imapext-2007: docs/rfc/rfc4752.txt annotate

imapext-2007

annotate docs/rfc/rfc4752.txt @ 0:ada5e610ab86

imap-2007e

author	yuuji@gentei.org
date	Mon, 14 Sep 2009 15:17:45 +0900
parents
children

rev	line source
yuuji@0	1
yuuji@0	2
yuuji@0	3
yuuji@0	4
yuuji@0	5
yuuji@0	6
yuuji@0	7 Network Working Group A. Melnikov, Ed.
yuuji@0	8 Request for Comments: 4752 Isode
yuuji@0	9 Obsoletes: 2222 November 2006
yuuji@0	10 Category: Standards Track
yuuji@0	11
yuuji@0	12
yuuji@0	13 The Kerberos V5 ("GSSAPI")
yuuji@0	14 Simple Authentication and Security Layer (SASL) Mechanism
yuuji@0	15
yuuji@0	16 Status of This Memo
yuuji@0	17
yuuji@0	18 This document specifies an Internet standards track protocol for the
yuuji@0	19 Internet community, and requests discussion and suggestions for
yuuji@0	20 improvements. Please refer to the current edition of the "Internet
yuuji@0	21 Official Protocol Standards" (STD 1) for the standardization state
yuuji@0	22 and status of this protocol. Distribution of this memo is unlimited.
yuuji@0	23
yuuji@0	24 Copyright Notice
yuuji@0	25
yuuji@0	26 Copyright (C) The IETF Trust (2006).
yuuji@0	27
yuuji@0	28 Abstract
yuuji@0	29
yuuji@0	30 The Simple Authentication and Security Layer (SASL) is a framework
yuuji@0	31 for adding authentication support to connection-based protocols.
yuuji@0	32 This document describes the method for using the Generic Security
yuuji@0	33 Service Application Program Interface (GSS-API) Kerberos V5 in the
yuuji@0	34 SASL.
yuuji@0	35
yuuji@0	36 This document replaces Section 7.2 of RFC 2222, the definition of the
yuuji@0	37 "GSSAPI" SASL mechanism. This document, together with RFC 4422,
yuuji@0	38 obsoletes RFC 2222.
yuuji@0	39
yuuji@0	40
yuuji@0	41
yuuji@0	42
yuuji@0	43
yuuji@0	44
yuuji@0	45
yuuji@0	46
yuuji@0	47
yuuji@0	48
yuuji@0	49
yuuji@0	50
yuuji@0	51
yuuji@0	52
yuuji@0	53
yuuji@0	54
yuuji@0	55
yuuji@0	56
yuuji@0	57
yuuji@0	58 Melnikov Standards Track [Page 1]
yuuji@0	59
yuuji@0	60 RFC 4752 SASL GSSAPI Mechanism November 2006
yuuji@0	61
yuuji@0	62
yuuji@0	63 Table of Contents
yuuji@0	64
yuuji@0	65 1. Introduction ....................................................2
yuuji@0	66 1.1. Relationship to Other Documents ............................2
yuuji@0	67 2. Conventions Used in This Document ...............................2
yuuji@0	68 3. Kerberos V5 GSS-API Mechanism ...................................2
yuuji@0	69 3.1. Client Side of Authentication Protocol Exchange ............3
yuuji@0	70 3.2. Server Side of Authentication Protocol Exchange ............4
yuuji@0	71 3.3. Security Layer .............................................6
yuuji@0	72 4. IANA Considerations .............................................7
yuuji@0	73 5. Security Considerations .........................................7
yuuji@0	74 6. Acknowledgements ................................................8
yuuji@0	75 7. Changes since RFC 2222 ..........................................8
yuuji@0	76 8. References ......................................................8
yuuji@0	77 8.1. Normative References .......................................8
yuuji@0	78 8.2. Informative References .....................................9
yuuji@0	79
yuuji@0	80 1. Introduction
yuuji@0	81
yuuji@0	82 This specification documents currently deployed Simple Authentication
yuuji@0	83 and Security Layer (SASL [SASL]) mechanism supporting the Kerberos V5
yuuji@0	84 [KERBEROS] Generic Security Service Application Program Interface
yuuji@0	85 ([GSS-API]) mechanism [RFC4121]. The authentication sequence is
yuuji@0	86 described in Section 3. Note that the described authentication
yuuji@0	87 sequence has known limitations, in particular, it lacks channel
yuuji@0	88 bindings and the number of round-trips required to complete
yuuji@0	89 authentication exchange is not minimal. SASL WG is working on a
yuuji@0	90 separate document that should address these limitations.
yuuji@0	91
yuuji@0	92 1.1. Relationship to Other Documents
yuuji@0	93
yuuji@0	94 This document, together with RFC 4422, obsoletes RFC 2222 in its
yuuji@0	95 entirety. This document replaces Section 7.2 of RFC 2222. The
yuuji@0	96 remainder is obsoleted as detailed in Section 1.2 of RFC 4422.
yuuji@0	97
yuuji@0	98 2. Conventions Used in This Document
yuuji@0	99
yuuji@0	100 The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY"
yuuji@0	101 in this document are to be interpreted as defined in "Key words for
yuuji@0	102 use in RFCs to Indicate Requirement Levels" [KEYWORDS].
yuuji@0	103
yuuji@0	104 3. Kerberos V5 GSS-API Mechanism
yuuji@0	105
yuuji@0	106 The SASL mechanism name for the Kerberos V5 GSS-API mechanism
yuuji@0	107 [RFC4121] is "GSSAPI". Though known as the SASL GSSAPI mechanism,
yuuji@0	108 the mechanism is specifically tied to Kerberos V5 and GSS-API's
yuuji@0	109 Kerberos V5 mechanism.
yuuji@0	110
yuuji@0	111
yuuji@0	112
yuuji@0	113
yuuji@0	114 Melnikov Standards Track [Page 2]
yuuji@0	115
yuuji@0	116 RFC 4752 SASL GSSAPI Mechanism November 2006
yuuji@0	117
yuuji@0	118
yuuji@0	119 The GSSAPI SASL mechanism is a "client goes first" SASL mechanism;
yuuji@0	120 i.e., it starts with the client sending a "response" created as
yuuji@0	121 described in the following section.
yuuji@0	122
yuuji@0	123 The implementation MAY set any GSS-API flags or arguments not
yuuji@0	124 mentioned in this specification as is necessary for the
yuuji@0	125 implementation to enforce its security policy.
yuuji@0	126
yuuji@0	127 Note that major status codes returned by GSS_Init_sec_context() or
yuuji@0	128 GSS_Accept_sec_context() other than GSS_S_COMPLETE or
yuuji@0	129 GSS_S_CONTINUE_NEEDED cause authentication failure. Major status
yuuji@0	130 codes returned by GSS_Unwrap() other than GSS_S_COMPLETE (without any
yuuji@0	131 additional supplementary status codes) cause authentication and/or
yuuji@0	132 security layer failure.
yuuji@0	133
yuuji@0	134 3.1. Client Side of Authentication Protocol Exchange
yuuji@0	135
yuuji@0	136 The client calls GSS_Init_sec_context, passing in
yuuji@0	137 input_context_handle of 0 (initially), mech_type of the Kerberos V5
yuuji@0	138 GSS-API mechanism [KRB5GSS], chan_binding of NULL, and targ_name
yuuji@0	139 equal to output_name from GSS_Import_Name called with input_name_type
yuuji@0	140 of GSS_C_NT_HOSTBASED_SERVICE (*) and input_name_string of
yuuji@0	141 "service@hostname" where "service" is the service name specified in
yuuji@0	142 the protocol's profile, and "hostname" is the fully qualified host
yuuji@0	143 name of the server. When calling the GSS_Init_sec_context, the
yuuji@0	144 client MUST pass the integ_req_flag of TRUE (**). If the client will
yuuji@0	145 be requesting a security layer, it MUST also supply to the
yuuji@0	146 GSS_Init_sec_context a mutual_req_flag of TRUE, and a
yuuji@0	147 sequence_req_flag of TRUE. If the client will be requesting a
yuuji@0	148 security layer providing confidentiality protection, it MUST also
yuuji@0	149 supply to the GSS_Init_sec_context a conf_req_flag of TRUE. The
yuuji@0	150 client then responds with the resulting output_token. If
yuuji@0	151 GSS_Init_sec_context returns GSS_S_CONTINUE_NEEDED, then the client
yuuji@0	152 should expect the server to issue a token in a subsequent challenge.
yuuji@0	153 The client must pass the token to another call to
yuuji@0	154 GSS_Init_sec_context, repeating the actions in this paragraph.
yuuji@0	155
yuuji@0	156 (*) Clients MAY use name types other than GSS_C_NT_HOSTBASED_SERVICE
yuuji@0	157 to import servers' acceptor names, but only when they have a priori
yuuji@0	158 knowledge that the servers support alternate name types. Otherwise
yuuji@0	159 clients MUST use GSS_C_NT_HOSTBASED_SERVICE for importing acceptor
yuuji@0	160 names.
yuuji@0	161
yuuji@0	162 (**) Note that RFC 2222 [RFC2222] implementations will not work with
yuuji@0	163 GSS-API implementations that require integ_req_flag to be true. No
yuuji@0	164 implementations of RFC 1964 [KRB5GSS] or RFC 4121 [RFC4121] that
yuuji@0	165 require integ_req_flag to be true are believed to exist and it is
yuuji@0	166 expected that any future update to [RFC4121] will require that
yuuji@0	167
yuuji@0	168
yuuji@0	169
yuuji@0	170 Melnikov Standards Track [Page 3]
yuuji@0	171
yuuji@0	172 RFC 4752 SASL GSSAPI Mechanism November 2006
yuuji@0	173
yuuji@0	174
yuuji@0	175 integrity be available even in not explicitly requested by the
yuuji@0	176 application.
yuuji@0	177
yuuji@0	178 When GSS_Init_sec_context returns GSS_S_COMPLETE, the client examines
yuuji@0	179 the context to ensure that it provides a level of protection
yuuji@0	180 permitted by the client's security policy. In particular, if the
yuuji@0	181 integ_avail flag is not set in the context, then no security layer
yuuji@0	182 can be offered or accepted.
yuuji@0	183
yuuji@0	184 If the conf_avail flag is not set in the context, then no security
yuuji@0	185 layer with confidentiality can be offered or accepted. If the
yuuji@0	186 context is acceptable, the client takes the following actions: If the
yuuji@0	187 last call to GSS_Init_sec_context returned an output_token, then the
yuuji@0	188 client responds with the output_token, otherwise the client responds
yuuji@0	189 with no data. The client should then expect the server to issue a
yuuji@0	190 token in a subsequent challenge. The client passes this token to
yuuji@0	191 GSS_Unwrap and interprets the first octet of resulting cleartext as a
yuuji@0	192 bit-mask specifying the security layers supported by the server and
yuuji@0	193 the second through fourth octets as the maximum size output_message
yuuji@0	194 the server is able to receive (in network byte order). If the
yuuji@0	195 resulting cleartext is not 4 octets long, the client fails the
yuuji@0	196 negotiation. The client verifies that the server maximum buffer is 0
yuuji@0	197 if the server does not advertise support for any security layer.
yuuji@0	198
yuuji@0	199 The client then constructs data, with the first octet containing the
yuuji@0	200 bit-mask specifying the selected security layer, the second through
yuuji@0	201 fourth octets containing in network byte order the maximum size
yuuji@0	202 output_message the client is able to receive (which MUST be 0 if the
yuuji@0	203 client does not support any security layer), and the remaining octets
yuuji@0	204 containing the UTF-8 [UTF8] encoded authorization identity.
yuuji@0	205 (Implementation note: The authorization identity is not terminated
yuuji@0	206 with the zero-valued (%x00) octet (e.g., the UTF-8 encoding of the
yuuji@0	207 NUL (U+0000) character)). The client passes the data to GSS_Wrap
yuuji@0	208 with conf_flag set to FALSE and responds with the generated
yuuji@0	209 output_message. The client can then consider the server
yuuji@0	210 authenticated.
yuuji@0	211
yuuji@0	212 3.2. Server Side of Authentication Protocol Exchange
yuuji@0	213
yuuji@0	214 A server MUST NOT advertise support for the "GSSAPI" SASL mechanism
yuuji@0	215 described in this document unless it has acceptor credential for the
yuuji@0	216 Kerberos V GSS-API mechanism [KRB5GSS].
yuuji@0	217
yuuji@0	218 The server passes the initial client response to
yuuji@0	219 GSS_Accept_sec_context as input_token, setting input_context_handle
yuuji@0	220 to 0 (initially), chan_binding of NULL, and a suitable
yuuji@0	221 acceptor_cred_handle (see below). If GSS_Accept_sec_context returns
yuuji@0	222 GSS_S_CONTINUE_NEEDED, the server returns the generated output_token
yuuji@0	223
yuuji@0	224
yuuji@0	225
yuuji@0	226 Melnikov Standards Track [Page 4]
yuuji@0	227
yuuji@0	228 RFC 4752 SASL GSSAPI Mechanism November 2006
yuuji@0	229
yuuji@0	230
yuuji@0	231 to the client in challenge and passes the resulting response to
yuuji@0	232 another call to GSS_Accept_sec_context, repeating the actions in this
yuuji@0	233 paragraph.
yuuji@0	234
yuuji@0	235 Servers SHOULD use a credential obtained by calling GSS_Acquire_cred
yuuji@0	236 or GSS_Add_cred for the GSS_C_NO_NAME desired_name and the Object
yuuji@0	237 Identifier (OID) of the Kerberos V5 GSS-API mechanism [KRB5GSS](*).
yuuji@0	238 Servers MAY use GSS_C_NO_CREDENTIAL as an acceptor credential handle.
yuuji@0	239 Servers MAY use a credential obtained by calling GSS_Acquire_cred or
yuuji@0	240 GSS_Add_cred for the server's principal name(s) (**) and the Kerberos
yuuji@0	241 V5 GSS-API mechanism [KRB5GSS].
yuuji@0	242
yuuji@0	243 (*) Unlike GSS_Add_cred the GSS_Acquire_cred uses an OID set of GSS-
yuuji@0	244 API mechanism as an input parameter. The OID set can be created by
yuuji@0	245 using GSS_Create_empty_OID_set and GSS_Add_OID_set_member. It can be
yuuji@0	246 freed by calling the GSS_Release_oid_set.
yuuji@0	247
yuuji@0	248
yuuji@0	249 (**) Use of server's principal names having
yuuji@0	250 GSS_C_NT_HOSTBASED_SERVICE name type and "service@hostname" format,
yuuji@0	251 where "service" is the service name specified in the protocol's
yuuji@0	252 profile, and "hostname" is the fully qualified host name of the
yuuji@0	253 server, is RECOMMENDED. The server name is generated by calling
yuuji@0	254 GSS_Import_name with input_name_type of GSS_C_NT_HOSTBASED_SERVICE
yuuji@0	255 and input_name_string of "service@hostname".
yuuji@0	256
yuuji@0	257 Upon successful establishment of the security context (i.e.,
yuuji@0	258 GSS_Accept_sec_context returns GSS_S_COMPLETE), the server SHOULD
yuuji@0	259 verify that the negotiated GSS-API mechanism is indeed Kerberos V5
yuuji@0	260 [KRB5GSS]. This is done by examining the value of the mech_type
yuuji@0	261 parameter returned from the GSS_Accept_sec_context call. If the
yuuji@0	262 value differs, SASL authentication MUST be aborted.
yuuji@0	263
yuuji@0	264 Upon successful establishment of the security context and if the
yuuji@0	265 server used GSS_C_NO_NAME/GSS_C_NO_CREDENTIAL to create acceptor
yuuji@0	266 credential handle, the server SHOULD also check using the
yuuji@0	267 GSS_Inquire_context that the target_name used by the client matches
yuuji@0	268 either
yuuji@0	269
yuuji@0	270 - the GSS_C_NT_HOSTBASED_SERVICE "service@hostname" name syntax,
yuuji@0	271 where "service" is the service name specified in the application
yuuji@0	272 protocol's profile,
yuuji@0	273
yuuji@0	274 or
yuuji@0	275
yuuji@0	276 - the GSS_KRB5_NT_PRINCIPAL_NAME [KRB5GSS] name syntax for a two-
yuuji@0	277 component principal where the first component matches the service
yuuji@0	278 name specified in the application protocol's profile.
yuuji@0	279
yuuji@0	280
yuuji@0	281
yuuji@0	282 Melnikov Standards Track [Page 5]
yuuji@0	283
yuuji@0	284 RFC 4752 SASL GSSAPI Mechanism November 2006
yuuji@0	285
yuuji@0	286
yuuji@0	287 When GSS_Accept_sec_context returns GSS_S_COMPLETE, the server
yuuji@0	288 examines the context to ensure that it provides a level of protection
yuuji@0	289 permitted by the server's security policy. In particular, if the
yuuji@0	290 integ_avail flag is not set in the context, then no security layer
yuuji@0	291 can be offered or accepted. If the conf_avail flag is not set in the
yuuji@0	292 context, then no security layer with confidentiality can be offered
yuuji@0	293 or accepted.
yuuji@0	294
yuuji@0	295 If the context is acceptable, the server takes the following actions:
yuuji@0	296 If the last call to GSS_Accept_sec_context returned an output_token,
yuuji@0	297 the server returns it to the client in a challenge and expects a
yuuji@0	298 reply from the client with no data. Whether or not an output_token
yuuji@0	299 was returned (and after receipt of any response from the client to
yuuji@0	300 such an output_token), the server then constructs 4 octets of data,
yuuji@0	301 with the first octet containing a bit-mask specifying the security
yuuji@0	302 layers supported by the server and the second through fourth octets
yuuji@0	303 containing in network byte order the maximum size output_token the
yuuji@0	304 server is able to receive (which MUST be 0 if the server does not
yuuji@0	305 support any security layer). The server must then pass the plaintext
yuuji@0	306 to GSS_Wrap with conf_flag set to FALSE and issue the generated
yuuji@0	307 output_message to the client in a challenge.
yuuji@0	308
yuuji@0	309 The server must then pass the resulting response to GSS_Unwrap and
yuuji@0	310 interpret the first octet of resulting cleartext as the bit-mask for
yuuji@0	311 the selected security layer, the second through fourth octets as the
yuuji@0	312 maximum size output_message the client is able to receive (in network
yuuji@0	313 byte order), and the remaining octets as the authorization identity.
yuuji@0	314 The server verifies that the client has selected a security layer
yuuji@0	315 that was offered and that the client maximum buffer is 0 if no
yuuji@0	316 security layer was chosen. The server must verify that the src_name
yuuji@0	317 is authorized to act as the authorization identity. After these
yuuji@0	318 verifications, the authentication process is complete. The server is
yuuji@0	319 not expected to return any additional data with the success
yuuji@0	320 indicator.
yuuji@0	321
yuuji@0	322 3.3. Security Layer
yuuji@0	323
yuuji@0	324 The security layers and their corresponding bit-masks are as follows:
yuuji@0	325
yuuji@0	326 1 No security layer
yuuji@0	327 2 Integrity protection.
yuuji@0	328 Sender calls GSS_Wrap with conf_flag set to FALSE
yuuji@0	329 4 Confidentiality protection.
yuuji@0	330 Sender calls GSS_Wrap with conf_flag set to TRUE
yuuji@0	331
yuuji@0	332 Other bit-masks may be defined in the future; bits that are not
yuuji@0	333 understood must be negotiated off.
yuuji@0	334
yuuji@0	335
yuuji@0	336
yuuji@0	337
yuuji@0	338 Melnikov Standards Track [Page 6]
yuuji@0	339
yuuji@0	340 RFC 4752 SASL GSSAPI Mechanism November 2006
yuuji@0	341
yuuji@0	342
yuuji@0	343 When decoding any received data with GSS_Unwrap, the major_status
yuuji@0	344 other than the GSS_S_COMPLETE MUST be treated as a fatal error.
yuuji@0	345
yuuji@0	346 Note that SASL negotiates the maximum size of the output_message to
yuuji@0	347 send. Implementations can use the GSS_Wrap_size_limit call to
yuuji@0	348 determine the corresponding maximum size input_message.
yuuji@0	349
yuuji@0	350 4. IANA Considerations
yuuji@0	351
yuuji@0	352 IANA modified the existing registration for "GSSAPI" as follows:
yuuji@0	353
yuuji@0	354 Family of SASL mechanisms: NO
yuuji@0	355
yuuji@0	356 SASL mechanism name: GSSAPI
yuuji@0	357
yuuji@0	358 Security considerations: See Section 5 of RFC 4752
yuuji@0	359
yuuji@0	360 Published specification: RFC 4752
yuuji@0	361
yuuji@0	362 Person & email address to contact for further information:
yuuji@0	363 Alexey Melnikov <Alexey.Melnikov@isode.com>
yuuji@0	364
yuuji@0	365 Intended usage: COMMON
yuuji@0	366
yuuji@0	367 Owner/Change controller: iesg@ietf.org
yuuji@0	368
yuuji@0	369 Additional information: This mechanism is for the Kerberos V5
yuuji@0	370 mechanism of GSS-API.
yuuji@0	371
yuuji@0	372 5. Security Considerations
yuuji@0	373
yuuji@0	374 Security issues are discussed throughout this memo.
yuuji@0	375
yuuji@0	376 When constructing the input_name_string, the client SHOULD NOT
yuuji@0	377 canonicalize the server's fully qualified domain name using an
yuuji@0	378 insecure or untrusted directory service.
yuuji@0	379
yuuji@0	380 For compatibility with deployed software, this document requires that
yuuji@0	381 the chan_binding (channel bindings) parameter to GSS_Init_sec_context
yuuji@0	382 and GSS_Accept_sec_context be NULL, hence disallowing use of GSS-API
yuuji@0	383 support for channel bindings. GSS-API channel bindings in SASL is
yuuji@0	384 expected to be supported via a new GSS-API family of SASL mechanisms
yuuji@0	385 (to be introduced in a future document).
yuuji@0	386
yuuji@0	387 Additional security considerations are in the [SASL] and [GSS-API]
yuuji@0	388 specifications. Additional security considerations for the GSS-API
yuuji@0	389 mechanism can be found in [KRB5GSS] and [KERBEROS].
yuuji@0	390
yuuji@0	391
yuuji@0	392
yuuji@0	393
yuuji@0	394 Melnikov Standards Track [Page 7]
yuuji@0	395
yuuji@0	396 RFC 4752 SASL GSSAPI Mechanism November 2006
yuuji@0	397
yuuji@0	398
yuuji@0	399 6. Acknowledgements
yuuji@0	400
yuuji@0	401 This document replaces Section 7.2 of RFC 2222 [RFC2222] by John G.
yuuji@0	402 Myers. He also contributed significantly to this revision.
yuuji@0	403
yuuji@0	404 Lawrence Greenfield converted text of this document to the XML
yuuji@0	405 format.
yuuji@0	406
yuuji@0	407 Contributions of many members of the SASL mailing list are gratefully
yuuji@0	408 acknowledged, in particular comments from Chris Newman, Nicolas
yuuji@0	409 Williams, Jeffrey Hutzelman, Sam Hartman, Mark Crispin, and Martin
yuuji@0	410 Rex.
yuuji@0	411
yuuji@0	412 7. Changes since RFC 2222
yuuji@0	413
yuuji@0	414 RFC 2078 [RFC2078] specifies the version of GSS-API used by RFC 2222
yuuji@0	415 [RFC2222], which provided the original version of this specification.
yuuji@0	416 That version of GSS-API did not provide the integ_integ_avail flag as
yuuji@0	417 an input to GSS_Init_sec_context. Instead, integrity was always
yuuji@0	418 requested. RFC 4422 [SASL] requires that when possible, the security
yuuji@0	419 layer negotiation be integrity protected. To meet this requirement
yuuji@0	420 and as part of moving from RFC 2078 [RFC2078] to RFC 2743 [GSS-API],
yuuji@0	421 this specification requires that clients request integrity from
yuuji@0	422 GSS_Init_sec_context so they can use GSS_Wrap to protect the security
yuuji@0	423 layer negotiation. This specification does not require that the
yuuji@0	424 mechanism offer the integrity security layer, simply that the
yuuji@0	425 security layer negotiation be wrapped.
yuuji@0	426
yuuji@0	427 8. References
yuuji@0	428
yuuji@0	429 8.1. Normative References
yuuji@0	430
yuuji@0	431 [GSS-API] Linn, J., "Generic Security Service Application Program
yuuji@0	432 Interface Version 2, Update 1", RFC 2743, January 2000.
yuuji@0	433
yuuji@0	434 [KERBEROS] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
yuuji@0	435 Kerberos Network Authentication Service (V5)", RFC 4120,
yuuji@0	436 July 2005.
yuuji@0	437
yuuji@0	438 [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate
yuuji@0	439 Requirement Levels", BCP 14, RFC 2119, March 1997.
yuuji@0	440
yuuji@0	441 [KRB5GSS] Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC
yuuji@0	442 1964, June 1996.
yuuji@0	443
yuuji@0	444
yuuji@0	445
yuuji@0	446
yuuji@0	447
yuuji@0	448
yuuji@0	449
yuuji@0	450 Melnikov Standards Track [Page 8]
yuuji@0	451
yuuji@0	452 RFC 4752 SASL GSSAPI Mechanism November 2006
yuuji@0	453
yuuji@0	454
yuuji@0	455 [RFC4121] Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos
yuuji@0	456 Version 5 Generic Security Service Application Program
yuuji@0	457 Interface (GSS-API) Mechanism: Version 2", RFC 4121, July
yuuji@0	458 2005.
yuuji@0	459
yuuji@0	460 [SASL] Melnikov, A. and K. Zeilenga, "Simple Authentication and
yuuji@0	461 Security Layer (SASL)", RFC 4422, June 2006.
yuuji@0	462
yuuji@0	463 [UTF8] Yergeau, F., "UTF-8, a transformation format of ISO
yuuji@0	464 10646", STD 63, RFC 3629, November 2003.
yuuji@0	465
yuuji@0	466 8.2. Informative References
yuuji@0	467
yuuji@0	468 [RFC2078] Linn, J., "Generic Security Service Application Program
yuuji@0	469 Interface, Version 2", RFC 2078, January 1997.
yuuji@0	470
yuuji@0	471 [RFC2222] Myers, J., "Simple Authentication and Security Layer
yuuji@0	472 (SASL)", RFC 2222, October 1997.
yuuji@0	473
yuuji@0	474 Editor's Address
yuuji@0	475
yuuji@0	476 Alexey Melnikov
yuuji@0	477 Isode Limited
yuuji@0	478 5 Castle Business Village
yuuji@0	479 36 Station Road
yuuji@0	480 Hampton, Middlesex TW12 2BX
yuuji@0	481 UK
yuuji@0	482
yuuji@0	483 EMail: Alexey.Melnikov@isode.com
yuuji@0	484 URI: http://www.melnikov.ca/
yuuji@0	485
yuuji@0	486
yuuji@0	487
yuuji@0	488
yuuji@0	489
yuuji@0	490
yuuji@0	491
yuuji@0	492
yuuji@0	493
yuuji@0	494
yuuji@0	495
yuuji@0	496
yuuji@0	497
yuuji@0	498
yuuji@0	499
yuuji@0	500
yuuji@0	501
yuuji@0	502
yuuji@0	503
yuuji@0	504
yuuji@0	505
yuuji@0	506 Melnikov Standards Track [Page 9]
yuuji@0	507
yuuji@0	508 RFC 4752 SASL GSSAPI Mechanism November 2006
yuuji@0	509
yuuji@0	510
yuuji@0	511 Full Copyright Statement
yuuji@0	512
yuuji@0	513 Copyright (C) The IETF Trust (2006).
yuuji@0	514
yuuji@0	515 This document is subject to the rights, licenses and restrictions
yuuji@0	516 contained in BCP 78, and except as set forth therein, the authors
yuuji@0	517 retain all their rights.
yuuji@0	518
yuuji@0	519 This document and the information contained herein are provided on an
yuuji@0	520 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
yuuji@0	521 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST,
yuuji@0	522 AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES,
yuuji@0	523 EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT
yuuji@0	524 THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY
yuuji@0	525 IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR
yuuji@0	526 PURPOSE.
yuuji@0	527
yuuji@0	528 Intellectual Property
yuuji@0	529
yuuji@0	530 The IETF takes no position regarding the validity or scope of any
yuuji@0	531 Intellectual Property Rights or other rights that might be claimed to
yuuji@0	532 pertain to the implementation or use of the technology described in
yuuji@0	533 this document or the extent to which any license under such rights
yuuji@0	534 might or might not be available; nor does it represent that it has
yuuji@0	535 made any independent effort to identify any such rights. Information
yuuji@0	536 on the procedures with respect to rights in RFC documents can be
yuuji@0	537 found in BCP 78 and BCP 79.
yuuji@0	538
yuuji@0	539 Copies of IPR disclosures made to the IETF Secretariat and any
yuuji@0	540 assurances of licenses to be made available, or the result of an
yuuji@0	541 attempt made to obtain a general license or permission for the use of
yuuji@0	542 such proprietary rights by implementers or users of this
yuuji@0	543 specification can be obtained from the IETF on-line IPR repository at
yuuji@0	544 http://www.ietf.org/ipr.
yuuji@0	545
yuuji@0	546 The IETF invites any interested party to bring to its attention any
yuuji@0	547 copyrights, patents or patent applications, or other proprietary
yuuji@0	548 rights that may cover technology that may be required to implement
yuuji@0	549 this standard. Please address the information to the IETF at
yuuji@0	550 ietf-ipr@ietf.org.
yuuji@0	551
yuuji@0	552 Acknowledgement
yuuji@0	553
yuuji@0	554 Funding for the RFC Editor function is currently provided by the
yuuji@0	555 Internet Society.
yuuji@0	556
yuuji@0	557
yuuji@0	558
yuuji@0	559
yuuji@0	560
yuuji@0	561
yuuji@0	562 Melnikov Standards Track [Page 10]
yuuji@0	563