One document matched: draft-williams-kitten-krb5-pkcross-00.xml
<?xml version="1.0" encoding="UTF-8"?>
<?rfc toc="yes"?>
<?rfc symrefs="yes"?>
<?rfc tocindent="no"?>
<?rfc toc="yes"?>
<?rfc symrefs="yes"?>
<?rfc tocindent="no"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc2119 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY rfc1035 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.1035.xml">
<!ENTITY rfc1123 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.1123.xml">
<!ENTITY rfc2743 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2743.xml">
<!ENTITY rfc2744 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2744.xml">
<!ENTITY rfc5890 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5890.xml">
<!ENTITY rfc6680 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6680.xml">
<!ENTITY rfc4121 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4121.xml">
]>
<rfc docName="draft-williams-kitten-generic-naming-attributes-00" ipr="trust200902" category="std" updates="2743, 2744">
<front>
<title abbrev="Simple GSS">Generic Naming Attributes for the Generic Security Services Application Programming Interface (GSS-API)</title>
<author initials="N." surname="Williams" fullname="Nicolas Williams">
<organization abbrev="Cryptonector">Cryptonector, LLC</organization>
<address>
<email>nico@cryptonector.com</email>
</address>
</author>
<date month="July" year="2013"/>
<area>
Security Area
</area>
<keyword>Internet-Draft</keyword>
<abstract>
<t>
This document specifies several useful generic naming attributes for use with the Generic Security Services Application Programming Interface (GSS-API) Naming Extensions specified in RFC6680.</t>
<t>
These attributes allow applications to extract discrete components of a GSS-API “mechanism name” (MN) object: issuer (e.g., realm name, domain name, certification authority name), service and host names (for host-based service names), user names, and others.</t>
</abstract>
</front>
<middle>
<section title="Introduction" anchor="d1e285">
<t>
In RFC6680 <xref target="RFC6680"/> we introduced an interface by which to access “attributes” of names. This document specifies some such attributes.</t>
<section title="Conventions used in this document" anchor="d1e300">
<t>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in <xref target="RFC2119"/>.</t>
</section>
</section>
<section title="Generic Attributes" anchor="d1e316">
<t>
We add a number of generic attributes. Some of these attributes can be used as prefixes of other attributes.</t>
<section title="Concrete Attributes" anchor="d1e325">
<t>
These attributes generally have a single value. Only one of these attributes can also be used a prefix: the issuer name attribute.</t>
<section title="Issuer Name" anchor="d1e334">
<t>
We add an attribute by which to obtain a name of an issuer of a mechanism name (MN) or of an attribute of an MN. The API name for this attribute is GSS_C_ATTR_GENERIC_ISSUERNAME, and it's actual attribute name is “urn:ietf:id:ietf-kitten-name-attrs-00-issuername”.</t>
<t>
The display form of issuer names is mechanism-specific.</t>
<t>
The [non-display] form of issuer names SHALL be the exported name token form of the issuer's name. Not all mechanisms will support issuer names as MNs, therefore implementations MAY output a null non-display value.</t>
<t>
For example, for the Kerberos mechanism <xref target="RFC4121"/> an issuer name would generally (but not always!) be a Kerberos realm name, probably display as just the realm name. (But note that there is not yet a Kerberos realm name as MN specification.)</t>
<t>
This attribute can be used as prefix of other attributes. When used as a prefix, this attribute indicates that the application wishes to know the name of the issuer of the prefixed attribute of the given MN.</t>
</section>
<section title="User Name" anchor="d1e361">
<t>
We add an attribute by which to obtain the component of an MN naming a user. The API name for this attribute is GSS_C_ATTR_GENERIC_USERNAME, and it's actual attribute name is “urn:ietf:id:ietf-kitten-name-attrs-00-username”.</t>
<t>
The display form of user names is mechanism-specific.</t>
<t>
The non-display form of user names is mechanism-specific.</t>
</section>
<section title="Service Name" anchor="d1e377">
<t>
We add an attribute by which to obtain the component of an MN naming a service as part of a host- or domain-based service name. The API name for this attribute is GSS_C_ATTR_GENERIC_SERVICENAME, and it's actual attribute name is “urn:ietf:id:ietf-kitten-name-attrs-00-servicename”.</t>
<t>
The display and non-display forms of service names are the same: a character string corresponding to the service names used, for example, in calls to GSS_Import_name() with the GSS_C_NT_HOSTBASED_SERVICE name-type.</t>
</section>
<section title="Host Name" anchor="d1e389">
<t>
We add an attribute by which to obtain the component of an MN naming a host as part of a host- or domain-based service name. The API name for this attribute is GSS_C_ATTR_GENERIC_HOSTNAME, and it's actual attribute name is “urn:ietf:id:ietf-kitten-name-attrs-00-hostname”.</t>
<t>
The display form of a host name MAY be stylized and SHOULD use U-labels <xref target="RFC5890"/>.</t>
<t>
The non-display form of host names SHOULD be a character string as described in <xref target="RFC1123"/>, and SHOULD use A-labels <xref target="RFC5890"/>.</t>
</section>
<section title="Domain Name" anchor="d1e422">
<t>
We add an attribute by which to obtain the component of an MN naming a domain as part of a domain-based service name. The API name for this attribute is GSS_C_ATTR_GENERIC_DOMAINNAME, and it's actual attribute name is “urn:ietf:id:ietf-kitten-name-attrs-00-domainname”.</t>
<t>
The display form of a domain name MAY be stylized and SHOULD use U-labels <xref target="RFC5890"/>.</t>
<t>
The non-display form of domain names SHOULD be a character string as described in <xref target="RFC1035"/>, and SHOULD use A-labels <xref target="RFC5890"/>.</t>
</section>
</section>
<section title="Prefix Attributes" anchor="d1e456">
<t>
GSS_Get_name_attribute() using attributes described in the preceding section SHALL fail if there are any name constraints that can be applied to the issuers of those names and, in applying those constraints, it is discovered that the issuer was not permitted to issue credentials for the MN.</t>
<t>
For example, a Kerberos realm named “FOO.EXAMPLE” might not be expected to issue credentials (tickets, keys) to host-based service names for hosts not ending in “.foo.example” or which are not “foo.example”.</t>
<t>
Several generic attribute prefixes are described below for overriding this behavior.</t>
<section title="GSS_C_ATTR_GENERIC_UNCONSTRAINED" anchor="d1e471">
<t>
This attribute prefix, named GSS_C_ATTR_GENERIC_UNCONSTRAINED in the API, and with an actual name of “urn:ietf:id:ietf-kitten-name-attrs-00-gen-unconstrained”, indicates that the application wants the value of the prefixed attribute without any name constraint checking.</t>
</section>
<section title="GSS_C_ATTR_GENERIC_UNCONSTRAINED_OK" anchor="d1e480">
<t>
This attribute prefix, named GSS_C_ATTR_GENERIC_UNCONSTRAINED_OK in the API, and with an actual name of “urn:ietf:id:ietf-kitten-name-attrs-00-gen-unconstrained-ok”, indicates that the application wants the value of the prefixed attribute regardless of any applicable naming constraints, but to indicate the name constraint status via the 'authenticated' output parameter of the GSS_Get_name_attribute() interface.</t>
</section>
<section title="GSS_C_ATTR_GENERIC_FAST" anchor="d1e490">
<t>
This attribute prefix, named GSS_C_ATTR_GENERIC_FAST in the API, and with an actual name of “urn:ietf:id:ietf-kitten-name-attrs-00-gen-fast”, indicates that the application requires that the mechanism not perform any slow operations (e.g., connecting to a directory for the purposes of name constraint validation) in obtaining the prefixed attribute of the given MN.</t>
</section>
</section>
</section>
<section title="Local Name Attributes" anchor="d1e499">
<t>
Normally an Internet specification would not be expected to specify any local name attributes of GSS names. However, there is one common and very useful local name attribute, which we specify below. Implementations are free to use different names for this attribute or exclude it altogether -- it is a local name attribute, after all.</t>
<section title="GSS_C_ATTR_LOCAL_LOGIN_USER" anchor="d1e508">
<t>
This attribute, with suggested API name GSS_C_ATTR_LOCAL_LOGIN_USER, and suggested actual name “local-login-user”, requests a local user name corresponding to the given MN, if any.</t>
<t>
Obtaining the local user name corresponding to an MN may require complex name mapping or lookup operations that are completely implementation-defined.</t>
</section>
</section>
<section title="Suggested Mechanism-Specific Name Attributes (INFORMATIONAL)" anchor="d1e520">
<t>
<cref>
This section should really be split out into separate Internet-Drafts. It is here only because the author lacks the time at the moment of writing to create such separate I-Ds.</cref>
</t>
<section title="Suggested Kerberos-Specific Name Attributes" anchor="d1e529">
<t>
<list style="symbols">
<t>
realm (corresponding to issuer name)</t>
<t>
component 0 (first component of a principal name)</t>
<t>
component 1 (second component of a principal name)</t>
<t>
..</t>
<t>
component 9 (10th component of a principal name)</t>
<t>
components (ordered set of components of a principal name)</t>
<t>
transit path (ordered set of realm and CA names)</t>
<t>
specific authorization data elements</t>
<t>
PKINIT client certificate</t>
<t>
session key enctype</t>
<t>
enctypes involved in transit path (this would only be available to initiators)</t>
</list>
</t>
</section>
<section title="Suggested PKU2U-Specific Name Attributes" anchor="d1e570">
<t>
<cref>
Add reference to PKU2U.</cref>
</t>
<t>
<list style="symbols">
<t>
issuer CA name</t>
<t>
trust path to a trust anchor</t>
<t>
certificate</t>
<t>
certificate subject public key</t>
<t>
certificate subject name</t>
<t>
certificate subject alternate names</t>
<t>
specific certificate extensions</t>
<t>
certificate algorithm names</t>
<t>
session key enctype</t>
</list>
</t>
</section>
</section>
<section title="Security Considerations" anchor="d1e607">
<t>
[Add text regarding name constraint checking and explaining the default-to-safe design of the generic name attributes defined in section 2.]</t>
</section>
<section title="IANA Considerations" anchor="d1e616">
<t>
[Add text regarding the registration and assignment of the name attributes described in the preceding sections. In particular we should want these attributes' names to not reflect an Internet-Draft name, but an RFC number.]</t>
</section>
</middle>
<back>
<references title="Normative References">&rfc2119;
&rfc1035;
&rfc1123;
&rfc2743;
&rfc2744;
&rfc5890;
&rfc6680;
</references>
<references title="Informative References">&rfc4121;</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 09:19:02 |