| blob | 2058070007ea2cfbf0ee937bb216f54c91e751df |
4 NETWORK WORKING GROUP N. Williams
5 Internet-Draft Sun
6 Expires: April 17, 2006 October 14, 2005
9 GSS-API Naming Extensions
10 draft-ietf-kitten-gssapi-naming-exts-01.txt
12 Status of this Memo
14 By submitting this Internet-Draft, each author represents that any
15 applicable patent or other IPR claims of which he or she is aware
16 have been or will be disclosed, and any of which he or she becomes
17 aware will be disclosed, in accordance with Section 6 of BCP 79.
19 Internet-Drafts are working documents of the Internet Engineering
20 Task Force (IETF), its areas, and its working groups. Note that
21 other groups may also distribute working documents as Internet-
22 Drafts.
24 Internet-Drafts are draft documents valid for a maximum of six months
25 and may be updated, replaced, or obsoleted by other documents at any
26 time. It is inappropriate to use Internet-Drafts as reference
27 material or to cite them other than as "work in progress."
29 The list of current Internet-Drafts can be accessed at
30 http://www.ietf.org/ietf/1id-abstracts.txt.
32 The list of Internet-Draft Shadow Directories can be accessed at
33 http://www.ietf.org/shadow.html.
35 This Internet-Draft will expire on April 17, 2006.
37 Copyright Notice
39 Copyright (C) The Internet Society (2005).
41 Abstract
43 The Generic Security Services API (GSS-API) provides a simple naming
44 architecture that supports name-based authorization. This document
45 introduces new APIs that extend the GSS-API naming and authorization
46 model.
55 Williams Expires April 17, 2006 [Page 1]
56 \f
57 Internet-Draft GSS-API Naming Extensions October 2005
60 Table of Contents
62 1. Conventions used in this document . . . . . . . . . . . . 3
63 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . 3
64 3. Name Attribute Sources and Criticality . . . . . . . . . . 3
65 4. Name Attributes/Values as ACL Subjects . . . . . . . . . . 4
66 5. Mapping Mechanism Facilities to Name Attributes . . . . . 4
67 5.1. Kerberos V and SPKM Authorization-Data . . . . . . . . . . 4
68 5.2. Kerberos V Cross-Realm Transit Paths . . . . . . . . . . . 5
69 5.3. PKIX Certificate Extensions . . . . . . . . . . . . . . . 5
70 5.3.1. PKIX EKUs . . . . . . . . . . . . . . . . . . . . . . . . 6
71 5.3.2. PKIX Certificate Alternative Names . . . . . . . . . . . . 6
72 5.3.3. Other PKIX Certificate Extensions and Attributes . . . . . 6
73 5.4. PKIX Certificate CA Paths and Trust Anchors . . . . . . . 6
74 6. GSS_Inquire_name_attribute() . . . . . . . . . . . . . . . 6
75 6.1. C-Bindings . . . . . . . . . . . . . . . . . . . . . . . . 7
76 7. GSS_Display_name_ext() . . . . . . . . . . . . . . . . . . 8
77 7.1. C-Bindings . . . . . . . . . . . . . . . . . . . . . . . . 8
78 8. GSS_Inquire_name() . . . . . . . . . . . . . . . . . . . . 9
79 8.1. C-Bindings . . . . . . . . . . . . . . . . . . . . . . . . 9
80 9. GSS_Get_name_attribute() . . . . . . . . . . . . . . . . . 10
81 9.1. C-Bindings . . . . . . . . . . . . . . . . . . . . . . . . 11
82 10. GSS_Set_name_attribute() . . . . . . . . . . . . . . . . . 11
83 10.1. C-Bindings . . . . . . . . . . . . . . . . . . . . . . . . 12
84 11. GSS_Delete_name_attribute() . . . . . . . . . . . . . . . 12
85 11.1. C-Bindings . . . . . . . . . . . . . . . . . . . . . . . . 13
86 12. GSS_Export_name_composite() . . . . . . . . . . . . . . . 13
87 12.1. C-Bindings . . . . . . . . . . . . . . . . . . . . . . . . 14
88 13. GSS_Map_name_to_any() . . . . . . . . . . . . . . . . . . 14
89 13.1. C-Bindings . . . . . . . . . . . . . . . . . . . . . . . . 15
90 14. GSS_Release_any_name_mapping() . . . . . . . . . . . . . . 15
91 14.1. C-Bindings . . . . . . . . . . . . . . . . . . . . . . . . 16
92 15. IANA Considerations . . . . . . . . . . . . . . . . . . . 16
93 16. Security Considerations . . . . . . . . . . . . . . . . . 17
94 17. Normative References . . . . . . . . . . . . . . . . . . . 17
95 Author's Address . . . . . . . . . . . . . . . . . . . . . 18
96 Intellectual Property and Copyright Statements . . . . . . 19
111 Williams Expires April 17, 2006 [Page 2]
112 \f
113 Internet-Draft GSS-API Naming Extensions October 2005
116 1. Conventions used in this document
118 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
119 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
120 document are to be interpreted as described in [RFC2119].
123 2. Introduction
125 As described in [I-D.GSS-NAMING] the GSS-API's naming architecture
126 suffers from certain limitations. This document proposes concrete
127 GSS-API extensions as outlined in [I-D.GSS-NAMING].
129 A number of extensions to the GSS-API [RFC2743] and its C Bindings
130 [RFC2744] are described herein with the goal of making authorization
131 information, and other information that can be modelled as "name
132 attributes" available as such to applications. For example, Kerberos
133 V authorization data elements, both, in their raw forms as well as
134 mapped to more useful value types, can be made available to GSS-API
135 applications through these interfaces.
137 The model is that GSS names have attributes. The attributes of a
138 name may be authenticated by the credential whence the name comes, or
139 may have been set locally on a GSS name for the purpose of
140 "asserting" the attribute during credential acquisition or security
141 context exchange. Name attributes' values are network
142 representations thereof (e.g., the actual value octets of the
143 contents of an X.509 certificate extension, for example) and are
144 intended to be useful for constructing portable access control
145 facilities. Applications may often require language- or platform-
146 specific data types, rather than network representations of name
147 attributes, so a function is provided to obtain objects of such types
148 associated with names and name attributes.
151 3. Name Attribute Sources and Criticality
153 A given GSS name object's name attributes may be authenticated or
154 asserted by an associated credential, or it may be mapped or derived
155 from another attribute of the same name.
157 That a given name's given attribute is 'mapped' means that it was
158 obtained through some mapping mechanism applied to another attribute
159 of the name that was not, itself, mapped. For example, such
160 attributes as platform-specific internal identifiers may sometimes be
161 mapped from other name attributes.
163 Name attributes may be "critical," meaning that applications that do
167 Williams Expires April 17, 2006 [Page 3]
168 \f
169 Internet-Draft GSS-API Naming Extensions October 2005
172 not understand them MUST reject security contexts where the peer has
173 such unknown, critical attributes.
176 4. Name Attributes/Values as ACL Subjects
178 Some name attributes (e.g., numeric user or group identifiers) may be
179 useful as subjects of access control list (ACL) entries, some may not
180 (e.g., time of day login restrictions). The
181 GSS_Inquire_name_attribute() function indicates this.
183 To facilitate the development of portable applications that make use
184 of name attributes to construct and evaluate portable ACLs the GSS-
185 API makes name attribute values available in canonical network
186 encodings thereof.
188 To facilitate the development of platform- or language-specific
189 applications that need access to native types of representations of
190 name attributes an optional facility is provided,
191 GSS_Map_name_to_any().
194 5. Mapping Mechanism Facilities to Name Attributes
196 [NOTE: This entire section should probably be split into one or more
197 separate Internet-Drafts. It is here in the -00 of this I-D to help
198 readers understand how to mechanism-specific name attributes would be
199 accessed through these GSS-API extensions.]
201 Kerberos V [I-D.ietf-krb-wg-kerberos-clarifications] and the Simple
202 Public-Key GSS-API Mechanism, SPKM [RFC2025], both support the
203 concept and encoding of containers of "authorization-data" as
204 described in [I-D.ietf-krb-wg-kerberos-clarifications].
206 PKIX [RFC3280] supports a number of authorization-data-like features,
207 like Extended Key Usage values (EKUs) and certificate extensions.
209 The authorization data can be accessed through the GSS-API name
210 attributes facility defined herein.
212 5.1. Kerberos V and SPKM Authorization-Data
214 Authorization-data non-container elements asserted in Kerberos V AP-
215 REQ Authenticators MUST be mapped into *asserted* GSS-API name
216 attributes; if not contained in AD-IF-RELEVANT then they MUST be
217 mapped into *critical* GSS-API name attributes. AD-AND-OR
218 authorization-data elements MUST be mapped into a single *critical*
219 attribute, (TBD).
223 Williams Expires April 17, 2006 [Page 4]
224 \f
225 Internet-Draft GSS-API Naming Extensions October 2005
228 Authorization-data included in Kerberos V Tickets that is not
229 contained in AD-KDCIssued (with valid signature) MUST be mapped into
230 *asserted* GSS-API name attributes. Conversely, authorization-data
231 elements in Kerberos V Tickets contained by AD-KDCIssued MUST be
232 mapped into *authenticated* GSS-API name attributes
234 As with authorization-data elements in Authenticators, authorization-
235 data elements in Tickets not contained in AD-IF-RELEVANT are to be
236 mapped to *critical* name attributes, and similarly with AD-AND-OR
237 (see above).
239 The OIDs for authorization-data elements are to be the authorization-
240 data element's 'ad-type' integer ID, relative to the base OID <TBD>
241 [NOTE: what about negative ad-type's? OID arcs are positive
242 integers... ad-type is an Int32, so clearly something can be done.]
244 5.2. Kerberos V Cross-Realm Transit Paths
246 [Add text on how to represent/encode/interpret krb5 realm transit
247 paths as name attribute values. And text on PKINIT too... Basically
248 Ticket's 'transited' field should be exposed as an authenticated name
249 attribute, with some uncompressed encoding, possibly encompassing
250 certificate validation paths of client certs used for PKINIT, with
251 criticality determined by the presence of the transit-policy-checked
252 flag.]
254 5.3. PKIX Certificate Extensions
256 [NOTE: In the Kerberos V authorization-data case we can tell when AD
257 elements are "authenticated" and when the are asserted, but what
258 about x.509 certificate extensions? Clearly KU, EKUs and
259 subjectAltNames are authenticated in that no CA should sign a cert
260 with, say, arbitrary subjectAltNames not understood by the CA, but,
261 does that also apply to all other x.509 certificate extensions? The
262 answer may depend on actual CA operator practices... At worst a new
263 extension may be needed, like Kerberos V's AD-KDCIssued AD container
264 element; at best this text can just say "all cert extensions MUST be
265 mapped to authenticated..." below.]
267 PKI certificate extensions MAY/SHOULD/MUST (see comment above) be
268 mapped to *authenticated* GSS-API name attributes with the _same_
269 OIDs, and if they be marked critical in the certificate then they
270 MUST be mapped as *critical* GSS-API name attributes.
271 SubjectAltNames and EKUs, specifically, MUST be mapped to
272 *authenticated* GSS-API name attributes; see below. Certificate
273 extensions MUST be mapped to GSS-API name attributes whose OIDs are
274 the same as the extensions'
279 Williams Expires April 17, 2006 [Page 5]
280 \f
281 Internet-Draft GSS-API Naming Extensions October 2005
284 5.3.1. PKIX EKUs
286 Extended Key Usage extensions, specifically, MUST be mapped as
287 described above, except that GSS-API name attributes for EKUs MUST
288 have NULL values (i.e., zero-length OCTET STRINGs).
290 PKI certificate key usages (KUs, but not EKUs), MUST NOT be mapped to
291 GSS-API name attributes.
293 5.3.2. PKIX Certificate Alternative Names
295 PKI certificate subjectAltNames MUST be mapped as *authenticated*,
296 *non-critical* GSS-API name attributes.
298 PKI certificate extensions MUST be mapped to *authenticated* GSS-API
299 name attributes with the _same_ OIDs, and if they be marked critical
300 in the certificate then they MUST be mapped as *critical* GSS-API
301 name attributes.
303 Extended Key Usage extensions, specifically, MUST be mapped as
304 described above, except that GSS-API name attributes for EKUs MUST
305 have NULL values (i.e., zero-length OCTET STRINGs).
307 5.3.3. Other PKIX Certificate Extensions and Attributes
309 [Add text...]
311 5.4. PKIX Certificate CA Paths and Trust Anchors
313 [Add text on how to represent/encode/interpret PKI certificate
314 validation CA paths as name attribute values, much as with Kerberos V
315 transited paths.]
318 6. GSS_Inquire_name_attribute()
320 [NOTE: This function was somewhat controversial at IETF63; we should
321 decide whether to remove it at IETF64. The controversy was, as I
322 recall over whether reflection functionality might not be dangerous,
323 leading to construction of inappropriate ACLs through dumb UIs. For
324 now I am making some changes to it: adding a NAME object as an input
325 parameter and some output parameters.]
327 Inputs:
330 o name NAME
335 Williams Expires April 17, 2006 [Page 6]
336 \f
337 Internet-Draft GSS-API Naming Extensions October 2005
340 o attr OBJECT IDENTIFIER
342 Outputs:
345 o major_status INTEGER,
347 o minor_status INTEGER,
349 o attr_name OCTET STRING, -- display name of the attribute
351 o attr_description OCTET STRING, -- description of the attribute
353 o attr_values_ordered BOOLEAN, -- whether the attribute's values are
354 an ordered set
356 o attr_is_a_name BOOLEAN, -- whether the attribute's values can be
357 used as subjects of access control list entries
359 o attr_is_trust_indicator BOOLEAN -- whether the attribute's values
360 represent nodes in trust paths
362 Return major_status codes:
364 o GSS_S_COMPLETE indicates no error.
366 o GSS_S_UNAVAILABLE indicates that the given attribute OID is not
367 known (even if present as a name's attribute).
369 o GSS_S_FAILURE indicates a general error.
371 This function outputs a name for the given name attribute,
372 description for display to users, and indicates whether the
373 attribute's values are ordered sets, whether the given name
374 attribute's values are useful as the subject of an access control
375 list entry and/or whether the given name attribute's values are
376 useful as indicators of trust (for example, whether they name PKIX
377 trust anchors).
379 6.1. C-Bindings
381 OM_uint32 gss_inquire_name_attribute(
382 OM_uint32 *minor_status,
383 gss_name_t name,
384 gss_OID attr,
385 gss_buffer_t attr_name,
386 gss_buffer_t attr_description,
387 int attr_values_ordered,
391 Williams Expires April 17, 2006 [Page 7]
392 \f
393 Internet-Draft GSS-API Naming Extensions October 2005
396 int *attr_is_a_name,
397 int *attr_is_trust_indicator
398 );
401 7. GSS_Display_name_ext()
403 Inputs:
406 o name NAME,
408 o display_as_name_type OBJECT IDENTIFIER
410 Outputs:
413 o major_status INTEGER,
415 o minor_status INTEGER,
417 o display_name STRING
419 Return major_status codes:
421 o GSS_S_COMPLETE indicates no error.
423 o GSS_S_UNAVAILABLE indicates that the given name could not be
424 displayed using the syntax of the given name type.
426 o GSS_S_FAILURE indicates a general error.
428 This function displays a given name using the given name syntax, if
429 possible. This operation may require mapping MNs to generic name
430 syntaxes or generic name syntaxes to mechanism-specific name
431 syntaxes; such mappings may not always be feasible and MAY be inexact
432 or lossy.
434 7.1. C-Bindings
436 OM_uint32 GSS_Display_name_ext(
437 OM_uint32 *minor_status,
438 gss_name_t name,
439 gss_OID display_as_name_type,
440 gss_buffer_t display_name
441 );
447 Williams Expires April 17, 2006 [Page 8]
448 \f
449 Internet-Draft GSS-API Naming Extensions October 2005
452 8. GSS_Inquire_name()
454 Inputs:
457 o name NAME
459 Outputs:
462 o major_status INTEGER,
464 o minor_status INTEGER,
466 o name_is_MN BOOLEAN,
468 o mn_mech OBJECT IDENTIFIER,
470 o asserted_attrs SET OF OBJECT IDENTIFIER,
472 o authenticated_attrs SET OF OBJECT IDENTIFIER,
474 o critical_attrs SET OF OBJECT IDENTIFIER,
476 o all_attrs SET OF OBJECT IDENTIFIER,
478 o [NOTE: Perhaps this function should also output an indicator as to
479 the provenance of the name, of which, in the GSS-API, there are
480 three: imported, inquired from a credential, and a peer's name
481 inquired from a security context.]
483 Return major_status codes:
485 o GSS_S_COMPLETE indicates no error.
487 o GSS_S_FAILURE indicates a general error.
489 This function outputs the sets of attributes of a name, that are
490 authenticated, asserted or critical. It also indicates if a given
491 NAME is an MN or not and, if it is, what mechanism it's an MN of.
493 8.1. C-Bindings
495 OM_uint32 gss_inquire_name(
496 OM_uint32 *minor_status,
497 gss_name_t name,
498 int name_is_MN,
499 gss_OID *MN_mech,
503 Williams Expires April 17, 2006 [Page 9]
504 \f
505 Internet-Draft GSS-API Naming Extensions October 2005
508 gss_OID_set *authenticated,
509 gss_OID_set *asserted,
510 gss_OID_set *critical,
511 gss_OID_set *all_attrs
512 );
515 9. GSS_Get_name_attribute()
517 Inputs:
520 o name NAME,
522 o attr OBJECT IDENTIFIER
524 Outputs:
527 o major_status INTEGER,
529 o minor_status INTEGER,
531 o authenticated BOOLEAN, -- FALSE if asserted but not authenticated
532 by a trusted entity
534 o negative BOOLEAN,
536 o mapped BOOLEAN,
538 o critical BOOLEAN,
540 o values SET OF OCTET STRING,
542 o display_values SET OF STRING
544 Return major_status codes:
546 o GSS_S_COMPLETE indicates no error.
548 o GSS_S_UNAVAILABLE indicates that the given attribute OID is not
549 known or set.
551 o GSS_S_FAILURE indicates a general error.
553 This function outputs the value(s) associated with a given GSS name
554 object for a given name attribute.
559 Williams Expires April 17, 2006 [Page 10]
560 \f
561 Internet-Draft GSS-API Naming Extensions October 2005
564 NOTE: This function relies on the GSS-API notion of "SET OF" allowing
565 for order preservation; this has been discussed on the KITTEN WG
566 mailing list and the consensus seems to be that, indeed, that was
567 always the intention.
569 9.1. C-Bindings
571 The C-bindings of GSS_Get_name_attribute() requires one function call
572 per-attribute value, for multi-valued name attributes. This is done
573 by using a single gss_buffer_t for each value and an input/output
574 integer parameter to distinguish initial and subsequent calls and to
575 indicate when all values have been obtained.
577 The 'more' input/output parameter should point to an integer variable
578 whose value, on first call to gss_name_attribute_get() MUST be -1,
579 and whose value upon function call return will be non-zero to
580 indicate that additional values remain, or zero to indicate that no
581 values remain. The caller should not modify this parameter after the
582 initial call.
584 OM_uint32 gss_get_name_attribute(
585 OM_uint32 *minor_status,
586 gss_name_t name,
587 gss_OID attr,
588 int *authenticated,
589 int *negative,
590 int *mapped,
591 int *critical,
592 gss_buffer_t value,
593 gss_buffer_t display_value,
594 int *more
595 );
598 10. GSS_Set_name_attribute()
600 Inputs:
603 o name NAME,
605 o critical BOOLEAN,
607 o negative BOOLEAN,
609 o attr OBJECT IDENTIFIER,
611 o values SET OF OCTET STRING
615 Williams Expires April 17, 2006 [Page 11]
616 \f
617 Internet-Draft GSS-API Naming Extensions October 2005
620 Outputs:
623 o major_status INTEGER,
625 o minor_status INTEGER
627 Return major_status codes:
629 o GSS_S_COMPLETE indicates no error.
631 o GSS_S_UNAVAILABLE indicates that the given attribute OID is not
632 known or could not be set.
634 o GSS_S_FAILURE indicates a general error.
636 NOTE: This function relies on the GSS-API notion of "SET OF" allowing
637 for order preservation; this has been discussed on the KITTEN WG
638 mailing list and the consensus seems to be that, indeed, that was
639 always the intention.
641 10.1. C-Bindings
643 The C-bindings of GSS_Set_name_attribute() requires one function call
644 per-attribute value, for multi-valued name attributes -- each call
645 adds one value. To replace an attribute's every value delete the
646 attribute's values first with GSS_Delete_name_attribute().
648 OM_uint32 gss_set_name_attribute(
649 OM_uint32 *minor_status,
650 gss_name_t name,
651 int critical,
652 int negative,
653 gss_OID attr,
654 gss_buffer_t value
655 );
658 11. GSS_Delete_name_attribute()
660 Inputs:
663 o name NAME,
665 o attr OBJECT IDENTIFIER,
667 Outputs:
671 Williams Expires April 17, 2006 [Page 12]
672 \f
673 Internet-Draft GSS-API Naming Extensions October 2005
676 o major_status INTEGER,
678 o minor_status INTEGER
680 Return major_status codes:
682 o GSS_S_COMPLETE indicates no error.
684 o GSS_S_UNAVAILABLE indicates that the given attribute OID is not
685 known.
687 o GSS_S_FAILURE indicates a general error.
689 Deletion of negative authenticated attributes from NAME objects MUST
690 NOT be allowed. [Do we need a new major status code for "permission
691 denied"?]
693 11.1. C-Bindings
695 OM_uint32 gss_delete_name_attribute(
696 OM_uint32 *minor_status,
697 gss_name_t name,
698 gss_OID attr
699 );
702 12. GSS_Export_name_composite()
704 Inputs:
707 o name NAME
709 Outputs:
712 o major_status INTEGER,
714 o minor_status INTEGER,
716 o exp_composite_name OCTET STRING
718 Return major_status codes:
720 o GSS_S_COMPLETE indicates no error.
722 o GSS_S_FAILURE indicates a general error.
727 Williams Expires April 17, 2006 [Page 13]
728 \f
729 Internet-Draft GSS-API Naming Extensions October 2005
732 This function outputs a token which can be imported with
733 GSS_Import_name(), using GSS_C_NT_COMPOSITE_EXPORT as the name type
734 and which preserves any name attribute information associated with
735 the input name (which GSS_Export_name() may well not). The token
736 format is no specified here as this facility is intended for inter-
737 process communication only; however, all such tokens MUST start with
738 a two-octet token ID, hex 04 02, in network byte order.
740 The OID for GSS_C_NT_COMPOSITE_EXPORT is <TBD>.
742 12.1. C-Bindings
744 OM_uint32 gss_export_name_composite(
745 OM_uint32 *minor_status,
746 gss_name_t name,
747 gss_buffer_t exp_composite_name
748 );
751 13. GSS_Map_name_to_any()
753 Inputs:
756 o name NAME,
758 o authenticated BOOLEAN, -- if TRUE no data will be output unless it
759 is authenticated
761 o type_id OBJECT IDENTIFIER
763 Outputs:
766 o major_status INTEGER,
768 o minor_status INTEGER,
770 o output ANY DEFINED BY type_id
772 Return major_status codes:
774 o GSS_S_COMPLETE indicates no error.
776 o GSS_S_UNAVAILABLE indicates that the mapping or conversion could
777 not be done. The minor status code may provide additional
778 information.
783 Williams Expires April 17, 2006 [Page 14]
784 \f
785 Internet-Draft GSS-API Naming Extensions October 2005
788 o GSS_S_FAILURE indicates a general error. The minor status code
789 may provide additional information.
791 Whereas name attribute's values are encoded in some network
792 representation applications often require native, language- and/or
793 platform-specific data types. This function provides access to such
794 types.
796 13.1. C-Bindings
798 typedef struct gss_any *gss_any_t;
799 OM_uint32 gss_map_name_to_any(
800 OM_uint32 *minor_status,
801 gss_name_t name,
802 int authenticated,
803 gss_OID type_id,
804 gss_any_t output
805 );
807 Note the new C bindings type, gss_any_t. We define it as a pointer
808 to an incompletely declared struct.
811 14. GSS_Release_any_name_mapping()
813 Inputs:
816 o name NAME,
818 o type_id OBJECT IDENTIFIER,
820 o input ANY DEFINED BY type_id
822 Outputs:
825 o major_status INTEGER,
827 o minor_status INTEGER,
829 Return major_status codes:
831 o GSS_S_COMPLETE indicates no error.
833 o GSS_S_UNAVAILABLE indicates that the mapping or conversion could
834 not be done. The minor status code may provide additional
835 information.
839 Williams Expires April 17, 2006 [Page 15]
840 \f
841 Internet-Draft GSS-API Naming Extensions October 2005
844 o GSS_S_FAILURE indicates a general error. The minor status code
845 may provide additional information.
847 This function releases, if possible, the objects of language- and/or
848 platform-specific types output by GSS_Map_name_to_any(). If such
849 types have native release functions applications MAY use either those
850 or this function to release the given object.
852 14.1. C-Bindings
854 typedef struct gss_any *gss_any_t;
855 OM_uint32 gss_release_any_name_mapping(
856 OM_uint32 *minor_status,
857 gss_name_t name,
858 gss_OID type_id,
859 gss_any_t *input
860 );
863 15. IANA Considerations
865 This document creates a namespace of GSS-API name attributes.
866 Attributes are named by OID, so no single authority might be needed
867 for allocation, however, in the interest of providing the community
868 with an authority for name attribute OID allocation and a way to find
869 the existing set of name attributes, the IANA should establish both,
870 a single OID off of which name attributes could be allocated, and a
871 registry of known GSS name attributes.
873 GSS-API name attribute registry entries should contain all the
874 information that GSS_Inquire_name_attribute() may return about the
875 given name attributes and their OIDs:
877 o a name attribute OID (this is a unique key)
879 o a name attribute symbolic name, starting with "GSS_C_NA_" (this is
880 a unique key)
882 o a brief description, in English
884 o whether the attribute is useful as the subject of access control
885 list entries
887 o whether the attribute is useful as an indicator of trust
889 o an optional normative reference to documentation for the given
890 name attribute
895 Williams Expires April 17, 2006 [Page 16]
896 \f
897 Internet-Draft GSS-API Naming Extensions October 2005
900 The allocation and registration policy should be first come, first
901 served. Registry entries' OIDs need not be based on the base OID
902 given above.
905 16. Security Considerations
907 <TBA>
909 [In particular, the status of a name attribute as "authenticated" vs.
910 "asserted" requires close review, particularly with respect to PKIX
911 certificate extensions.]
913 [Also, we need to work out the security considerations of (and
914 possibly remove) negative attributes.]
916 17. Normative References
918 [I-D.GSS-NAMING]
919 Hartman, S., "Desired Enhancements to GSSAPI Naming",
920 draft-ietf-kitten-gss-naming-01.txt (work in progress),
921 February 2005.
923 [I-D.ietf-krb-wg-kerberos-clarifications]
924 Neuman, C., "The Kerberos Network Authentication Service
925 (V5)", draft-ietf-krb-wg-kerberos-clarifications-07 (work
926 in progress), September 2004.
928 [RFC2025] Adams, C., "The Simple Public-Key GSS-API Mechanism
929 (SPKM)", RFC 2025, October 1996.
931 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
932 Requirement Levels", BCP 14, RFC 2119, March 1997.
934 [RFC2743] Linn, J., "Generic Security Service Application Program
935 Interface Version 2, Update 1", RFC 2743, January 2000.
937 [RFC2744] Wray, J., "Generic Security Service API Version 2 :
938 C-bindings", RFC 2744, January 2000.
940 [RFC3280] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet
941 X.509 Public Key Infrastructure Certificate and
942 Certificate Revocation List (CRL) Profile", RFC 3280,
943 April 2002.
951 Williams Expires April 17, 2006 [Page 17]
952 \f
953 Internet-Draft GSS-API Naming Extensions October 2005
956 Author's Address
958 Nicolas Williams
959 Sun Microsystems
960 5300 Riata Trace Ct
961 Austin, TX 78727
962 US
964 Email: Nicolas.Williams@sun.com
1007 Williams Expires April 17, 2006 [Page 18]
1008 \f
1009 Internet-Draft GSS-API Naming Extensions October 2005
1012 Intellectual Property Statement
1014 The IETF takes no position regarding the validity or scope of any
1015 Intellectual Property Rights or other rights that might be claimed to
1016 pertain to the implementation or use of the technology described in
1017 this document or the extent to which any license under such rights
1018 might or might not be available; nor does it represent that it has
1019 made any independent effort to identify any such rights. Information
1020 on the procedures with respect to rights in RFC documents can be
1021 found in BCP 78 and BCP 79.
1023 Copies of IPR disclosures made to the IETF Secretariat and any
1024 assurances of licenses to be made available, or the result of an
1025 attempt made to obtain a general license or permission for the use of
1026 such proprietary rights by implementers or users of this
1027 specification can be obtained from the IETF on-line IPR repository at
1028 http://www.ietf.org/ipr.
1030 The IETF invites any interested party to bring to its attention any
1031 copyrights, patents or patent applications, or other proprietary
1032 rights that may cover technology that may be required to implement
1033 this standard. Please address the information to the IETF at
1034 ietf-ipr@ietf.org.
1037 Disclaimer of Validity
1039 This document and the information contained herein are provided on an
1040 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
1041 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
1042 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
1043 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
1044 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
1045 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
1048 Copyright Statement
1050 Copyright (C) The Internet Society (2005). This document is subject
1051 to the rights, licenses and restrictions contained in BCP 78, and
1052 except as set forth therein, the authors retain all their rights.
1055 Acknowledgment
1057 Funding for the RFC Editor function is currently provided by the
1058 Internet Society.
1063 Williams Expires April 17, 2006 [Page 19]
1064 \f