NETWORK WORKING GROUP                                        N. Williams
Internet-Draft                                                       Sun
Expires: December 30, 2004                                     July 2004


   GSS-API Domain-Based Service Names Mapping for the Kerberos V GSS
                               Mechanism
          draft-williams-krb5-gssapi-domain-based-names-00.txt

Status of this Memo

   By submitting this Internet-Draft, I certify that any applicable
   patent or other IPR claims of which I am aware have been disclosed,
   and any of which I become aware will be disclosed, in accordance with
   RFC 3668.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on December 30, 2004.

Copyright Notice

   Copyright (C) The Internet Society (2004).  All Rights Reserved.

Abstract

   This document describes the mapping of GSS-API domain-based service
   principal names onto Kerberos V principal names.


Williams               Expires December 30, 2004                [Page 1]
Internet-Draft        Kerberos Domain Based Names              July 2004

Table of Contents

   1. Conventions used in this document
   2. Domain-Based Names for the Kerberos V GSS-API Mechanism
   3. Examples
   4. Security Considerations
   5. Normative References
      Author's Address
      Intellectual Property and Copyright Statements

1.  Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Domain-Based Names for the Kerberos V GSS-API Mechanism

   In accordance with [DOMAIN-BASED-NAMES] this document provides the
   mechanism-specific details needed to implement GSS-API [RFC2743]
   domain-based service names with the Kerberos V GSS-API mechanism
   [RFC1964].

   GSS_C_NT_DOMAINBASED_SERVICE names are mapped to Kerberos V principal
   names as follows:
   o  the <service> name becomes the first (0th) component of the
      Kerberos V principal name;
   o  the <domain> name becomes the second component of the Kerberos V
      principal name; if the <domain> name is missing from the GSS name
      then a default domain name MUST be substituted (no mechanism for
      determining this default is given here; it is an
      implementation-specific detail);
   o  the <hostname>, if present, becomes the third component of the
      Kerberos V principal name;
   o  the realm of the resulting principal name is the realm that
      corresponds to the <domain> name, treated as a hostname; if no
      realm can be determined in this way, it is the realm of the
      <hostname>, if present; and, failing that, it is the default realm
      of the GSS-API caller.

   The same name canonicalization considerations and methods as used
   elsewhere in the Kerberos V GSS-API mechanism [RFC1964] and Kerberos
   V [RFC1510] in general apply here.

3.  Examples

   The domain-based names below are written in the form
   <service>@<domain>@<hostname>; an empty <domain> (two adjacent "@"
   characters) means that the default domain is substituted, as
   described in Section 2.

   o  "ldap@@ds1.example.tld" may map to "ldap/example.tld/
      ds1.example.tld@EXAMPLE.TLD"
   o  "ldap@example.tld@ds1.example.tld" may map to "ldap/example.tld/
      ds1.example.tld@EXAMPLE.TLD"

   o  "kadmin@@kdc1.example.tld" may map to "kadmin/example.tld/
      kdc1.example.tld@EXAMPLE.TLD"
   o  "kadmin@example.tld@kdc1.example.tld" may map to "kadmin/
      example.tld/kdc1.example.tld@EXAMPLE.TLD"
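   The mapping rules of Section 2, applied to the names in the examples
   above, worked through as an added example (Python code written for
   this page; it is not part of the draft or of any Kerberos
   implementation).  The draft leaves two things implementation-specific
   and this example supplies both as assumptions: the default <domain>
   policy (parent_domain_of_host, the host's parent domain, which is
   what the examples show) and the host-to-realm lookup (DOMAIN_REALM, a
   table in the style of a krb5 [domain_realm] section, with OTHER.REALM
   as the caller's default realm).  It goes one step past the examples
   by exercising the realm fallback chain (domain, then host, then
   default realm) and by rejecting malformed names.

```python
"""Map GSS_C_NT_DOMAINBASED_SERVICE names to Kerberos V principal names.

Example code for this page, not part of the draft.  The default-<domain>
callback and the host-to-realm table are assumptions of the example.
"""
from dataclasses import dataclass
from typing import Callable, Mapping, Optional, Tuple


@dataclass(frozen=True)
class Krb5Principal:
    components: Tuple[str, ...]  # e.g. ("ldap", "example.tld", "ds1.example.tld")
    realm: str                   # e.g. "EXAMPLE.TLD"

    def __str__(self) -> str:
        # Kerberos V string form: comp0/comp1/...@REALM
        return "/".join(self.components) + "@" + self.realm


def parse_domain_based_name(name: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split '<service>@<domain>@<hostname>' into (service, domain, hostname).

    An empty <domain> or <hostname> is returned as None ("absent").  Domain
    and host names are lowercased and a trailing dot is dropped; the draft
    defers canonicalization to [RFC1964]/[RFC1510], so this minimal
    normalization is an assumption of the example, not a rule of the draft.
    """
    parts = name.split("@")
    if len(parts) != 3:
        raise ValueError(f"not a domain-based service name: {name!r}")
    service, domain, hostname = parts
    if not service:
        raise ValueError(f"empty <service> in {name!r}")

    def norm(label: str) -> Optional[str]:
        label = label.strip().lower().rstrip(".")
        return label or None

    return service, norm(domain), norm(hostname)


def realm_for_host(host: str, domain_realm: Mapping[str, str]) -> Optional[str]:
    """Look up a host's realm, krb5 [domain_realm] style (an assumption).

    An exact key ("example.tld") matches that host only; a leading-dot key
    (".example.tld") matches every host below it.  None means "no answer",
    which is what lets the draft's fallback chain continue.
    """
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key]
    return None


def parent_domain_of_host(hostname: Optional[str]) -> str:
    """One possible default-<domain> policy (an assumption of this example):
    the host's parent domain, which is what the draft's examples show."""
    if hostname is None or "." not in hostname:
        raise ValueError("no <domain> given and none derivable from the host name")
    return hostname.split(".", 1)[1]


def map_domain_based_name(
    name: str,
    *,
    domain_realm: Mapping[str, str],
    default_realm: str,
    default_domain: Callable[[Optional[str]], str] = parent_domain_of_host,
) -> Krb5Principal:
    """Apply the Section 2 rules: components are <service>, <domain>
    (defaulted if absent) and <hostname> (if present); the realm is that of
    <domain> treated as a host, else that of <hostname>, else the default."""
    service, domain, hostname = parse_domain_based_name(name)
    if domain is None:
        domain = default_domain(hostname)  # a default MUST be substituted

    components = [service, domain]
    if hostname is not None:
        components.append(hostname)

    realm = realm_for_host(domain, domain_realm)
    if realm is None and hostname is not None:
        realm = realm_for_host(hostname, domain_realm)
    if realm is None:
        realm = default_realm
    return Krb5Principal(tuple(components), realm)


# Constructed sample table covering the draft's example.tld names.
DOMAIN_REALM = {"example.tld": "EXAMPLE.TLD", ".example.tld": "EXAMPLE.TLD"}


def map_example(name: str) -> str:
    """Map a name with the sample table and OTHER.REALM as default realm."""
    return str(map_domain_based_name(name, domain_realm=DOMAIN_REALM,
                                     default_realm="OTHER.REALM"))


if __name__ == "__main__":
    for n in ("ldap@@ds1.example.tld", "kadmin@example.tld@kdc1.example.tld",
              "ldap@other.test@ds1.example.tld", "ldap@other.test@"):
        print(f"{n:40} -> {map_example(n)}")
```

   Running the module prints the mapping of the draft's sample names
   followed by two names the draft does not show: one whose <domain>
   maps to no realm, so the realm is taken from the host, and one with
   no <hostname> at all, which falls through to the default realm.  The
   second principal component is always the <domain>, given or
   defaulted, never the realm.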

4.  Security Considerations

   See [DOMAIN-BASED-NAMES].

   Note that Section 2 leaves the choice of the default <domain> name
   implementation-specific.  An initiator and an acceptor that derive
   different defaults will name different principals, so deployments
   need to ensure that both sides arrive at the same principal name.

5.  Normative References

   [RFC1510]  Kohl, J. and B. Neuman, "The Kerberos Network
              Authentication Service (V5)", RFC 1510, September 1993.

   [RFC1964]  Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC
              1964, June 1996.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2743]  Linn, J., "Generic Security Service Application Program
              Interface Version 2, Update 1", RFC 2743, January 2000.

Author's Address

   Nicolas Williams
   Sun Microsystems
   5300 Riata Trace Ct
   Austin, TX  78727
   US

   EMail: Nicolas.Williams@sun.com

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2004).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.