U+0000) o The NUL characters is forbidden as required by section 3.4.1 of
character. Servers MUST validate that the authorization identity is [RFC4422].
valid UTF-8.
4.3.3. Server last GS2_Wrap input
The input to GS2_Wrap when the server sends a Wrap token field, after
receiving the Wrap token in the previous section from the client, is
as follows.
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| server_qop | server_maxbuf |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The "server_qop" field integer indicate the selected quality of
protection. The quality of protection values are defined in section
9.
The "server_maxbuf" field indicate the maximum protected data buffer
size the server can receive in network byte order. It MUST be 0 if
the server doesn't advertise support for any security layer, the
client MUST verify this. Small values can make it impossible for the
client to send any protected message to the server, due to the
overhead added by GSS_Wrap, and the client MAY reject the
authentication if it detects this situation.
4.3.4. Server first GS2_Wrap input
The input to GS2_Wrap when the server sends the Wrap token first is
as follows.
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| server_qops | server_maxbuf |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|[server_cbqops]| [channel_binding_data] /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The "server_qops" field is an integer indicating the server's
preferred quality of protection if channel bindings are absent or the
negotiation of the channel binding fails. The quality of protection
values are defined in section 9.
The "server_maxbuf" is the same as above.
The optional field "server_cbqops" indicate the server's preferred
quality of protection if channel binding negotiation succeeds. The
quality of protection values are defined in section 9.
The optional field "channel_binding_data" contain the actual channel o The server MUST replace any occurance of "," (comma) in the string
binding data. with "=2C".
o The server MUST replace any occurance of "=" (comma) in the string
with "=3D".
4.3.5. Client last GS2_Wrap input If a server sends a string that does not conform to this syntax, the
client MUST reject authentication.
The input to GS2_Wrap when the clients sends a Wrap token field, 5. Channel Bindings
after receiving the Wrap token in the previous section from the
server, is as follows.
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 If the server supports channel binding then it must list both forms
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 of the SASL mechanism name for each GSS-API mechanism supported via
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ GS2 (i.e., GSS-API mechanisms that support channel binding).
| client_qop | client_maxbuf |
/ [authzid] |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The "client_qop" field is the selected quality of protection. The If the client supports channel binding and the server does not (i.e.,
quality of protection values are defined in section 9. the server did not advertise the -PLUS names) then the client MUST
either fail authentication or it MUST set the channel binding flag in
the GS2 initial security context token to "y" and MUST NOT include
application channel binding data in the GSS-API channel binding input
to GSS_Init_sec_context().
The "client_maxbuf" and "authzid" fields are as above. If the client supports channel binding and the server also does then
the client MUST set the channel binding flag in the GS2 initial
security context token to "p" and MUST include application channel
binding data in the GSS-API channel binding input to
GSS_Init_sec_context().
5. Channel Bindings If the client does not support channel binding then it MUST set the
channel binding flag in the GS2 initial security context token to "n"
and MUST NOT include application channel binding data in the GSS-API
channel binding input to GSS_Init_sec_context().
The GS2 mechanism provide its own channel binding mechanism, instead Upon receipt of the initial authentication message the server checks
of using the "chan_binding" parameter in the GSS-API context the channel binding flag in the GS2 header and constructs a channel
functions. The reason for this is that the GS2 mechanism provide an binding data input for GSS_Accept_sec_context() accordingly. If the
option to proceed even if the channel bindings does not match. The client channel binding flag was "n" then the server MUST NOT include
GSS-API framework specifies that authentication cannot proceed if application channel binding data in the GSS-API channel binding input
channel bindings do not match. to GSS_Accept_sec_context(). If the client channel binding flag was
"y" and the server does support channel binding then the server MUST
fail authentication. If the client channel binding flag was "p" the
server MUST include application channel binding data in the GSS-API
channel binding input to GSS_Accept_sec_context().
Client and servers MUST set the "chan_binding" parameter in the calls For more discussions of channel bindings, and the syntax of the
to GSS_Init_sec_context and GSS_Accept_sec_context, respectively, to channel binding data for various security protocols, see [RFC5056].
NULL.
Implementations SHOULD set the "client_cbqops" and "server_cbqops" to 6. Examples
no security layer and instead depend on the session security afforded
by the bound-in channel.
In order to accomodate the requirement in [RFC5056] "Authentication Example #1: a one round-trip GSS-API context token exchange, no
frameworks and mechanisms that support channel binding MUST channel binding, optional authzid given.
communicate channel binding failure to applications" implementations
assert a bit in the security layer bitmask (see Section 9) on
negotiation failures.
Use of no SASL security layers in combination with channel binding C: Request authentication exchange
should provide better performance than using SASL security layers S: Empty Challenge
over secure channels, and better security characteristics than using C: nauthzid=someuser, <initial context token with standard
no SASL security layers over secure channels without channel binding. header removed>
S: Send reply context token as is
C: Empty message
S: Outcome of authentication exchange
For more discussions of channel bindings, and the syntax of the Example #2: a one and one half round-trip GSS-API context token
channel binding data for various security protocols, see [RFC5056]. exchange.
For easy reference, the channel binding format used for The Transport
Layer Security (TLS) Protocol [RFC4346] is specified in
[I-D.altman-tls-channel-bindings].
6. Protocol Overview C: Request authentication exchange
S: Empty Challenge
C: nauthzid=someuser, <initial context token with standard
header removed>
S: Send reply context token as is
C: Send reply context token as is
S: Outcome of authentication exchange
This section describe several high-level protocol exchanges. The Example #3: a two round-trip GSS-API context token exchange.
descriptions do not assume any properties of the actual GSS-API
mechanism. Protocol profiles, GSS-API mechanism specific behaviour,
and to some extent implementation and policy choices, will dictate
which packets are sent in what order. The protocol exchanges are
examples and other exchanges are permitted and will occur.
An informal pseudo-language is used to describe the packets sent C: Request authentication exchange
below. GS2_Wrap refer to the operation of calling GS2_Wrap on the S: Empty Challenge
indicated fields, formatted in the structures described earlier. C: nauthzid=someuser, <initial context token with standard
GSS_Init_sec_context and GSS_Accept_sec_context refer to the context header removed>
token generated by calling the respective function. The GS2 SASL S: Send reply context token as is
Message is denoted as [Context_token, Wrap_token], and the length C: Send reply context token as is
fields are not mentioned. S: Send reply context token as is
C: Empty message
S: Outcome of authentication exchange
An authentication exchange using GS2 may look like: Example #4: using channel binding.
C: Request authentication exchange C: Request authentication exchange
S: Empty Challenge S: Empty Challenge
C: Send [GSS_Init_sec_context, ""] token C: yauthzid=someuser, <initial context token with standard
... header removed>
S: After PROT_READY is set, S: Send reply context token as is
send [GSS_Accept_sec_context,
GS2_Wrap(server_qops | server_maxbuf]
...
C: After PROT_READY is set,
send [GSS_Init_sec_context,
GS2_Wrap (client_qop | client_maxbuf | authzid)]
S: Send [GSS_Accept_sec_context, ""] token
C: Send [GSS_Init_sec_context, ""] token
... ...
S: Outcome of authentication exchange
GSS-API authentication is always initiated by the client. The SASL GSS-API authentication is always initiated by the client. The SASL
framework allows either the client and server to initiate framework allows either the client and server to initiate
authentication. In GS2 the server will send an initial empty authentication. In GS2 the server will send an initial empty
challenge (zero byte string) if it has not yet received a token from challenge (zero byte string) if it has not yet received a token from
the client. See section 3 of [RFC4422]. the client. See section 3 of [RFC4422].
The next example illustrate when the client sends its Wrap token 7. Authentication Conditions
first.
C: Request authentication exchange Authentication MUST NOT succeed if any one of the following
S: Empty Challenge conditions are true:
C: Send [GSS_Init_sec_context, ""] token
...
C: After PROT_READY is set,
send [GSS_Init_sec_context,
GS2_Wrap(client_qops | client_maxbuf |
channel_binding_length=0 | authzid)]
...
S: After PROT_READY is set,
send [GSS_Accept_sec_context,
GS2_Wrap (server_qop | server_maxbuf)]
C: Send [GSS_Init_sec_context, ""] token
S: Send [GSS_Accept_sec_context, ""] token
...
S: Outcome of authentication exchange
If the protocol profile support the optional initial client response, o GSS_Init/Accept_sec_context() return anything other than
the first empty message can be optimized away, and then the protocol GSS_S_CONTINUE_NEEDED or GSS_S_COMPLETE.
exchange will look like: o If the client's GS2 channel binding flag was "y" and the server
supports channel binding.
o If the client requires use of channel binding and the server did
not advertise support for channel binding.
o Authorization of client principal (i.e., src_name in
GSS_Accept_sec_context()) to requested authzid failed.
o If the client is not authorized to the requested authzid or an
authzid could not be derived from the client's initiator principal
name.
C: Request authentication exchange and 8. GSS-API Parameters
send [GSS_Init_sec_context, ""] token
S: Send [GSS_Accept_sec_context, ""] token
...
S: Outcome of authentication exchange
If the protocol profile can also send additional information when GS2 does not use any GSS-API per-message tokens. Therefore the
indicating the outcome of the authentication, then the protocol setting of req_flags related to per-message tokens is irrelevant.
exchange will look like:
C: Request authentication exchange and 9. Naming
send [GSS_Init_sec_context, ""] token
S: Send [GSS_Accept_sec_context, ""] token
...
C: Send [GSS_Init_sec_context, ""] token
S: Indicate successful authentication and
send [GSS_Accept_sec_context, ""] token
as additional information.
If the PROT_READY flag is never set by the GSS-API mechanism, the There's no requirement that any particular GSS-API name-types be
GS2_Wrap message will be sent after the context has been established. used. However, typically SASL servers will have host-based acceptor
The protocol may look like: principal names (see [RFC2743] section 4.1) and clients will
typically have username initiator principal names (see [RFC2743]
section 4.2).
C: Request authentication exchange 10. GSS_Mechanism_SASLname call
...
S: GSS_Accept_sec_context() returns GSS_S_COMPLETE and outputs
a token, send ["", GS2_Wrap(server_qops | server_maxbuf)]
C: GSS_Init_sec_context() returns GSS_S_COMPLETE and does not
output a token, send
["", GS2_Wrap(client_qop | client_maxbuf |
channel_binding_length=0 | authzid)]
S: Outcome of authentication exchange
Alternatively, if the client finishes first, it may look like: To allow SASL implementations to query for the SASL mechanism name of
a GSS-API mechanism, we specify a new GSS-API function for this
purpose.
C: Request authentication exchange Inputs:
...
C: GSS_Init_sec_context() returns GSS_S_COMPLETE and outputs a
token, send ["", GS2_Wrap(client_qops | client_maxbuf |
channel_binding_length=0 | authzid)]
S: GSS_Accept_sec_context() returns GSS_S_COMPLETE and does not
output a token, send ["", GS2_Wrap(server_qop | server_maxbuf |
channel_binding_length=0)]
S: Outcome of authentication exchange
Adding channel bindings to the last examples, gives the following o desired_mech OBJECT IDENTIFIER
complex situation. Here the client request confidentiality for the
application data if channel binding fails but no SASL security layer
if channel binding negotiation succeeds:
C: Request authentication exchange Outputs:
...
C: GSS_Init_sec_context() returns GSS_S_COMPLETE and outputs a
token, send [GSS_Init_sec_context,
GS2_Wrap(client_qops=0x04 | client_maxbuf |
channel_binding_length=n |
client_cbqops=0x01 | channel_binding_data |
authzid)]
S: GSS_Accept_sec_context() returns GSS_S_COMPLETE and does not
output a token, send ["",
GS2_Wrap(server_qop | server_maxbuf |
channel_binding_length=0)]
S: Outcome of authentication exchange
If the protocol support initial data from the client, and the o sasl_mech_name OCTET STRING -- SASL name for this mechanism
PROT_READY flag is set in the client after the first call to (really, ASCII)
GSS_Init_sec_context, and the server can send additional data to the
client when indicating successful authentication, the following
protocol exchange will occur.
C: Request authentication exchange and o mech_name UTF-8 STRING -- name of this mechanism, possibly
send [GSS_Init_sec_context, localized
GS2_Wrap (client_qops | client_maxbuf |
channel_binding_length=0 | authzid)] token
S: Indicate successful authentication and
send [GSS_Accept_sec_context,
GS2_Wrap(server_qop | server_maxbuf)] token
as additional information.
The last example illustrate the optimal (round-trip wise) o mech_description UTF-8 STRING -- possibly localized
authentication possible using this protocol. description of this mechanism.
7. Authentication Conditions Return major_status codes:
Authentication MUST NOT succeed if any one of the following o GSS_S_COMPLETE indicates successful completion, and that output
conditions are true: parameters holds correct information.
o An invalid SASL token is received (e.g., length field checks o GSS_S_BAD_MECH indicates that a disred_mech was unsupported by
discussed in section 4.1 fail). the GSS-API implementation.
o GSS_Init/Accept_sec_context() return anything other than The GSS_Mechanism_SASLname call is used to get the SASL mechanism
GSS_S_CONTINUE_NEEDED or GSS_S_COMPLETE. name for a GSS-API mechanism. It also returns a name and
description of the mechanism in a human readable form.
o GSS_Wrap() returns anything other than GSS_S_COMPLETE. 10.1. gss_mechanism_saslname
o GSS_Unwrap() returns anything other than GSS_S_COMPLETE. (There The C binding for the GSS_Mechanism_SASLname call is as follows.
can't be supplementary status codes in GS2 at this point, so any
indications of out of order processing or replays is fatal.)
o The token returned from GSS_Unwrap fail to parse correctly (e.g., OM_uint32 gss_mechanism_saslname(
too short, invalid maximum buffer size) as the expected Wrap OM_uint32 *minor_status,
token. const gss_OID desired_mech,
gss_buffer_t sasl_mech_name,
gss_buffer_t mech_name,
gss_buffer_t mech_description,
);
o Local policy reject the attempt. For example, client and server Purpose:
can't agree on qop proposal, or channel binding negotiation
failed.
o (server-side) Authorization of client principal (i.e., src_name in Output the SASL mechanism name of a GSS-API mechanism. Also output
GSS_Acecpt_sec_context) to requested authzid failed. a name and description of the mechanism in a human readable form.
8. GSS-API Parameters Parameters:
The implementation MAY set any GSSAPI flags or arguments not minor_status Integer, modify
mentioned in this specification as is necessary for the Mechanism specific status code.
implementation to enforce its security policy.
9. Security Layer Bits Function value: GSS status code
The fields "client_qops", "server_qops", "client_cbqops", and GSS_S_COMPLETE Successful completion
"server_cbqops" are bit-fields that encode a set of requested quality
of protection. The fields "client_qop" and "server_qop" encode a
single quality of protection value.
The "client_qop" and "server_qop" will contains the chosen security GSS_S_BAD_MECH The desired_mech OID is unsupported
layer.
Note that "client_qop" and "server_qop" MAY indicate a quality of 11. GSS_Inquire_mech_for_SASLname call
protection that was not offered by the server and client,
respectively. This SHOULD only be used when the server or client
(respectively) would otherwise fail the entire authentication
exchange. The server/client that receives a "client_qop"/
"server_qop" MUST verify that it corresponds to an acceptable
security level.
Whether the channel binding negotiation is successful or not may To allow SASL clients to more efficiently identify which GSS-API
influence the security layer selection. The most significant bit is mechanism a particular SASL mechanism name refers to we specify a new
used to signal failed channel binding negotiation. Implementations GSS-API utility function for this purpose.
MUST set the bit if channel bindings were provided from the other end
and a local channel binding is absent or not equal. Implementation
MUST clear the bit otherwise.
The security layers and their corresponding bit-masks are as follows: Inputs:
1 No security layer. o sasl_mech_name OCTET STRING -- SASL name of mechanism
2 Integrity protection. (really, ASCII)
Sender calls GSS_Wrap with conf_flag set to FALSE.
4 Confidentiality protection.
Sender calls GSS_Wrap with conf_flag set to TRUE.
8-64 Reserved.
128 Channel binding negotiation failed.
The bit-masks 8-64 are reserved and may be defined in the future; Outputs:
bits which are not understood MUST be negotiated off.
When decoding any received data with GSS_Unwrap the major_status o mech_type OBJECT IDENTIFIER -- must be explicit mechanism,
other than the GSS_S_COMPLETE MUST be treated as a fatal error. and not "default" specifier
For integrity and confidentiality protection, GS2 negotiates the Return major_status codes:
maximum size of the output_message to send. Implementations can use
the GSS_Wrap_size_limit call to determine the corresponding maximum
size input_message.
9.1. Examples o GSS_S_COMPLETE indicates successful completion, and that output
parameters holds correct information.
When no security layer is negotiated the octet will encode an integer o GSS_S_BAD_MECH indicates that no supported GSS-API mechanism
1 as follows. had the indicated sasl_mech_name.
7 6 5 4 3 2 1 0 The GSS_Inquire_mech_for_SASLname call is used to get the GSS-API
+-+-+-+-+-+-+-+-+ mechanism OID associated with a SASL mechanism name.
|0|0|0|0|0|0|0|1|
+-+-+-+-+-+-+-+-+
When integrity is negotiated the octet will encode an integer 2 as 11.1. gss_inquire_mech_for_saslname
The C binding for the GSS_Inquire_mech_for_SASLname call is as
follows. follows.
7 6 5 4 3 2 1 0 OM_uint32 gss_inquire_mech_for_saslname(
+-+-+-+-+-+-+-+-+ OM_uint32 *minor_status,
|0|0|0|0|0|0|1|0| const gss_buffer_t sasl_mech_name,
+-+-+-+-+-+-+-+-+ gss_OID *mech_type
);
When confidentiality is negotiated, and channel binding negotiation Purpose:
failed, the octet will encode an integer 128+4=132 as follows.
7 6 5 4 3 2 1 0 Output GSS-API mechanism OID of mechanism associated with given
+-+-+-+-+-+-+-+-+ sasl_mech_name.
|1|0|0|0|0|1|0|0|
+-+-+-+-+-+-+-+-+
When a bitmask that indicates that all security layers are Parameters:
acceptable, the octet will encode an integer 1+2+4=7 as follows.
7 6 5 4 3 2 1 0 minor_status Integer, modify
+-+-+-+-+-+-+-+-+ Mechanism specific status code.
|0|0|0|0|0|1|1|1|
+-+-+-+-+-+-+-+-+
10. Non-integrity capable GSS-API mechanisms Function value: GSS status code
Mechanisms that do not support integrity can be used with GS2, but GSS_S_COMPLETE Successful completion
some security features cannot be provided, in particular including
channel bindings, security layers, and integrity protection of the
authorization identity.
Channel bindings and security layers MUST NOT be negotiated when the GSS_S_BAD_MECH The desired_mech OID is unsupported
GSS-API mechanism do not support integrity. It should also be
understood that the authorization identity is not integrity
protected.
Whether a mechanism supports integrity or not, for the purpose of 12. Security Layers
GS2, is decided by whether the integ_avail output variable from
GSS_Init_sec_context (for clients) and GSS_Accept_sec_context (for
servers). If integ_avail is FALSE, integrity is not supported.
There is a potential interoperability problem if a client call GS2 does not currently support SASL security layers. Applications
GSS_Init_sec_context with integ_req_flag of TRUE and the context that need integrity protection or confidentiality and integrity
negotiation fails because the mechanism (due to design, the protection MUST use either channel binding to a secure external
capability of the credentials, or policy) cannot provide per-message channel or a SASL mechanism that does provide security layers.
protection. Calling GSS_Init_sec_context with a FALSE integ_req_flag
instead is not optimal, since a mechanism may then negotiate less
security than it would have otherwise done.
It is RECOMMENDED that implementations only ever call NOTE WELL: the GS2 client's first authentication message MUST always
GSS_Init_sec_context with a integ_req_flag of FALSE when it knows start with "F", "n", "y" or "p", otherwise the server MUST fail
that the particular GSS-API mechanism will not be able to negotiate authentication. This will allow us to add support for security
per-message protection services. layers in the future if it were to become necessary. Note that
adding security layer support to GS2 must not break existing SASL/GS2
applications, which can be accomplished by making security layers
optional.
Implementations MAY have a policy to disallow non-integrity capable [A sketch of how to add sec layer support... Add a way for the
mechanisms, and always call GSS_Init_sec_context with the client to: a) make an offer of sec layers and max buffer, b) make an
integ_req_flag set to TRUE. opportunistic selection of sec layer and buffer size, both in the
first client authentication message, and starting with a character
other than "F", "n", "y" or "p". The server could accept the
opportunistic proposal (reply token prefixed with a byte indicating
acceptance) or reject it along with an indication of the server's
acceptable sec layers and max buffer size. In the latter case the
GSS-API security context token exchange must be abandoned and
recommenced, although this would be a detail of the GS2 bridge not
exposed to the SASL application. The negotiation would be protected
via GSS channel binding, as with the rest of GS2.]
11. Interoperability with the SASL "GSSAPI" mechanism 13. Interoperability with the SASL "GSSAPI" mechanism
The Kerberos V5 GSS-API [RFC1964] mechanism is currently used in SASL The Kerberos V5 GSS-API [RFC1964] mechanism is currently used in SASL
under the name "GSSAPI", see GSSAPI mechanism [RFC4752]. The under the name "GSSAPI", see GSSAPI mechanism [RFC4752]. The
Kerberos V5 mechanism may also be used with the GS2 family. This Kerberos V5 mechanism may also be used with the GS2 family. This
causes an interopability problem, which is discussed and resolved causes an interopability problem, which is discussed and resolved
below. below.
11.1. The interoperability problem 13.1. The interoperability problem
The SASL "GSSAPI" mechanism is not wire-compatible with the Kerberos
V GSS-API mechanism used as a SASL GS2 mechanism.
If a client (or server) only support Kerberos V5 under the "GSSAPI" If a client (or server) only support Kerberos V5 under the "GSSAPI"
name and the server (or client) only support Kerberos V5 under the name and the server (or client) only support Kerberos V5 under the
GS2 family, the authentication negotiation will fail. GS2 family, the mechanism negotiation will fail.
11.2. Resolving the problem 13.2. Resolving the problem
If the Kerberos V5 mechanism is supported under GS2 in a server, the If the Kerberos V5 mechanism is supported under GS2 in a server, the
server SHOULD also support Kerberos V5 through the "GSSAPI" server SHOULD also support Kerberos V5 through the "GSSAPI"
mechanism, to avoid interoperability problems with older clients. mechanism, to avoid interoperability problems with older clients.
Reasons for violating this recommendation may include security Reasons for violating this recommendation may include security
considerations regarding the absent features in the GS2 mechanism. considerations regarding the absent features in the GS2 mechanism.
The Kerberos V5 "GSSAPI" SASL mechanism lack channel bindings, which The SASL "GSSAPI" mechanism lacks support for channel bindings, which
could enable certain tunnel attacks [mitm]. means that using an external secure channel may not be sufficient
protection against active attackers (see [RFC5056], [mitm]).
11.3. Additional recommendations 13.3. Additional Recommendations
It is RECOMMENDED to negotiate Kerberos V5 through the GS2 mechanism If the application requires security layers then it MUST prefer the
rather than through the "GSSAPI" mechanism, if both are available, SASL "GSSAPI" mechanism over "KerberosV-GS2".
because of the additional features in the GS2 mechanism.
12. Mechanisms that negotiate other mechanisms If the application can use channel binding to an external channel
then it is RECOMMENDED that it select Kerberos V5 through the GS2
mechanism rather than the "GSSAPI" mechanism.
14. Mechanisms that negotiate other mechanisms
A GSS-API mechanism that negotiate other mechanisms interact badly A GSS-API mechanism that negotiate other mechanisms interact badly
with the SASL mechanism negotiation. There are two problems. The with the SASL mechanism negotiation. There are two problems. The
first is an interoperability problem and the second is a security first is an interoperability problem and the second is a security
concern. The problems are described and resolved below. concern. The problems are described and resolved below.
12.1. The interoperability problem 14.1. The interoperability problem
If a client implement GSS-API mechanism X, potentially negotiated If a client implement GSS-API mechanism X, potentially negotiated
through a GSS-API mechanism Y, and the server also implement GSS-API through a GSS-API mechanism Y, and the server also implement GSS-API
mechanism X negotiated through a GSS-API mechanism Z, the mechanism X negotiated through a GSS-API mechanism Z, the
authentication negotiation will fail. authentication negotiation will fail.
12.2. Security problem 14.2. Security problem
If a client's policy is to first prefer GSSAPI mechanism X, then non- If a client's policy is to first prefer GSSAPI mechanism X, then non-
GSSAPI mechanism Y, then GSSAPI mechanism Z, and if a server supports GSSAPI mechanism Y, then GSSAPI mechanism Z, and if a server supports
mechanisms Y and Z but not X, then if the client attempts to mechanisms Y and Z but not X, then if the client attempts to
negotiate mechanism X by using a GSS-API mechanism that negotiate negotiate mechanism X by using a GSS-API mechanism that negotiate
other mechanisms (such as SPNEGO), it may end up using mechanism Z other mechanisms (such as SPNEGO), it may end up using mechanism Z
when it ideally should have used mechanism Y. For this reason, the when it ideally should have used mechanism Y. For this reason, the
use of GSS-API mechanisms that negotiate other mechanisms are use of GSS-API mechanisms that negotiate other mechanisms are
disallowed under GS2. disallowed under GS2.
12.3. Resolving the problems 14.3. Resolving the problems
GSS-API mechanisms that negotiate other mechanisms MUST NOT be used GSS-API mechanisms that negotiate other mechanisms MUST NOT be used
with the GS2 SASL mechanism. This specifically exclude negotiating with the GS2 SASL mechanism. Specifically SPNEGO [RFC4178] MUST NOT
SPNEGO [RFC4178] under GS2. be used as a GS2 mechanism. To make this easier for SASL
implementations we assign a symbolic SASL mechanism name to the
SPNEGO GSS-API mechanism: "SPNEGO". SASL client implementations MUST
NOT choose the SPNEGO mechanism under any circumstances. [What about
SASL apps that don't do mechanism negotiation? Probably none exist.
But if any did then presumably it would OK to use the SPNEGO
mechanism, no? -Nico]
The GSS_C_MA_MECH_NEGO attribute of GSS_Inquire_attrs_for_mech() The GSS_C_MA_MECH_NEGO attribute of GSS_Inquire_attrs_for_mech()
[I-D.ietf-kitten-extended-mech-inquiry] can be used to identify such [I-D.ietf-kitten-extended-mech-inquiry] can be used to identify such
mechanisms. mechanisms.
13. IANA Considerations 15. IANA Considerations
The SASL names for the Kerberos V GSS-API mechanism [RFC4121]
[RFC1964] used via GS2 SHALL be "KerberosV-GS2" and "KerberosV-GS2-
PLUS".
The SASL names for the SPNEGO GSS-API mechanism used via GS2 SHALL be
"SPNEGO" and "SPNEGO-PLUS". As described in Section 14 the SASL
"SPNEGO" and "SPNEGO-PLUS" MUST NOT be used. These names are
provided as a convienience for SASL library implementors.
The IANA is advised that SASL mechanism names starting with "GS2-" The IANA is advised that SASL mechanism names starting with "GS2-"
are reserved for SASL mechanisms which conform to this document. The are reserved for SASL mechanisms which conform to this document. The
IANA is directed to place a statement to that effect in the sasl- IANA is directed to place a statement to that effect in the sasl-
mechanisms registry. mechanisms registry.
The IANA is further advised that SASL mechanisms MUST NOT end in
"-PLUS" except as a version of another mechanism name simply suffixed
with "-PLUS".
Subject: Registration of SASL mechanism GS2-* Subject: Registration of SASL mechanism GS2-*
SASL mechanism prefix: GS2- SASL mechanism prefix: GS2-
Security considerations: RFC [THIS-DOC] Security considerations: RFC [THIS-DOC]
Published specification: RFC [THIS-DOC] Published specification: RFC [THIS-DOC]
Person & email address to contact for further information: Person & email address to contact for further information:
Simon Josefsson <[email protected]> Simon Josefsson <[email protected]>
Intended usage: COMMON Intended usage: COMMON
Owner/Change controller: [email protected] Owner/Change controller: [email protected]
Note: Compare with the GSSAPI and GSS-SPNEGO mechanisms. Note: Compare with the GSSAPI and GSS-SPNEGO mechanisms.
14. Security Considerations 16. Security Considerations
The security provided by GS2 depends on the security provided by the
GSS-API mechanism. If the mechanism do not provide integrity
protection, the authorization identity can be replaced by a man in
the middle, and channel bindings and security layers cannot be
negotiated. Therefor, it is generally recommended against using any
GSS-API mechanism widely on the Internet that do not support
integrity.
Because the negotiation of a particular GSS-API mechanism may be done
in the clear, it is important for the GSS-API mechanisms to be
designed such that an active attacker cannot obtain an authentication
with weaker security properties by modifying the challenges and
responses. This is a generic design critera for the GSS-API
mechanisms used under GS2.
GS2 permits channel binding negotiation to fail. Implementation may Security issues are also discussed throughout this memo.
have a local policy to reject authentication attempts in this case.
When a server or client supports multiple GSS-API mechanisms, each of The security provided by a GS2 mechanism depends on the security of
which has a different security strength, it is possible for an active the GSS-API mechanism. The GS2 mechanism family depends on channel
attacker to cause a party to use the least secure mechanism binding support, so GSS-API mechanisms that do not support channel
supported. This problem and a solution is discussed in section 6.1.2 binding cannot be successfully used as SASL mechanisms via the GS2
of [RFC4422], but some additional methods to mitigate the problem bridge.
include:
1. Use of an integrity protected transport, such as TLS [RFC4346]. Because GS2 does not support security layers it is strongly
To protect against certain tunnel attacks [mitm], channel RECOMMENDED that channel binding to a secure external channel be
bindings need to be used. used. Successful channel binding eliminates the possibility of man-
in-the-middle (MITM) attacks, provided that the external channel and
its channel binding data are secure and provided that the GSS-API
mechanism used is secure. Authentication failure because of channel
binding failure may indicate that an MITM attack was attempted, but
note that a real MITM attacker would likely attempt to close the
connection to the client or simulate network partition , thus MITM
attack detection is heuristic.
2. A client or server which supports mechanisms of different Use of channel binding will also protect the SASL mechanism
strengths should have a configurable minimum strength that it negotiation -- if there is no MITM then the external secure channel
will use. It is not sufficient for this minimum strength check will have protected the SASL mechanism negotiation.
to only be on the server, since an active attacker can change
which mechanisms the client sees as being supported, causing the
client to send authentication credentials for its weakest
supported mechanism. This solution, however, is not guaranteed
to lead to the most secure mechanism supported by both parties,
and is therefor only recommended as an additional precaution.
The channel binding is sent without privacy protection and knowledge The channel binding data MAY be sent (byt the actual GSS-API
of it is assumed to provide no advantage to an attacker. This is a mechanism used) without confidentiality protection and knowledge of
property that has to be considered when specifying channel bindings it is assumed to provide no advantage to an MITM (who can, in any
for a security protocol that will be used with GS2. case, compute the channel binding data independently). If the
external channel does not provide confidentiality protection and the
GSS-API mechanism does not provide confidentiality protection for the
channel binding data, then passive attackers (eavesdroppers) can
recover the channel binding data. See [RFC5056].
When constructing the input_name_string, the client should not When constructing the input_name_string for GSS_Import_name() with
the GSS_C_NT_HOSTBASED_SERVICE name type, the client SHOULD NOT
canonicalize the server's fully qualified domain name using an canonicalize the server's fully qualified domain name using an
insecure or untrusted directory service, such as the Domain Name insecure or untrusted directory service, such as the Domain Name
System [RFC1034] without DNSSEC [RFC4033]. System [RFC1034] without DNSSEC [RFC4033].
The GS2 protocol hard code the SHA-1 algorithm for computing the GS2 does not directly use any cryptographic algorithms, therefore it
mechanism names. It is not possible to negotiate another hash is automatically "algorithm agile", or, as agile as the GSS-API
algorithm. However, no traditional cryptographic hash properties mechanisms that are available for use in SASL apoplications via GS2.
(such as collision resistance or pre-image resistance) are required
nor assumed. The required and assumed property is that it is
statistically unlikely that two different DER-encoded OID's share the
same first 10 octets of the SHA-1 value. It is possible to
practically confirm that the SHA-1 algorithm has the necessary
property, by testing many different inputs.
Additional security considerations are in the SASL and GSSAPI The security considerations of SASL [RFC4422], the GSS-API [RFC2743],
specifications. Additional security considerations for the Kerberos channel binding [RFC5056], any external channels (such as TLS,
V5 GSSAPI mechanism can be found in [RFC1964]. We stress that [RFC5246], channel binding types (see the IANA channel binding type
service names should not be canonicalized using an unsecured registry), and GSS-API mechanisms (such as the Kerberos V mechanism
directory service such as the DNS without DNSSEC. Security issues [RFC4121] [RFC1964]), may also apply.
are also discussed throughout this memo.
15. Acknowledgements 17. Acknowledgements
The history of GS2 can be traced to the GSSAPI mechanism described in The history of GS2 can be traced to the "GSSAPI" mechanism originally
RFC 2222. The GSSAPI mechanism had some drawbacks, which created a specified by RFC2222. This document was derived from
need for an improved version. This document was derived from
draft-ietf-sasl-gssapi-02 which was prepared by Alexey Melnikov with draft-ietf-sasl-gssapi-02 which was prepared by Alexey Melnikov with
significant contributions from John G. Myers, although the majority significant contributions from John G. Myers, although the majority
of this document has been rewritten by the current author. of this document has been rewritten by the current authors.
Contributions of many members of the SASL mailing list are gratefully Contributions of many members of the SASL mailing list are gratefully
acknowledged. In particular, ideas and feedback from Sam Hartman, acknowledged. In particular, ideas and feedback from Sam Hartman,
Jeffrey Hutzelman, Alexey Melnikov, Nicolas Williams, and Tom Yu Jeffrey Hutzelman, Alexey Melnikov, and Tom Yu improved the document
improved the document and the protocol. and the protocol.
16. References 18. References
16.1. Normative References 18.1. Normative References
[FIPS.180-1.1995]
National Institute of Standards and Technology, "Secure
Hash Standard", FIPS PUB 180-1, April 1995,
<http://www.itl.nist.gov/fipspubs/fip180-1.htm>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4422] Melnikov, A. and K. Zeilenga, "Simple Authentication and
Security Layer (SASL)", RFC 4422, June 2006.
[RFC2743] Linn, J., "Generic Security Service Application Program [RFC2743] Linn, J., "Generic Security Service Application Program
Interface Version 2, Update 1", RFC 2743, January 2000. Interface Version 2, Update 1", RFC 2743, January 2000.
[FIPS.180-1.1995]
National Institute of Standards and Technology, "Secure
Hash Standard", FIPS PUB 180-1, April 1995,
<http://www.itl.nist.gov/fipspubs/fip180-1.htm>.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, November 2003. 10646", STD 63, RFC 3629, November 2003.
[RFC4422] Melnikov, A. and K. Zeilenga, "Simple Authentication and
Security Layer (SASL)", RFC 4422, June 2006.
[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 4648, October 2006. Encodings", RFC 4648, October 2006.
[ITU.X690.1994]
International Telecommunications Union, "Information
Technology - ASN.1 encoding rules: Specification of Basic
Encoding Rules (BER), Canonical Encoding Rules (CER) and
Distinguished Encoding Rules (DER)", ITU-T Recommendation
X.690, 1994.
[RFC5056] Williams, N., "On the Use of Channel Bindings to Secure [RFC5056] Williams, N., "On the Use of Channel Bindings to Secure
Channels", RFC 5056, November 2007. Channels", RFC 5056, November 2007.
16.2. Informative References [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, RFC 5234, January 2008.
[CCITT.X690.2002]
International International Telephone and Telegraph
Consultative Committee, "ASN.1 encoding rules:
Specification of basic encoding Rules (BER), Canonical
encoding rules (CER) and Distinguished encoding rules
(DER)", CCITT Recommendation X.690, July 2002.
18.2. Informative References
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, November 1987. STD 13, RFC 1034, November 1987.
[RFC1964] Linn, J., "The Kerberos Version 5 GSS-API Mechanism", [RFC1964] Linn, J., "The Kerberos Version 5 GSS-API Mechanism",
RFC 1964, June 1996. RFC 1964, June 1996.
[RFC2025] Adams, C., "The Simple Public-Key GSS-API Mechanism
(SPKM)", RFC 2025, October 1996.
[RFC2222] Myers, J., "Simple Authentication and Security Layer
(SASL)", RFC 2222, October 1997.
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements",
RFC 4033, March 2005.
[RFC4121] Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos
Version 5 Generic Security Service Application Program
Interface (GSS-API) Mechanism: Version 2", RFC 4121,
July 2005.
[RFC4178] Zhu, L., Leach, P., Jaganathan, K., and W. Ingersoll, "The [RFC4178] Zhu, L., Leach, P., Jaganathan, K., and W. Ingersoll, "The
Simple and Protected Generic Security Service Application Simple and Protected Generic Security Service Application
Program Interface (GSS-API) Negotiation Mechanism", Program Interface (GSS-API) Negotiation Mechanism",
RFC 4178, October 2005. RFC 4178, October 2005.
[RFC4752] Melnikov, A., "The Kerberos V5 ("GSSAPI") Simple [RFC4752] Melnikov, A., "The Kerberos V5 ("GSSAPI") Simple
Authentication and Security Layer (SASL) Mechanism", Authentication and Security Layer (SASL) Mechanism",
RFC 4752, November 2006. RFC 4752, November 2006.
[RFC2025] Adams, C., "The Simple Public-Key GSS-API Mechanism [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(SPKM)", RFC 2025, October 1996. (TLS) Protocol Version 1.2", RFC 5246, August 2008.
[RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.1", RFC 4346, April 2006.
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements",
RFC 4033, March 2005.
[I-D.altman-tls-channel-bindings] [I-D.newman-auth-scram]
Altman, J. and N. Williams, "On the Use of Channel Menon-Sen, A., Melnikov, A., and C. Newman, "Salted
Bindings to Secure Channels", Challenge Response (SCRAM) SASL Mechanism",
draft-altman-tls-channel-bindings-01 (work in progress), draft-newman-auth-scram-10 (work in progress),
December 2006. February 2009.
[I-D.ietf-kitten-extended-mech-inquiry] [I-D.ietf-kitten-extended-mech-inquiry]
Williams, N., "Extended Generic Security Service Mechanism Williams, N., "Extended Generic Security Service Mechanism
Inquiry APIs", draft-ietf-kitten-extended-mech-inquiry-02 Inquiry APIs", draft-ietf-kitten-extended-mech-inquiry-04
(work in progress), June 2006. (work in progress), March 2008.
[mitm] Asokan, N., Niemi, V., and K. Nyberg, "Man-in-the-Middle [mitm] Asokan, N., Niemi, V., and K. Nyberg, "Man-in-the-Middle
in Tunneled Authentication", in Tunneled Authentication",
WWW http://www.saunalahti.fi/~asokan/research/mitm.html. WWW http://www.saunalahti.fi/~asokan/research/mitm.html.
Author's Address Authors' Addresses
Simon Josefsson Simon Josefsson
SJD AB
Hagagatan 24
Stockholm 113 47
SE
Email: [email protected] Email: [email protected]
URI: http://josefsson.org/
Nicolas Williams
Sun Microsystems
5300 Riata Trace Ct
Austin, TX 78727
USA
Full Copyright Statement Email: [email protected]
Copyright (C) The IETF Trust (2008).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
[email protected].
 End of changes. 150 change blocks. 
795 lines changed or deleted 540 lines changed or added

This html diff was produced by rfcdiff 1.29, available from http://www.levkowetz.com/ietf/tools/rfcdiff/