NETWORK WORKING GROUP                                        N. Williams
Expires: April 17, 2006                                 October 14, 2005

GSS-API Naming Extensions
draft-ietf-kitten-gssapi-naming-exts-01.txt

By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

This Internet-Draft will expire on April 17, 2006.

Copyright (C) The Internet Society (2005).

The Generic Security Services API (GSS-API) provides a simple naming
architecture that supports name-based authorization. This document
introduces new APIs that extend the GSS-API naming and authorization

Williams                 Expires April 17, 2006                 [Page 1]

Internet-Draft          GSS-API Naming Extensions           October 2005

1. Conventions used in this document
2. Introduction
3. Name Attribute Sources and Criticality
4. Name Attributes/Values as ACL Subjects
5. Mapping Mechanism Facilities to Name Attributes
   5.1. Kerberos V and SPKM Authorization-Data
   5.2. Kerberos V Cross-Realm Transit Paths
   5.3. PKIX Certificate Extensions
      5.3.1. PKIX EKUs
      5.3.2. PKIX Certificate Alternative Names
      5.3.3. Other PKIX Certificate Extensions and Attributes
   5.4. PKIX Certificate CA Paths and Trust Anchors
6. GSS_Inquire_name_attribute()
   6.1. C-Bindings
7. GSS_Display_name_ext()
   7.1. C-Bindings
8. GSS_Inquire_name()
   8.1. C-Bindings
9. GSS_Get_name_attribute()
   9.1. C-Bindings
10. GSS_Set_name_attribute()
   10.1. C-Bindings
11. GSS_Delete_name_attribute()
   11.1. C-Bindings
12. GSS_Export_name_composite()
   12.1. C-Bindings
13. GSS_Map_name_to_any()
   13.1. C-Bindings
14. GSS_Release_any_name_mapping()
   14.1. C-Bindings
15. IANA Considerations
16. Security Considerations
17. Normative References
Author's Address
Intellectual Property and Copyright Statements

1. Conventions used in this document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].

2. Introduction

As described in [I-D.GSS-NAMING] the GSS-API's naming architecture
suffers from certain limitations. This document proposes concrete
GSS-API extensions as outlined in [I-D.GSS-NAMING].

A number of extensions to the GSS-API [RFC2743] and its C Bindings
[RFC2744] are described herein with the goal of making authorization
information, and other information that can be modelled as "name
attributes", available as such to applications. For example, Kerberos
V authorization data elements, both in their raw forms and
mapped to more useful value types, can be made available to GSS-API
applications through these interfaces.

The model is that GSS names have attributes. The attributes of a
name may be authenticated by the credential whence the name comes, or
may have been set locally on a GSS name for the purpose of
"asserting" the attribute during credential acquisition or security
context exchange. Name attributes' values are network
representations thereof (e.g., the actual value octets of the
contents of an X.509 certificate extension) and are
intended to be useful for constructing portable access control
facilities. Applications may often require language- or platform-
specific data types, rather than network representations of name
attributes, so a function is provided to obtain objects of such types
associated with names and name attributes.

3. Name Attribute Sources and Criticality

A given GSS name object's name attributes may be authenticated or
asserted by an associated credential, or it may be mapped or derived
from another attribute of the same name.

That a given name's given attribute is 'mapped' means that it was
obtained through some mapping mechanism applied to another attribute
of the name that was not, itself, mapped. For example, such
attributes as platform-specific internal identifiers may sometimes be
mapped from other name attributes.

Name attributes may be "critical," meaning that applications that do
not understand them MUST reject security contexts where the peer has
such unknown, critical attributes.

4. Name Attributes/Values as ACL Subjects

Some name attributes (e.g., numeric user or group identifiers) may be
useful as subjects of access control list (ACL) entries, some may not
(e.g., time of day login restrictions). The
GSS_Inquire_name_attribute() function indicates this.

To facilitate the development of portable applications that make use
of name attributes to construct and evaluate portable ACLs the GSS-
API makes name attribute values available in canonical network

To facilitate the development of platform- or language-specific
applications that need access to native types of representations of
name attributes an optional facility is provided,
GSS_Map_name_to_any().
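
The criticality rule of Section 3 and the use of a name attribute as an ACL subject, as an acceptor-side check. This is an added example, not code from the draft: the types and the functions check_peer_name() and demo() are hypothetical stand-ins, the OID byte strings are constructed placeholders, and requiring the ACL attribute to be authenticated is the example's own policy.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for gss_OID and gss_OID_set from the C bindings;
 * these type names are hypothetical and local to this example. */
struct oid     { size_t len; const unsigned char *bytes; };
struct oid_set { size_t count; const struct oid *elems; };

enum verdict {
    PEER_OK = 0,
    PEER_UNKNOWN_CRITICAL,    /* Section 3: the context MUST be rejected */
    PEER_ATTR_ABSENT,         /* the ACL's attribute is not on the name */
    PEER_ATTR_ONLY_ASSERTED   /* present, but not authenticated */
};

static int set_contains(const struct oid_set *s, const struct oid *o)
{
    for (size_t i = 0; i < s->count; i++)
        if (s->elems[i].len == o->len &&
            memcmp(s->elems[i].bytes, o->bytes, o->len) == 0)
            return 1;
    return 0;
}

/*
 * critical, authenticated and all_attrs model the sets that
 * GSS_Inquire_name() outputs for the peer's name; understood is the set of
 * attributes this application implements. Insisting that the ACL subject
 * attribute be authenticated is this example's policy, not a draft rule.
 */
enum verdict check_peer_name(const struct oid_set *critical,
                             const struct oid_set *authenticated,
                             const struct oid_set *all_attrs,
                             const struct oid_set *understood,
                             const struct oid *acl_attr)
{
    /* Criticality is checked first and for every critical attribute,
     * whether or not the application intends to use it. */
    for (size_t i = 0; i < critical->count; i++)
        if (!set_contains(understood, &critical->elems[i]))
            return PEER_UNKNOWN_CRITICAL;

    if (!set_contains(all_attrs, acl_attr))
        return PEER_ATTR_ABSENT;
    if (!set_contains(authenticated, acl_attr))
        return PEER_ATTR_ONLY_ASSERTED;
    return PEER_OK;
}

/* Constructed sample data: placeholder OID encodings, not registered OIDs. */
static const unsigned char GROUP_ID[]    = { 0x2a, 0x03, 0x01 };
static const unsigned char LOGIN_HOURS[] = { 0x2a, 0x03, 0x02 };
static const unsigned char UNKNOWN_EXT[] = { 0x2a, 0x03, 0x63 };
#define OID(a) { sizeof(a), (a) }

/* Evaluates a constructed peer name. has_unknown adds a critical attribute
 * the application does not implement; group_authn says whether the group
 * attribute was authenticated rather than merely asserted. */
enum verdict demo(int has_unknown, int group_authn)
{
    const struct oid group   = OID(GROUP_ID);
    const struct oid all[]   = { OID(GROUP_ID), OID(LOGIN_HOURS),
                                 OID(UNKNOWN_EXT) };
    const struct oid crit[]  = { OID(LOGIN_HOURS), OID(UNKNOWN_EXT) };
    const struct oid known[] = { OID(GROUP_ID), OID(LOGIN_HOURS) };
    const struct oid authn[] = { OID(LOGIN_HOURS), OID(GROUP_ID) };

    struct oid_set all_attrs     = { has_unknown ? 3u : 2u, all };
    struct oid_set critical      = { has_unknown ? 2u : 1u, crit };
    struct oid_set understood    = { 2, known };
    struct oid_set authenticated = { group_authn ? 2u : 1u, authn };

    return check_peer_name(&critical, &authenticated, &all_attrs,
                           &understood, &group);
}

int main(void)
{
    printf("%d %d %d\n", demo(0, 1), demo(1, 1), demo(0, 0));
    return 0;
}
```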

5. Mapping Mechanism Facilities to Name Attributes

[NOTE: This entire section should probably be split into one or more
separate Internet-Drafts. It is here in the -00 of this I-D to help
readers understand how mechanism-specific name attributes would be
accessed through these GSS-API extensions.]

Kerberos V [I-D.ietf-krb-wg-kerberos-clarifications] and the Simple
Public-Key GSS-API Mechanism, SPKM [RFC2025], both support the
concept and encoding of containers of "authorization-data" as
described in [I-D.ietf-krb-wg-kerberos-clarifications].

PKIX [RFC3280] supports a number of authorization-data-like features,
like Extended Key Usage values (EKUs) and certificate extensions.

The authorization data can be accessed through the GSS-API name
attributes facility defined herein.

5.1. Kerberos V and SPKM Authorization-Data

Authorization-data non-container elements asserted in Kerberos V AP-
REQ Authenticators MUST be mapped into *asserted* GSS-API name
attributes; if not contained in AD-IF-RELEVANT then they MUST be
mapped into *critical* GSS-API name attributes. AD-AND-OR
authorization-data elements MUST be mapped into a single *critical*

Authorization-data included in Kerberos V Tickets that is not
contained in AD-KDCIssued (with valid signature) MUST be mapped into
*asserted* GSS-API name attributes. Conversely, authorization-data
elements in Kerberos V Tickets contained by AD-KDCIssued MUST be
mapped into *authenticated* GSS-API name attributes.

As with authorization-data elements in Authenticators, authorization-
data elements in Tickets not contained in AD-IF-RELEVANT are to be
mapped to *critical* name attributes, and similarly with AD-AND-OR

The OIDs for authorization-data elements are to be the authorization-
data element's 'ad-type' integer ID, relative to the base OID <TBD>
[NOTE: what about negative ad-type's? OID arcs are positive
integers... ad-type is an Int32, so clearly something can be done.]
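
The container rules above, applied to a decoded authorization-data tree. This is an added example, not code from the draft or from any Kerberos implementation: the struct and function names are hypothetical, the ad-type values 9001 to 9004 are constructed placeholders, the AD-KDCIssued signature check is assumed to have been done elsewhere and is passed in as a flag, and AD-AND-OR is left out.

```c
#include <stddef.h>
#include <stdio.h>

/* Container ad-type values from the Kerberos V specification. */
enum { AD_IF_RELEVANT = 1, AD_KDC_ISSUED = 4 };

/* Flags on a mapped name attribute; no AUTHENTICATED bit means "asserted". */
enum { ATTR_AUTHENTICATED = 1, ATTR_CRITICAL = 2 };

/* Hypothetical in-memory form of one decoded authorization-data element. */
struct ad_elem {
    int ad_type;
    int sig_valid;                  /* AD-KDCIssued only: checksum verified? */
    const struct ad_elem *children; /* containers only */
    size_t nchildren;
};
struct name_attr { int ad_type; unsigned flags; };

static size_t walk(const struct ad_elem *e, size_t n, int from_ticket,
                   int optional, int kdc_signed,
                   struct name_attr *out, size_t cap, size_t used)
{
    for (size_t i = 0; i < n; i++) {
        if (e[i].ad_type == AD_IF_RELEVANT) {
            /* Everything inside this container is non-critical. */
            used = walk(e[i].children, e[i].nchildren, from_ticket,
                        1, kdc_signed, out, cap, used);
        } else if (e[i].ad_type == AD_KDC_ISSUED) {
            /* Only a validly signed container in a Ticket authenticates
             * its contents; in an Authenticator they stay asserted. */
            int ok = kdc_signed || (from_ticket && e[i].sig_valid);
            used = walk(e[i].children, e[i].nchildren, from_ticket,
                        optional, ok, out, cap, used);
        } else {
            if (used < cap) {
                out[used].ad_type = e[i].ad_type;
                out[used].flags = (kdc_signed ? ATTR_AUTHENTICATED : 0u)
                                | (optional ? 0u : ATTR_CRITICAL);
            }
            used++;
        }
    }
    return used;
}

/* Maps a decoded element list to name attributes. Returns how many
 * attributes the input yields; only the first cap are written to out. */
size_t map_authz_data(const struct ad_elem *e, size_t n, int from_ticket,
                      struct name_attr *out, size_t cap)
{
    return walk(e, n, from_ticket, 0, 0, out, cap, 0);
}

/* Constructed sample: 9001..9004 are placeholder ad-type values. */
static const struct ad_elem signed_kids[]   = { { 9001, 0, NULL, 0 } };
static const struct ad_elem relevant_kids[] = {
    { AD_KDC_ISSUED, 1, signed_kids, 1 },   /* valid KDC signature */
    { 9002, 0, NULL, 0 },
};
static const struct ad_elem unsigned_kids[] = { { 9004, 0, NULL, 0 } };
static const struct ad_elem sample[] = {
    { AD_IF_RELEVANT, 0, relevant_kids, 2 },
    { 9003, 0, NULL, 0 },
    { AD_KDC_ISSUED, 0, unsigned_kids, 1 }, /* signature did not verify */
};

/* Flags the sample yields for one ad-type, or ~0u if it is not present. */
unsigned sample_flags(int ad_type, int from_ticket)
{
    struct name_attr out[8];
    size_t n = map_authz_data(sample, 3, from_ticket, out, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        if (out[i].ad_type == ad_type)
            return out[i].flags;
    return ~0u;
}

int main(void)
{
    for (int t = 9001; t <= 9004; t++)
        printf("%d: %u %u\n", t, sample_flags(t, 1), sample_flags(t, 0));
    return 0;
}
```

The element under the container whose signature did not verify (9004) comes out asserted and critical, the same as if the container were not there.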

5.2. Kerberos V Cross-Realm Transit Paths

[Add text on how to represent/encode/interpret krb5 realm transit
paths as name attribute values. And text on PKINIT too... Basically
Ticket's 'transited' field should be exposed as an authenticated name
attribute, with some uncompressed encoding, possibly encompassing
certificate validation paths of client certs used for PKINIT, with
criticality determined by the presence of the transit-policy-checked

5.3. PKIX Certificate Extensions

[NOTE: In the Kerberos V authorization-data case we can tell when AD
elements are "authenticated" and when they are asserted, but what
about x.509 certificate extensions? Clearly KU, EKUs and
subjectAltNames are authenticated in that no CA should sign a cert
with, say, arbitrary subjectAltNames not understood by the CA, but,
does that also apply to all other x.509 certificate extensions? The
answer may depend on actual CA operator practices... At worst a new
extension may be needed, like Kerberos V's AD-KDCIssued AD container
element; at best this text can just say "all cert extensions MUST be
mapped to authenticated..." below.]

PKI certificate extensions MAY/SHOULD/MUST (see comment above) be
mapped to *authenticated* GSS-API name attributes with the _same_
OIDs, and if they be marked critical in the certificate then they
MUST be mapped as *critical* GSS-API name attributes.
SubjectAltNames and EKUs, specifically, MUST be mapped to
*authenticated* GSS-API name attributes; see below. Certificate
extensions MUST be mapped to GSS-API name attributes whose OIDs are
the same as the extensions'

5.3.1. PKIX EKUs

Extended Key Usage extensions, specifically, MUST be mapped as
described above, except that GSS-API name attributes for EKUs MUST
have NULL values (i.e., zero-length OCTET STRINGs).

PKI certificate key usages (KUs, but not EKUs), MUST NOT be mapped to
GSS-API name attributes.

5.3.2. PKIX Certificate Alternative Names

PKI certificate subjectAltNames MUST be mapped as *authenticated*,
*non-critical* GSS-API name attributes.

PKI certificate extensions MUST be mapped to *authenticated* GSS-API
name attributes with the _same_ OIDs, and if they be marked critical
in the certificate then they MUST be mapped as *critical* GSS-API

Extended Key Usage extensions, specifically, MUST be mapped as
described above, except that GSS-API name attributes for EKUs MUST
have NULL values (i.e., zero-length OCTET STRINGs).

5.3.3. Other PKIX Certificate Extensions and Attributes

5.4. PKIX Certificate CA Paths and Trust Anchors

[Add text on how to represent/encode/interpret PKI certificate
validation CA paths as name attribute values, much as with Kerberos V

6. GSS_Inquire_name_attribute()

[NOTE: This function was somewhat controversial at IETF63; we should
decide whether to remove it at IETF64. The controversy was, as I
recall, over whether reflection functionality might not be dangerous,
leading to construction of inappropriate ACLs through dumb UIs. For
now I am making some changes to it: adding a NAME object as an input
parameter and some output parameters.]

o attr OBJECT IDENTIFIER

o major_status INTEGER,

o minor_status INTEGER,

o attr_name OCTET STRING, -- display name of the attribute

o attr_description OCTET STRING, -- description of the attribute

o attr_values_ordered BOOLEAN, -- whether the attribute's values are

o attr_is_a_name BOOLEAN, -- whether the attribute's values can be
used as subjects of access control list entries

o attr_is_trust_indicator BOOLEAN -- whether the attribute's values
represent nodes in trust paths

Return major_status codes:

o GSS_S_COMPLETE indicates no error.

o GSS_S_UNAVAILABLE indicates that the given attribute OID is not
known (even if present as a name's attribute).

o GSS_S_FAILURE indicates a general error.

This function outputs a name for the given name attribute and a
description for display to users, and indicates whether the
attribute's values are ordered sets, whether the given name
attribute's values are useful as the subject of an access control
list entry and/or whether the given name attribute's values are
useful as indicators of trust (for example, whether they name PKIX

6.1. C-Bindings

OM_uint32 gss_inquire_name_attribute(
    OM_uint32 *minor_status,
    gss_buffer_t attr_name,
    gss_buffer_t attr_description,
    int attr_values_ordered,
    int *attr_is_trust_indicator

7. GSS_Display_name_ext()

o display_as_name_type OBJECT IDENTIFIER

o major_status INTEGER,

o minor_status INTEGER,

o display_name STRING

Return major_status codes:

o GSS_S_COMPLETE indicates no error.

o GSS_S_UNAVAILABLE indicates that the given name could not be
displayed using the syntax of the given name type.

o GSS_S_FAILURE indicates a general error.

This function displays a given name using the given name syntax, if
possible. This operation may require mapping MNs to generic name
syntaxes or generic name syntaxes to mechanism-specific name
syntaxes; such mappings may not always be feasible and MAY be inexact

7.1. C-Bindings

OM_uint32 GSS_Display_name_ext(
    OM_uint32 *minor_status,
    gss_OID display_as_name_type,
    gss_buffer_t display_name

8. GSS_Inquire_name()

o major_status INTEGER,

o minor_status INTEGER,

o name_is_MN BOOLEAN,

o mn_mech OBJECT IDENTIFIER,

o asserted_attrs SET OF OBJECT IDENTIFIER,

o authenticated_attrs SET OF OBJECT IDENTIFIER,

o critical_attrs SET OF OBJECT IDENTIFIER,

o all_attrs SET OF OBJECT IDENTIFIER,

o [NOTE: Perhaps this function should also output an indicator as to
the provenance of the name, of which, in the GSS-API, there are
three: imported, inquired from a credential, and a peer's name
inquired from a security context.]

Return major_status codes:

o GSS_S_COMPLETE indicates no error.

o GSS_S_FAILURE indicates a general error.

This function outputs the sets of attributes of a name that are
authenticated, asserted or critical. It also indicates if a given
NAME is an MN or not and, if it is, what mechanism it's an MN of.

8.1. C-Bindings

OM_uint32 gss_inquire_name(
    OM_uint32 *minor_status,
    gss_OID_set *authenticated,
    gss_OID_set *asserted,
    gss_OID_set *critical,
    gss_OID_set *all_attrs

9. GSS_Get_name_attribute()

o attr OBJECT IDENTIFIER

o major_status INTEGER,

o minor_status INTEGER,

o authenticated BOOLEAN, -- FALSE if asserted but not authenticated

o values SET OF OCTET STRING,

o display_values SET OF STRING

Return major_status codes:

o GSS_S_COMPLETE indicates no error.

o GSS_S_UNAVAILABLE indicates that the given attribute OID is not

o GSS_S_FAILURE indicates a general error.

This function outputs the value(s) associated with a given GSS name
object for a given name attribute.

NOTE: This function relies on the GSS-API notion of "SET OF" allowing
for order preservation; this has been discussed on the KITTEN WG
mailing list and the consensus seems to be that, indeed, that was
always the intention.

9.1. C-Bindings

The C-bindings of GSS_Get_name_attribute() require one function call
per attribute value, for multi-valued name attributes. This is done
by using a single gss_buffer_t for each value and an input/output
integer parameter to distinguish initial and subsequent calls and to
indicate when all values have been obtained.

The 'more' input/output parameter should point to an integer variable
whose value, on first call to gss_get_name_attribute() MUST be -1,
and whose value upon function call return will be non-zero to
indicate that additional values remain, or zero to indicate that no
values remain. The caller should not modify this parameter after the

OM_uint32 gss_get_name_attribute(
    OM_uint32 *minor_status,
    gss_buffer_t display_value,

10. GSS_Set_name_attribute()

o attr OBJECT IDENTIFIER,

o values SET OF OCTET STRING

o major_status INTEGER,

o minor_status INTEGER

Return major_status codes:

o GSS_S_COMPLETE indicates no error.

o GSS_S_UNAVAILABLE indicates that the given attribute OID is not
known or could not be set.

o GSS_S_FAILURE indicates a general error.

NOTE: This function relies on the GSS-API notion of "SET OF" allowing
for order preservation; this has been discussed on the KITTEN WG
mailing list and the consensus seems to be that, indeed, that was
always the intention.

10.1. C-Bindings

The C-bindings of GSS_Set_name_attribute() require one function call
per attribute value, for multi-valued name attributes -- each call
adds one value. To replace an attribute's every value, delete the
attribute's values first with GSS_Delete_name_attribute().

OM_uint32 gss_set_name_attribute(
    OM_uint32 *minor_status,

11. GSS_Delete_name_attribute()

o attr OBJECT IDENTIFIER,

o major_status INTEGER,

o minor_status INTEGER

Return major_status codes:

o GSS_S_COMPLETE indicates no error.

o GSS_S_UNAVAILABLE indicates that the given attribute OID is not

o GSS_S_FAILURE indicates a general error.

Deletion of negative authenticated attributes from NAME objects MUST
NOT be allowed. [Do we need a new major status code for "permission

11.1. C-Bindings

OM_uint32 gss_delete_name_attribute(
    OM_uint32 *minor_status,

12. GSS_Export_name_composite()

o major_status INTEGER,

o minor_status INTEGER,

o exp_composite_name OCTET STRING

Return major_status codes:

o GSS_S_COMPLETE indicates no error.

o GSS_S_FAILURE indicates a general error.

This function outputs a token which can be imported with
GSS_Import_name(), using GSS_C_NT_COMPOSITE_EXPORT as the name type
and which preserves any name attribute information associated with
the input name (which GSS_Export_name() may well not). The token
format is not specified here as this facility is intended for inter-
process communication only; however, all such tokens MUST start with
a two-octet token ID, hex 04 02, in network byte order.

The OID for GSS_C_NT_COMPOSITE_EXPORT is <TBD>.

12.1. C-Bindings

OM_uint32 gss_export_name_composite(
    OM_uint32 *minor_status,
    gss_buffer_t exp_composite_name

13. GSS_Map_name_to_any()

o authenticated BOOLEAN, -- if TRUE no data will be output unless it

o type_id OBJECT IDENTIFIER

o major_status INTEGER,

o minor_status INTEGER,

o output ANY DEFINED BY type_id

Return major_status codes:

o GSS_S_COMPLETE indicates no error.

o GSS_S_UNAVAILABLE indicates that the mapping or conversion could
not be done. The minor status code may provide additional

o GSS_S_FAILURE indicates a general error. The minor status code
may provide additional information.

Whereas name attributes' values are encoded in some network
representation, applications often require native, language- and/or
platform-specific data types. This function provides access to such

13.1. C-Bindings

typedef struct gss_any *gss_any_t;
OM_uint32 gss_map_name_to_any(
    OM_uint32 *minor_status,

Note the new C bindings type, gss_any_t. We define it as a pointer
to an incompletely declared struct.

14. GSS_Release_any_name_mapping()

o type_id OBJECT IDENTIFIER,

o input ANY DEFINED BY type_id

o major_status INTEGER,

o minor_status INTEGER,

Return major_status codes:

o GSS_S_COMPLETE indicates no error.

o GSS_S_UNAVAILABLE indicates that the mapping or conversion could
not be done. The minor status code may provide additional

o GSS_S_FAILURE indicates a general error. The minor status code
may provide additional information.

This function releases, if possible, the objects of language- and/or
platform-specific types output by GSS_Map_name_to_any(). If such
types have native release functions applications MAY use either those
or this function to release the given object.

14.1. C-Bindings

typedef struct gss_any *gss_any_t;
OM_uint32 gss_release_any_name_mapping(
    OM_uint32 *minor_status,

15. IANA Considerations

This document creates a namespace of GSS-API name attributes.
Attributes are named by OID, so no single authority might be needed
for allocation; however, in the interest of providing the community
with an authority for name attribute OID allocation and a way to find
the existing set of name attributes, the IANA should establish both
a single OID off of which name attributes could be allocated and a
registry of known GSS name attributes.

GSS-API name attribute registry entries should contain all the
information that GSS_Inquire_name_attribute() may return about the
given name attributes and their OIDs:

o a name attribute OID (this is a unique key)

o a name attribute symbolic name, starting with "GSS_C_NA_" (this is

o a brief description, in English

o whether the attribute is useful as the subject of access control

o whether the attribute is useful as an indicator of trust

o an optional normative reference to documentation for the given

The allocation and registration policy should be first come, first
served. Registry entries' OIDs need not be based on the base OID

16. Security Considerations

[In particular, the status of a name attribute as "authenticated" vs.
"asserted" requires close review, particularly with respect to PKIX
certificate extensions.]

[Also, we need to work out the security considerations of (and
possibly remove) negative attributes.]

17. Normative References

[I-D.GSS-NAMING]
Hartman, S., "Desired Enhancements to GSSAPI Naming",
draft-ietf-kitten-gss-naming-01.txt (work in progress),

[I-D.ietf-krb-wg-kerberos-clarifications]
Neuman, C., "The Kerberos Network Authentication Service
(V5)", draft-ietf-krb-wg-kerberos-clarifications-07 (work
in progress), September 2004.

[RFC2025] Adams, C., "The Simple Public-Key GSS-API Mechanism
(SPKM)", RFC 2025, October 1996.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2743] Linn, J., "Generic Security Service Application Program
Interface Version 2, Update 1", RFC 2743, January 2000.

[RFC2744] Wray, J., "Generic Security Service API Version 2 :
C-bindings", RFC 2744, January 2000.

[RFC3280] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet
X.509 Public Key Infrastructure Certificate and
Certificate Revocation List (CRL) Profile", RFC 3280,

Author's Address

Email: Nicolas.Williams@sun.com

Intellectual Property Statement

The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at

Disclaimer of Validity

This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright (C) The Internet Society (2005). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.

Funding for the RFC Editor function is currently provided by the