NETWORK WORKING GROUP                                        N. Williams
Internet-Draft                                                       Sun
Expires: April 17, 2006                                 October 14, 2005


                       GSS-API Naming Extensions
              draft-ietf-kitten-gssapi-naming-exts-01.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on April 17, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   The Generic Security Services API (GSS-API) provides a simple naming
   architecture that supports name-based authorization.  This document
   introduces new APIs that extend the GSS-API naming and authorization
   model.



Williams                 Expires April 17, 2006                 [Page 1]

Internet-Draft          GSS-API Naming Extensions           October 2005


Table of Contents

   1.      Conventions used in this document  . . . . . . . . . . . .  3
   2.      Introduction . . . . . . . . . . . . . . . . . . . . . . .  3
   3.      Name Attribute Sources and Criticality . . . . . . . . . .  3
   4.      Name Attributes/Values as ACL Subjects . . . . . . . . . .  4
   5.      Mapping Mechanism Facilities to Name Attributes  . . . . .  4
   5.1.    Kerberos V and SPKM Authorization-Data . . . . . . . . . .  4
   5.2.    Kerberos V Cross-Realm Transit Paths . . . . . . . . . . .  5
   5.3.    PKIX Certificate Extensions  . . . . . . . . . . . . . . .  5
   5.3.1.  PKIX EKUs  . . . . . . . . . . . . . . . . . . . . . . . .  6
   5.3.2.  PKIX Certificate Alternative Names . . . . . . . . . . . .  6
   5.3.3.  Other PKIX Certificate Extensions and Attributes . . . . .  6
   5.4.    PKIX Certificate CA Paths and Trust Anchors  . . . . . . .  6
   6.      GSS_Inquire_name_attribute() . . . . . . . . . . . . . . .  6
   6.1.    C-Bindings . . . . . . . . . . . . . . . . . . . . . . . .  7
   7.      GSS_Display_name_ext() . . . . . . . . . . . . . . . . . .  8
   7.1.    C-Bindings . . . . . . . . . . . . . . . . . . . . . . . .  8
   8.      GSS_Inquire_name() . . . . . . . . . . . . . . . . . . . .  9
   8.1.    C-Bindings . . . . . . . . . . . . . . . . . . . . . . . .  9
   9.      GSS_Get_name_attribute() . . . . . . . . . . . . . . . . . 10
   9.1.    C-Bindings . . . . . . . . . . . . . . . . . . . . . . . . 11
   10.     GSS_Set_name_attribute() . . . . . . . . . . . . . . . . . 11
   10.1.   C-Bindings . . . . . . . . . . . . . . . . . . . . . . . . 12
   11.     GSS_Delete_name_attribute()  . . . . . . . . . . . . . . . 12
   11.1.   C-Bindings . . . . . . . . . . . . . . . . . . . . . . . . 13
   12.     GSS_Export_name_composite()  . . . . . . . . . . . . . . . 13
   12.1.   C-Bindings . . . . . . . . . . . . . . . . . . . . . . . . 14
   13.     GSS_Map_name_to_any()  . . . . . . . . . . . . . . . . . . 14
   13.1.   C-Bindings . . . . . . . . . . . . . . . . . . . . . . . . 15
   14.     GSS_Release_any_name_mapping() . . . . . . . . . . . . . . 15
   14.1.   C-Bindings . . . . . . . . . . . . . . . . . . . . . . . . 16
   15.     IANA Considerations  . . . . . . . . . . . . . . . . . . . 16
   16.     Security Considerations  . . . . . . . . . . . . . . . . . 17
   17.     Normative References . . . . . . . . . . . . . . . . . . . 17
           Author's Address . . . . . . . . . . . . . . . . . . . . . 18
           Intellectual Property and Copyright Statements . . . . . . 19


1.  Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].


2.  Introduction

   As described in [I-D.GSS-NAMING], the GSS-API's naming architecture
   suffers from certain limitations.  This document proposes concrete
   GSS-API extensions as outlined in [I-D.GSS-NAMING].

   A number of extensions to the GSS-API [RFC2743] and its C Bindings
   [RFC2744] are described herein with the goal of making authorization
   information, and other information that can be modelled as "name
   attributes", available as such to applications.  For example,
   Kerberos V authorization data elements, both in their raw forms and
   mapped to more useful value types, can be made available to GSS-API
   applications through these interfaces.

   The model is that GSS names have attributes.  The attributes of a
   name may be authenticated by the credential whence the name comes, or
   may have been set locally on a GSS name for the purpose of
   "asserting" the attribute during credential acquisition or security
   context exchange.  Name attributes' values are network
   representations thereof (e.g., the actual value octets of the
   contents of an X.509 certificate extension) and are intended to be
   useful for constructing portable access control facilities.
   Applications may often require language- or platform-specific data
   types, rather than network representations of name attributes, so a
   function is provided to obtain objects of such types associated with
   names and name attributes.


3.  Name Attribute Sources and Criticality

   A given GSS name object's name attributes may be authenticated or
   asserted by an associated credential, or they may be mapped or
   derived from another attribute of the same name.

   That a given name's given attribute is 'mapped' means that it was
   obtained through some mapping mechanism applied to another attribute
   of the name that was not, itself, mapped.  For example, such
   attributes as platform-specific internal identifiers may sometimes be
   mapped from other name attributes.
   Name attributes may be "critical," meaning that applications that do
   not understand them MUST reject security contexts where the peer has
   such unknown, critical attributes.


4.  Name Attributes/Values as ACL Subjects

   Some name attributes (e.g., numeric user or group identifiers) may be
   useful as subjects of access control list (ACL) entries, while others
   may not (e.g., time-of-day login restrictions).  The
   GSS_Inquire_name_attribute() function indicates which is the case.

   To facilitate the development of portable applications that make use
   of name attributes to construct and evaluate portable ACLs, the GSS-
   API makes name attribute values available in canonical network
   encodings thereof.

   To facilitate the development of platform- or language-specific
   applications that need access to native representations of name
   attributes, an optional facility is provided,
   GSS_Map_name_to_any().
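   The access check that Sections 3 and 4 imply, written out as an added
   C example (not code from this draft): a peer name carrying a critical
   attribute the application does not recognise is rejected outright,
   and only the values of authenticated, non-negative attributes that are
   usable as ACL subjects are matched against ACL entries.  The types,
   function names, dotted OID strings and sample data are all constructed
   for this example; a real application would fill the structures from
   GSS_Inquire_name(), GSS_Inquire_name_attribute() and
   GSS_Get_name_attribute().

```c
/* Added example: name-attribute based access check (Sections 3 and 4).
 * All types, names, OIDs and sample data are constructed for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Verdicts returned by check_access(). */
enum verdict { REJECT_CONTEXT = -1, DENY = 0, GRANT = 1 };

/* What the application knows about an attribute, i.e. what
 * GSS_Inquire_name_attribute() would report as attr_is_a_name. */
struct known_attr { const char *oid; bool is_acl_subject; };

/* One attribute of the peer's name, with the flags and values that
 * GSS_Get_name_attribute() would return for it. */
struct name_attr {
    const char *oid;
    bool authenticated;     /* false: merely asserted by the peer */
    bool negative;
    bool critical;
    const char *values[4];  /* network encodings, shown here as text */
    size_t nvalues;
};

/* An ACL entry: grant if attribute 'oid' of the peer carries 'value'. */
struct acl_entry { const char *oid; const char *value; };

/* Attributes this application understands (constructed OIDs). */
static const struct known_attr known[] = {
    { "1.3.6.1.4.1.99999.1", true  },   /* e.g. a group identifier       */
    { "1.3.6.1.4.1.99999.2", false },   /* e.g. a login-time restriction */
};

static const struct known_attr *lookup_known(const char *oid)
{
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strcmp(known[i].oid, oid) == 0)
            return &known[i];
    return NULL;
}

enum verdict check_access(const struct name_attr *attrs, size_t nattrs,
                          const struct acl_entry *acl, size_t nacl)
{
    /* Section 3: an unknown critical attribute means the security context
     * itself MUST be rejected, before any ACL matching is attempted. */
    for (size_t i = 0; i < nattrs; i++)
        if (attrs[i].critical && lookup_known(attrs[i].oid) == NULL)
            return REJECT_CONTEXT;

    for (size_t a = 0; a < nacl; a++) {
        const struct known_attr *k = lookup_known(acl[a].oid);
        if (k == NULL || !k->is_acl_subject)
            continue;           /* Section 4: not usable as an ACL subject */
        for (size_t i = 0; i < nattrs; i++) {
            const struct name_attr *na = &attrs[i];
            if (strcmp(na->oid, acl[a].oid) != 0)
                continue;
            /* Only values authenticated by a trusted entity may grant
             * access; asserted values and negative attributes never do. */
            if (!na->authenticated || na->negative)
                continue;
            for (size_t v = 0; v < na->nvalues; v++)
                if (strcmp(na->values[v], acl[a].value) == 0)
                    return GRANT;
        }
    }
    return DENY;
}

/* Constructed sample data: one ACL and three peer names. */
static const struct acl_entry sample_acl[] = { { "1.3.6.1.4.1.99999.1", "wheel" } };
static const struct name_attr peer_authenticated[] = {
    { "1.3.6.1.4.1.99999.1", true, false, false, { "staff", "wheel" }, 2 },
};
static const struct name_attr peer_asserted[] = {
    { "1.3.6.1.4.1.99999.1", false, false, false, { "wheel" }, 1 },
};
static const struct name_attr peer_unknown_critical[] = {
    { "1.3.6.1.4.1.99999.1", true, false, false, { "wheel" }, 1 },
    { "1.3.6.1.4.1.99999.42", true, false, true, { "" }, 1 },
};

int main(void)
{
    printf("authenticated peer : %d\n", check_access(peer_authenticated, 1, sample_acl, 1));
    printf("asserted peer      : %d\n", check_access(peer_asserted, 1, sample_acl, 1));
    printf("unknown critical   : %d\n", check_access(peer_unknown_critical, 2, sample_acl, 1));
    return 0;
}
```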


5.  Mapping Mechanism Facilities to Name Attributes

   [NOTE: This entire section should probably be split into one or more
   separate Internet-Drafts.  It is here in the -00 of this I-D to help
   readers understand how mechanism-specific name attributes would be
   accessed through these GSS-API extensions.]

   Kerberos V [I-D.ietf-krb-wg-kerberos-clarifications] and the Simple
   Public-Key GSS-API Mechanism, SPKM [RFC2025], both support the
   concept and encoding of containers of "authorization-data" as
   described in [I-D.ietf-krb-wg-kerberos-clarifications].

   PKIX [RFC3280] supports a number of authorization-data-like features,
   like Extended Key Usage values (EKUs) and certificate extensions.

   The authorization data can be accessed through the GSS-API name
   attributes facility defined herein.

5.1.  Kerberos V and SPKM Authorization-Data

   Authorization-data non-container elements asserted in Kerberos V AP-
   REQ Authenticators MUST be mapped into *asserted* GSS-API name
   attributes; if not contained in AD-IF-RELEVANT then they MUST be
   mapped into *critical* GSS-API name attributes.  AD-AND-OR
   authorization-data elements MUST be mapped into a single *critical*
   attribute (TBD).
   Authorization-data included in Kerberos V Tickets that is not
   contained in AD-KDCIssued (with valid signature) MUST be mapped into
   *asserted* GSS-API name attributes.  Conversely, authorization-data
   elements in Kerberos V Tickets contained by AD-KDCIssued MUST be
   mapped into *authenticated* GSS-API name attributes.

   As with authorization-data elements in Authenticators, authorization-
   data elements in Tickets not contained in AD-IF-RELEVANT are to be
   mapped to *critical* name attributes, and similarly with AD-AND-OR
   (see above).

   The OIDs for authorization-data elements are to be the authorization-
   data element's 'ad-type' integer ID, relative to the base OID <TBD>.
   [NOTE: what about negative ad-types?  OID arcs are positive
   integers... ad-type is an Int32, so clearly something can be done.]
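   The container rules of Section 5.1 condensed into one decision
   function, as an added example rather than code from this draft.  The
   enum, flag names and function name are this example's own.  The draft
   does not say whether an AD-AND-OR element is itself authenticated, nor
   how one nested inside AD-IF-RELEVANT is treated; this example applies
   the same authenticated test to it and keeps it critical, the
   fail-closed choice.

```c
/* Added example: the Section 5.1 mapping of a Kerberos V authorization-data
 * element onto GSS-API name-attribute flags.  Names are this example's own. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Where the element was carried. */
enum ad_source { AD_IN_AUTHENTICATOR, AD_IN_TICKET };

/* Flag bits returned by ad_flags(). */
#define NA_AUTHENTICATED 1   /* otherwise: asserted     */
#define NA_CRITICAL      2   /* otherwise: non-critical */

/*
 * source         : Authenticator (AP-REQ) or Ticket
 * in_kdc_issued  : element is inside an AD-KDCIssued container
 * kdc_sig_valid  : ... whose signature verified
 * in_if_relevant : element is inside an AD-IF-RELEVANT container
 * is_and_or      : element is an AD-AND-OR container (mapped as a whole)
 */
int ad_flags(enum ad_source source, bool in_kdc_issued, bool kdc_sig_valid,
             bool in_if_relevant, bool is_and_or)
{
    int flags = 0;

    /* Authenticated only for Ticket elements wrapped in AD-KDCIssued with a
     * valid signature.  Everything in the Authenticator, and Ticket elements
     * outside AD-KDCIssued (or with a bad signature), is merely asserted. */
    if (source == AD_IN_TICKET && in_kdc_issued && kdc_sig_valid)
        flags |= NA_AUTHENTICATED;

    /* AD-AND-OR always becomes a single critical attribute.  Any other
     * element is critical unless it sits inside AD-IF-RELEVANT.  Assumption:
     * AD-AND-OR stays critical even under AD-IF-RELEVANT (draft is silent). */
    if (is_and_or || !in_if_relevant)
        flags |= NA_CRITICAL;

    return flags;
}

/* Prints the decision table for the cases the draft spells out. */
int main(void)
{
    static const struct {
        const char *label; enum ad_source src; bool kdc, sig, ifrel, andor;
    } cases[] = {
        { "Authenticator, bare",                 AD_IN_AUTHENTICATOR, false, false, false, false },
        { "Authenticator, in AD-IF-RELEVANT",    AD_IN_AUTHENTICATOR, false, false, true,  false },
        { "Ticket, AD-KDCIssued (sig ok)",       AD_IN_TICKET,        true,  true,  false, false },
        { "Ticket, AD-KDCIssued in IF-RELEVANT", AD_IN_TICKET,        true,  true,  true,  false },
        { "Ticket, AD-KDCIssued (bad sig)",      AD_IN_TICKET,        true,  false, false, false },
        { "Ticket, AD-AND-OR",                   AD_IN_TICKET,        false, false, false, true  },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int f = ad_flags(cases[i].src, cases[i].kdc, cases[i].sig,
                         cases[i].ifrel, cases[i].andor);
        printf("%-38s %-13s %s\n", cases[i].label,
               (f & NA_AUTHENTICATED) ? "authenticated" : "asserted",
               (f & NA_CRITICAL) ? "critical" : "non-critical");
    }
    return 0;
}
```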

5.2.  Kerberos V Cross-Realm Transit Paths

   [Add text on how to represent/encode/interpret krb5 realm transit
   paths as name attribute values.  And text on PKINIT too...  Basically
   the Ticket's 'transited' field should be exposed as an authenticated
   name attribute, with some uncompressed encoding, possibly encompassing
   certificate validation paths of client certs used for PKINIT, with
   criticality determined by the presence of the transit-policy-checked
   flag.]

5.3.  PKIX Certificate Extensions

   [NOTE: In the Kerberos V authorization-data case we can tell when AD
   elements are "authenticated" and when they are asserted, but what
   about X.509 certificate extensions?  Clearly KU, EKUs and
   subjectAltNames are authenticated in that no CA should sign a cert
   with, say, arbitrary subjectAltNames not understood by the CA, but
   does that also apply to all other X.509 certificate extensions?  The
   answer may depend on actual CA operator practices...  At worst a new
   extension may be needed, like Kerberos V's AD-KDCIssued AD container
   element; at best this text can just say "all cert extensions MUST be
   mapped to authenticated..." below.]

   PKI certificate extensions MAY/SHOULD/MUST (see comment above) be
   mapped to *authenticated* GSS-API name attributes with the _same_
   OIDs, and if they are marked critical in the certificate then they
   MUST be mapped as *critical* GSS-API name attributes.
   SubjectAltNames and EKUs, specifically, MUST be mapped to
   *authenticated* GSS-API name attributes; see below.  Certificate
   extensions MUST be mapped to GSS-API name attributes whose OIDs are
   the same as the extensions'.
5.3.1.  PKIX EKUs

   Extended Key Usage extensions, specifically, MUST be mapped as
   described above, except that GSS-API name attributes for EKUs MUST
   have NULL values (i.e., zero-length OCTET STRINGs).

   PKI certificate key usages (KUs, but not EKUs) MUST NOT be mapped to
   GSS-API name attributes.

5.3.2.  PKIX Certificate Alternative Names

   PKI certificate subjectAltNames MUST be mapped as *authenticated*,
   *non-critical* GSS-API name attributes.
5.3.3.  Other PKIX Certificate Extensions and Attributes

   [Add text...]

5.4.  PKIX Certificate CA Paths and Trust Anchors

   [Add text on how to represent/encode/interpret PKI certificate
   validation CA paths as name attribute values, much as with Kerberos V
   transited paths.]


6.  GSS_Inquire_name_attribute()

   [NOTE: This function was somewhat controversial at IETF63; we should
   decide whether to remove it at IETF64.  The controversy was, as I
   recall, over whether reflection functionality might not be dangerous,
   leading to construction of inappropriate ACLs through dumb UIs.  For
   now I am making some changes to it: adding a NAME object as an input
   parameter and some output parameters.]

   Inputs:

   o  name NAME
   o  attr OBJECT IDENTIFIER

   Outputs:

   o  major_status INTEGER,

   o  minor_status INTEGER,

   o  attr_name OCTET STRING, -- display name of the attribute

   o  attr_description OCTET STRING, -- description of the attribute

   o  attr_values_ordered BOOLEAN, -- whether the attribute's values are
      an ordered set

   o  attr_is_a_name BOOLEAN, -- whether the attribute's values can be
      used as subjects of access control list entries

   o  attr_is_trust_indicator BOOLEAN -- whether the attribute's values
      represent nodes in trust paths

   Return major_status codes:

   o  GSS_S_COMPLETE indicates no error.

   o  GSS_S_UNAVAILABLE indicates that the given attribute OID is not
      known (even if present as a name's attribute).

   o  GSS_S_FAILURE indicates a general error.

   This function outputs a display name and a description for the given
   name attribute, and indicates whether the attribute's values form an
   ordered set, whether they are useful as the subject of an access
   control list entry, and/or whether they are useful as indicators of
   trust (for example, whether they name PKIX trust anchors).
6.1.  C-Bindings

   OM_uint32 gss_inquire_name_attribute(
     OM_uint32                     *minor_status,
     gss_name_t                    name,
     gss_OID                       attr,
     gss_buffer_t                  attr_name,
     gss_buffer_t                  attr_description,
     int                           *attr_values_ordered,
     int                           *attr_is_a_name,
     int                           *attr_is_trust_indicator
   );


7.  GSS_Display_name_ext()

   Inputs:

   o  name NAME,

   o  display_as_name_type OBJECT IDENTIFIER

   Outputs:

   o  major_status INTEGER,

   o  minor_status INTEGER,

   o  display_name STRING

   Return major_status codes:

   o  GSS_S_COMPLETE indicates no error.

   o  GSS_S_UNAVAILABLE indicates that the given name could not be
      displayed using the syntax of the given name type.

   o  GSS_S_FAILURE indicates a general error.

   This function displays a given name using the given name syntax, if
   possible.  This operation may require mapping MNs to generic name
   syntaxes or generic name syntaxes to mechanism-specific name
   syntaxes; such mappings may not always be feasible and MAY be inexact
   or lossy.
7.1.  C-Bindings

   OM_uint32 gss_display_name_ext(
     OM_uint32                     *minor_status,
     gss_name_t                    name,
     gss_OID                       display_as_name_type,
     gss_buffer_t                  display_name
   );


8.  GSS_Inquire_name()

   Inputs:

   o  name NAME

   Outputs:

   o  major_status INTEGER,

   o  minor_status INTEGER,

   o  name_is_MN BOOLEAN,

   o  mn_mech OBJECT IDENTIFIER,

   o  asserted_attrs SET OF OBJECT IDENTIFIER,

   o  authenticated_attrs SET OF OBJECT IDENTIFIER,

   o  critical_attrs SET OF OBJECT IDENTIFIER,

   o  all_attrs SET OF OBJECT IDENTIFIER,

   o  [NOTE: Perhaps this function should also output an indicator as to
      the provenance of the name, of which, in the GSS-API, there are
      three: imported, inquired from a credential, and a peer's name
      inquired from a security context.]

   Return major_status codes:

   o  GSS_S_COMPLETE indicates no error.

   o  GSS_S_FAILURE indicates a general error.

   This function outputs the sets of a name's attributes that are
   authenticated, asserted or critical, as well as the set of all its
   attributes.  It also indicates whether a given NAME is an MN and, if
   it is, which mechanism it is an MN of.

8.1.  C-Bindings

   OM_uint32 gss_inquire_name(
     OM_uint32                     *minor_status,
     gss_name_t                    name,
     int                           *name_is_MN,
     gss_OID                       *MN_mech,
     gss_OID_set                   *authenticated,
     gss_OID_set                   *asserted,
     gss_OID_set                   *critical,
     gss_OID_set                   *all_attrs
   );


9.  GSS_Get_name_attribute()

   Inputs:

   o  name NAME,

   o  attr OBJECT IDENTIFIER

   Outputs:

   o  major_status INTEGER,

   o  minor_status INTEGER,

   o  authenticated BOOLEAN, -- FALSE if asserted but not authenticated
      by a trusted entity

   o  negative BOOLEAN,

   o  mapped BOOLEAN,

   o  critical BOOLEAN,

   o  values SET OF OCTET STRING,

   o  display_values SET OF STRING

   Return major_status codes:

   o  GSS_S_COMPLETE indicates no error.

   o  GSS_S_UNAVAILABLE indicates that the given attribute OID is not
      known or set.

   o  GSS_S_FAILURE indicates a general error.

   This function outputs the value(s) associated with a given GSS name
   object for a given name attribute.
   NOTE: This function relies on the GSS-API notion of "SET OF" allowing
   for order preservation; this has been discussed on the KITTEN WG
   mailing list and the consensus seems to be that, indeed, that was
   always the intention.

9.1.  C-Bindings

   The C-bindings of GSS_Get_name_attribute() require one function call
   per attribute value for multi-valued name attributes.  This is done
   by using a single gss_buffer_t for each value and an input/output
   integer parameter to distinguish initial and subsequent calls and to
   indicate when all values have been obtained.

   The 'more' input/output parameter should point to an integer variable
   whose value on the first call to gss_get_name_attribute() MUST be -1,
   and whose value upon function call return will be non-zero to
   indicate that additional values remain, or zero to indicate that no
   values remain.  The caller should not modify this parameter after the
   initial call.

   OM_uint32 gss_get_name_attribute(
     OM_uint32                     *minor_status,
     gss_name_t                    name,
     gss_OID                       attr,
     int                           *authenticated,
     int                           *negative,
     int                           *mapped,
     int                           *critical,
     gss_buffer_t                  value,
     gss_buffer_t                  display_value,
     int                           *more
   );
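   The Section 9.1 call pattern in full, as an added example and not code
   from this draft.  Since no implementation of these bindings is assumed
   to be on hand, the block carries minimal stand-ins for the RFC 2744
   types and a small in-memory gss_get_name_attribute() that serves one
   value per call; that stand-in, its sample name and OID string, and
   collect_attr_values() are this example's own.  It uses the count of
   values still to fetch as the non-zero 'more' indicator, which is one
   permitted choice rather than something the draft mandates.

```c
/* Added example: iterating a multi-valued name attribute with the 'more'
 * in/out parameter of Section 9.1.  Types are minimal stand-ins for the RFC
 * 2744 ones; the gss_get_name_attribute() below is a constructed in-memory
 * stand-in, not a real implementation. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned int OM_uint32;
typedef struct { size_t length; void *value; } gss_buffer_desc, *gss_buffer_t;
typedef struct { OM_uint32 length; void *elements; } gss_OID_desc, *gss_OID;
typedef struct gss_name_struct *gss_name_t;

/* Major-status values laid out as RFC 2744 does (routine error << 16). */
#define GSS_S_COMPLETE    0u
#define GSS_S_FAILURE     (13u << 16)
#define GSS_S_UNAVAILABLE (16u << 16)

/* Constructed stand-in name: one attribute whose OID is kept as a dotted
 * string, with its values in the order the mechanism would return them. */
struct gss_name_struct {
    const char *attr_oid;
    const char *values[4];
    int nvalues;
    int authenticated, critical;
};
static struct gss_name_struct sample_name =
    { "1.3.6.1.4.1.99999.7", { "wheel", "staff", "audit" }, 3, 1, 0 };

/* Stand-in for the draft's binding: serves one value per call.  *more MUST be
 * -1 on the first call; afterwards it holds the number of values still to be
 * fetched, so non-zero means "call again" and zero means "done". */
static OM_uint32 gss_get_name_attribute(OM_uint32 *minor_status, gss_name_t name,
    gss_OID attr, int *authenticated, int *negative, int *mapped, int *critical,
    gss_buffer_t value, gss_buffer_t display_value, int *more)
{
    int idx;
    *minor_status = 0;
    if (strcmp((const char *)attr->elements, name->attr_oid) != 0)
        return GSS_S_UNAVAILABLE;            /* attribute not known or not set */
    if (*more == -1)
        idx = 0;                             /* initial call */
    else if (*more > 0 && *more <= name->nvalues)
        idx = name->nvalues - *more;         /* subsequent call */
    else
        return GSS_S_FAILURE;                /* 'more' was modified or exhausted */
    *authenticated = name->authenticated;
    *negative = 0;
    *mapped = 0;
    *critical = name->critical;
    value->value = (void *)name->values[idx];
    value->length = strlen(name->values[idx]);
    *display_value = *value;                 /* display form: same text here */
    *more = name->nvalues - idx - 1;         /* values remaining after this one */
    return GSS_S_COMPLETE;
}

/* Caller side: fetch every value of 'oid' into out[] (at most max) following
 * the protocol exactly: start with more == -1, never touch it afterwards,
 * stop when it comes back zero.  Returns the value count or -1 on error.
 * With a real library each returned buffer would be released with
 * gss_release_buffer() before the next call. */
static int collect_attr_values(gss_name_t name, const char *oid,
                               const char *out[], int max)
{
    gss_OID_desc attr = { (OM_uint32)strlen(oid), (void *)oid };
    gss_buffer_desc value, display;
    OM_uint32 maj, min;
    int authenticated, negative, mapped, critical;
    int more = -1, n = 0;

    do {
        maj = gss_get_name_attribute(&min, name, &attr, &authenticated,
                                     &negative, &mapped, &critical,
                                     &value, &display, &more);
        if (maj != GSS_S_COMPLETE || n >= max)
            return -1;
        out[n++] = (const char *)value.value;
    } while (more != 0);                     /* non-zero: more values remain */
    return n;
}

/* Walks the sample attribute and checks order: 3 on success, -1 otherwise. */
int run_sample(void)
{
    const char *vals[4];
    int n = collect_attr_values(&sample_name, "1.3.6.1.4.1.99999.7", vals, 4);
    if (n != 3 || strcmp(vals[0], "wheel") || strcmp(vals[1], "staff")
        || strcmp(vals[2], "audit"))
        return -1;
    return n;
}

/* One call with an arbitrary initial 'more', to show the -1 requirement. */
OM_uint32 first_call_with(int more_initial)
{
    const char *oid = "1.3.6.1.4.1.99999.7";
    gss_OID_desc attr = { (OM_uint32)strlen(oid), (void *)oid };
    gss_buffer_desc value, display;
    OM_uint32 min;
    int a, ng, m, c, more = more_initial;
    return gss_get_name_attribute(&min, &sample_name, &attr, &a, &ng, &m, &c,
                                  &value, &display, &more);
}

int main(void)
{
    printf("values collected: %d\n", run_sample());
    return 0;
}
```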


10.  GSS_Set_name_attribute()

   Inputs:

   o  name NAME,

   o  critical BOOLEAN,

   o  negative BOOLEAN,

   o  attr OBJECT IDENTIFIER,

   o  values SET OF OCTET STRING
   Outputs:

   o  major_status INTEGER,

   o  minor_status INTEGER

   Return major_status codes:

   o  GSS_S_COMPLETE indicates no error.

   o  GSS_S_UNAVAILABLE indicates that the given attribute OID is not
      known or could not be set.

   o  GSS_S_FAILURE indicates a general error.

   NOTE: This function relies on the GSS-API notion of "SET OF" allowing
   for order preservation; this has been discussed on the KITTEN WG
   mailing list and the consensus seems to be that, indeed, that was
   always the intention.

10.1.  C-Bindings

   The C-bindings of GSS_Set_name_attribute() require one function call
   per attribute value for multi-valued name attributes; each call adds
   one value.  To replace all of an attribute's values, delete the
   attribute's values first with GSS_Delete_name_attribute().

   OM_uint32 gss_set_name_attribute(
     OM_uint32                     *minor_status,
     gss_name_t                    name,
     int                           critical,
     int                           negative,
     gss_OID                       attr,
     gss_buffer_t                  value
   );


11.  GSS_Delete_name_attribute()

   Inputs:

   o  name NAME,

   o  attr OBJECT IDENTIFIER

   Outputs:
   o  major_status INTEGER,

   o  minor_status INTEGER

   Return major_status codes:

   o  GSS_S_COMPLETE indicates no error.

   o  GSS_S_UNAVAILABLE indicates that the given attribute OID is not
      known.

   o  GSS_S_FAILURE indicates a general error.

   Deletion of negative authenticated attributes from NAME objects MUST
   NOT be allowed.  [Do we need a new major status code for "permission
   denied"?]

11.1.  C-Bindings

   OM_uint32 gss_delete_name_attribute(
     OM_uint32                     *minor_status,
     gss_name_t                    name,
     gss_OID                       attr
   );


12.  GSS_Export_name_composite()

   Inputs:

   o  name NAME

   Outputs:

   o  major_status INTEGER,

   o  minor_status INTEGER,

   o  exp_composite_name OCTET STRING

   Return major_status codes:

   o  GSS_S_COMPLETE indicates no error.

   o  GSS_S_FAILURE indicates a general error.
   This function outputs a token which can be imported with
   GSS_Import_name(), using GSS_C_NT_COMPOSITE_EXPORT as the name type,
   and which preserves any name attribute information associated with
   the input name (which GSS_Export_name() may well not).  The token
   format is not specified here as this facility is intended for inter-
   process communication only; however, all such tokens MUST start with
   a two-octet token ID, hex 04 02, in network byte order.

   The OID for GSS_C_NT_COMPOSITE_EXPORT is <TBD>.

12.1.  C-Bindings

   OM_uint32 gss_export_name_composite(
     OM_uint32                     *minor_status,
     gss_name_t                    name,
     gss_buffer_t                  exp_composite_name
   );


13.  GSS_Map_name_to_any()

   Inputs:

   o  name NAME,

   o  authenticated BOOLEAN, -- if TRUE no data will be output unless it
      is authenticated

   o  type_id OBJECT IDENTIFIER

   Outputs:

   o  major_status INTEGER,

   o  minor_status INTEGER,

   o  output ANY DEFINED BY type_id

   Return major_status codes:

   o  GSS_S_COMPLETE indicates no error.

   o  GSS_S_UNAVAILABLE indicates that the mapping or conversion could
      not be done.  The minor status code may provide additional
      information.
   o  GSS_S_FAILURE indicates a general error.  The minor status code
      may provide additional information.

   Whereas name attributes' values are encoded in some network
   representation, applications often require native, language- and/or
   platform-specific data types.  This function provides access to such
   types.

13.1.  C-Bindings

   typedef struct gss_any *gss_any_t;
   OM_uint32 gss_map_name_to_any(
     OM_uint32                     *minor_status,
     gss_name_t                    name,
     int                           authenticated,
     gss_OID                       type_id,
     gss_any_t                     *output
   );

   Note the new C bindings type, gss_any_t.  We define it as a pointer
   to an incompletely declared struct.


14.  GSS_Release_any_name_mapping()

   Inputs:

   o  name NAME,

   o  type_id OBJECT IDENTIFIER,

   o  input ANY DEFINED BY type_id

   Outputs:

   o  major_status INTEGER,

   o  minor_status INTEGER

   Return major_status codes:

   o  GSS_S_COMPLETE indicates no error.

   o  GSS_S_UNAVAILABLE indicates that the mapping or conversion could
      not be done.  The minor status code may provide additional
      information.
   o  GSS_S_FAILURE indicates a general error.  The minor status code
      may provide additional information.

   This function releases, if possible, the objects of language- and/or
   platform-specific types output by GSS_Map_name_to_any().  If such
   types have native release functions, applications MAY use either
   those or this function to release the given object.

14.1.  C-Bindings

   typedef struct gss_any *gss_any_t;
   OM_uint32 gss_release_any_name_mapping(
     OM_uint32                     *minor_status,
     gss_name_t                    name,
     gss_OID                       type_id,
     gss_any_t                     *input
   );


15.  IANA Considerations

   This document creates a namespace of GSS-API name attributes.
   Attributes are named by OID, so no single allocation authority is
   strictly needed; however, in the interest of providing the community
   with an authority for name attribute OID allocation and a way to find
   the existing set of name attributes, the IANA should establish both a
   single OID off of which name attributes could be allocated and a
   registry of known GSS name attributes.

   GSS-API name attribute registry entries should contain all the
   information that GSS_Inquire_name_attribute() may return about the
   given name attributes and their OIDs:

   o  a name attribute OID (this is a unique key)

   o  a name attribute symbolic name, starting with "GSS_C_NA_" (this is
      a unique key)

   o  a brief description, in English

   o  whether the attribute is useful as the subject of access control
      list entries

   o  whether the attribute is useful as an indicator of trust

   o  an optional normative reference to documentation for the given
      name attribute
   The allocation and registration policy should be first come, first
   served.  Registry entries' OIDs need not be based on the base OID
   given above.


16.  Security Considerations

   <TBA>

   [In particular, the status of a name attribute as "authenticated" vs.
   "asserted" requires close review, particularly with respect to PKIX
   certificate extensions.]

   [Also, we need to work out the security considerations of (and
   possibly remove) negative attributes.]

17.  Normative References

   [I-D.GSS-NAMING]
              Hartman, S., "Desired Enhancements to GSSAPI Naming",
              draft-ietf-kitten-gss-naming-01.txt (work in progress),
              February 2005.

   [I-D.ietf-krb-wg-kerberos-clarifications]
              Neuman, C., "The Kerberos Network Authentication Service
              (V5)", draft-ietf-krb-wg-kerberos-clarifications-07 (work
              in progress), September 2004.

   [RFC2025]  Adams, C., "The Simple Public-Key GSS-API Mechanism
              (SPKM)", RFC 2025, October 1996.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2743]  Linn, J., "Generic Security Service Application Program
              Interface Version 2, Update 1", RFC 2743, January 2000.

   [RFC2744]  Wray, J., "Generic Security Service API Version 2 :
              C-bindings", RFC 2744, January 2000.

   [RFC3280]  Housley, R., Polk, W., Ford, W., and D. Solo, "Internet
              X.509 Public Key Infrastructure Certificate and
              Certificate Revocation List (CRL) Profile", RFC 3280,
              April 2002.


Author's Address

   Nicolas Williams
   Sun Microsystems
   5300 Riata Trace Ct
   Austin, TX  78727
   US

   Email: Nicolas.Williams@sun.com


Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Copyright Statement

   Copyright (C) The Internet Society (2005).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.


Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.