summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc5179.txt
diff options
context:
space:
mode:
authorThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
committerThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
commit4bfd864f10b68b71482b35c818559068ef8d5797 (patch)
treee3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc5179.txt
parentea76e11061bda059ae9f9ad130a9895cc85607db (diff)
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc5179.txt')
-rw-r--r--doc/rfc/rfc5179.txt283
1 files changed, 283 insertions, 0 deletions
diff --git a/doc/rfc/rfc5179.txt b/doc/rfc/rfc5179.txt
new file mode 100644
index 0000000..dcc9a0c
--- /dev/null
+++ b/doc/rfc/rfc5179.txt
@@ -0,0 +1,283 @@
+
+
+
+
+
+
+Network Working Group N. Williams
+Request for Comments: 5179 Sun
+Category: Standards Track May 2008
+
+
+ Generic Security Service Application Program Interface (GSS-API)
+ Domain-Based Service Names Mapping for the Kerberos V GSS Mechanism
+
+Status of This Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Abstract
+
+ This document describes the mapping of Generic Security Service
+ Application Program Interface (GSS-API) domain-name-based service
+ principal names onto Kerberos V principal names.
+
+Table of Contents
+
+ 1. Domain-Based Names for the Kerberos V GSS-API Mechanism . . . . 2
+ 2. Conventions Used in This Document . . . . . . . . . . . . . . . 2
+ 3. Internationalization Considerations . . . . . . . . . . . . . . 2
+ 4. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 5. Security Considerations . . . . . . . . . . . . . . . . . . . . 3
+ 6. Normative References . . . . . . . . . . . . . . . . . . . . . 3
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Williams Standards Track [Page 1]
+
+RFC 5179 Kerberos Domain-Based Names May 2008
+
+
+1. Domain-Based Names for the Kerberos V GSS-API Mechanism
+
+ In accordance with [RFC5178], this document provides the mechanism-
+ specific details needed to implement GSS-API [RFC2743] domain-based
+ service names with the Kerberos V GSS-API mechanism [RFC4121].
+
+ GSS_C_NT_DOMAINBASED_SERVICE name SHOULD be mapped to Kerberos V
+ principal names as follows:
+
+ o the <service> name becomes the first (0th) component of the
+ Kerberos V principal name;
+
+ o the <hostname> becomes the second component of the Kerberos V
+ principal name;
+
+ o the <domain> name becomes the third component of the Kerberos V
+ principal name;
+
+ o the realm of the resulting principal name is that which
+ corresponds to the domain name, treated as a hostname.
+
+ The same name canonicalization considerations and methods as used
+ elsewhere in the Kerberos V GSS-API mechanism [RFC4121] and Kerberos
+ V [RFC4120] in general apply here.
+
+ Implementations SHOULD use a Kerberos V name-type of
+ NTT-SRVT-HST-DOMAIN (which has the value 12) but MAY use NT-UNKNOWN
+ instead.
+
+2. Conventions Used in This Document
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+3. Internationalization Considerations
+
+ It is unclear, at this time, how best to address internationalization
+ of Kerberos V domain-based principal names. This is because the
+ Kerberos V core protocol internationalization project is incomplete.
+
+ However, clearly the best way to interoperate when using Kerberos V
+ domain-based principal names is to use ACE-encoded internationalized
+ domain names [RFC3490] for the hostname and domain name slots of a
+ Kerberos V domain-based principal name. Therefore Kerberos V GSS-API
+ mechanism implementations MUST do just that.
+
+
+
+
+
+Williams Standards Track [Page 2]
+
+RFC 5179 Kerberos Domain-Based Names May 2008
+
+
+4. Examples
+
+ o The domain-based name, of generic form,
+ "ldap@foo.example@ds1.foo.example" may map to a Kerberos V
+ principal name like: "ldap/ds1.foo.example/
+ foo.example@FOO.EXAMPLE"
+
+ o The domain-based name, of generic form,
+ "kadmin@foo.example@kdc1.foo.example" may map to a Kerberos V
+ principal name like: "kadmin/kdc1.foo.example/
+ foo.example@FOO.EXAMPLE"
+
+5. Security Considerations
+
+ See [RFC5178].
+
+ It is important for the security of protocols using the Kerberos V
+ GSS-API mechanism and domain-based names, that the realm of domain-
+ based principal names be derived from the hostname, rather than the
+ domain name slots of the input domain-based name string.
+
+6. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2743] Linn, J., "Generic Security Service Application Program
+ Interface Version 2, Update 1", RFC 2743, January 2000.
+
+ [RFC3490] Faltstrom, P., Hoffman, P., and A. Costello,
+ "Internationalizing Domain Names in Applications (IDNA)",
+ RFC 3490, March 2003.
+
+ [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
+ Kerberos Network Authentication Service (V5)", RFC 4120,
+ July 2005.
+
+ [RFC4121] Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos
+ Version 5 Generic Security Service Application Program
+ Interface (GSS-API) Mechanism: Version 2", RFC 4121,
+ July 2005.
+
+ [RFC5178] Williams, N. and A. Melnikov, "Generic Security Service
+ Application Program Interface (GSS-API)
+ Internationalization and Domain-Based Service Names and
+ Name Type", RFC 5178, May 2008.
+
+
+
+
+
+Williams Standards Track [Page 3]
+
+RFC 5179 Kerberos Domain-Based Names May 2008
+
+
+Author's Address
+
+ Nicolas Williams
+ Sun Microsystems
+ 5300 Riata Trace Ct.
+ Austin, TX 78727
+ US
+
+ EMail: Nicolas.Williams@sun.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Williams Standards Track [Page 4]
+
+RFC 5179 Kerberos Domain-Based Names May 2008
+
+
+Full Copyright Statement
+
+ Copyright (C) The IETF Trust (2008).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
+ THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
+ OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
+ THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+
+
+
+
+
+
+
+
+
+
+
+Williams Standards Track [Page 5]
+