Skip to main content

A GSS-API Mechanism for the Extensible Authentication Protocol
RFC 7055

Revision differences

Document history

Date Rev. By Action
2016-11-30
09 (System) Closed request for Last Call review by GENART with state 'Unknown'
2015-10-14
09 (System) Notify list changed from abfab-chairs@ietf.org, draft-ietf-abfab-gss-eap@ietf.org to (None)
2014-01-08
09 (System) IANA registries were updated to include RFC7055
2013-12-31
09 (System) RFC published
2013-12-20
09 (System) RFC Editor state changed to AUTH48-DONE from AUTH48
2013-11-01
09 (System) RFC Editor state changed to AUTH48 from RFC-EDITOR
2013-10-16
09 (System) RFC Editor state changed to RFC-EDITOR from REF
2013-10-15
09 (System) RFC Editor state changed to REF from EDIT
2013-09-27
09 (System) RFC Editor state changed to EDIT from MISSREF
2012-09-13
09 (System) IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor
2012-09-13
09 (System) IANA Action state changed to Waiting on RFC Editor from In Progress
2012-09-12
09 (System) IANA Action state changed to In Progress from Waiting on Authors
2012-09-12
09 (System) IANA Action state changed to Waiting on Authors from In Progress
2012-09-12
09 (System) IANA Action state changed to In Progress from Waiting on Authors
2012-09-06
09 (System) IANA Action state changed to Waiting on Authors from In Progress
2012-08-29
09 Cindy Morgan State changed to RFC Ed Queue from Approved-announcement sent
2012-08-28
09 (System) IANA Action state changed to In Progress
2012-08-28
09 Amy Vezza State changed to Approved-announcement sent from Approved-announcement to be sent::Point Raised - writeup needed
2012-08-28
09 Amy Vezza IESG has approved the document
2012-08-28
09 Amy Vezza Closed "Approve" ballot
2012-08-28
09 Amy Vezza Ballot approval text was generated
2012-08-27
09 Stephen Farrell Ballot writeup was changed
2012-08-13
09 Sam Hartman New version available: draft-ietf-abfab-gss-eap-09.txt
2012-07-19
08 Samuel Weiler Request for Telechat review by SECDIR Completed: Ready with Issues. Reviewer: Jeffrey Hutzelman.
2012-07-19
08 Cindy Morgan State changed to Approved-announcement to be sent::Point Raised - writeup needed from IESG Evaluation
2012-07-19
08 Stephen Farrell Ballot writeup was changed
2012-07-19
08 Gonzalo Camarillo [Ballot Position Update] New position, No Objection, has been recorded for Gonzalo Camarillo
2012-07-19
08 Adrian Farrel [Ballot Position Update] New position, No Objection, has been recorded for Adrian Farrel
2012-07-19
08 Benoît Claise [Ballot Position Update] New position, No Objection, has been recorded for Benoit Claise
2012-07-18
08 Pete Resnick [Ballot Position Update] New position, No Objection, has been recorded for Pete Resnick
2012-07-18
08 Ralph Droms [Ballot Position Update] New position, No Objection, has been recorded for Ralph Droms
2012-07-18
08 Barry Leiba
[Ballot comment]
Just one small thing about the IANA Considerations: The reference to "section 4.1 of RFC 4121" makes it clear, but it would …
[Ballot comment]
Just one small thing about the IANA Considerations: The reference to "section 4.1 of RFC 4121" makes it clear, but it would be useful if one detail of the registry in 7.2 were specified here... the "ID" field is two octets, specified in hex in big-endian order.  Having that bit here will make it easier for IANA to see that IDs have been specified correctly, without their having to go look in RFC 4121.
2012-07-18
08 Barry Leiba [Ballot Position Update] New position, No Objection, has been recorded for Barry Leiba
2012-07-18
08 Sean Turner
[Ballot comment]
Only nits:

1) abstract: expand GS2.

2) s1: First sentence reads a little odd: The architecture describes an architecture.  Maybe the following is …
[Ballot comment]
Only nits:

1) abstract: expand GS2.

2) s1: First sentence reads a little odd: The architecture describes an architecture.  Maybe the following is a little better:

OLD:

The ABFAB architecture [I-D.ietf-abfab-arch] describes an
architecture for providing federated access management to


NEW:

ABFAB [I-D.ietf-abfab-arch] describes an
architecture for providing federated access management to

3) s1: Maybe r/backend authentication server/backend authentication, authorization, and accounting (AAA) server
that way AAA is expanded and introduced.

4) s3.1: r/mechanism.The/mechanism. The

5) s3.4: r/name.All/name. All

6) s5: r/and body must be present/and body MUST be present

7) s5.1: r/[RFC3961]is/[RFC3961] is

8) s5.5.1 & s5.5.2 : r/required/REQUIRED

9) s6: r/l bits of its input/L bits of its input  - ought to match the notation later which is uppercase L

10) s10.2: There are some outdated references:

== Outdated reference: A later version (-03) exists of
  draft-ietf-abfab-arch-02

== Outdated reference: draft-ietf-krb-wg-gss-cb-hash-agility has been
  published as RFC 6542

== Outdated reference: A later version (-06) exists of
  draft-ietf-radext-radius-extensions-05

== Outdated reference: draft-ietf-radext-radsec has been published as RFC
  6614
2012-07-18
08 Sean Turner [Ballot Position Update] New position, No Objection, has been recorded for Sean Turner
2012-07-18
08 Stewart Bryant [Ballot Position Update] New position, No Objection, has been recorded for Stewart Bryant
2012-07-17
08 Russ Housley [Ballot Position Update] New position, No Objection, has been recorded for Russ Housley
2012-07-17
08 Robert Sparks [Ballot Position Update] New position, No Objection, has been recorded for Robert Sparks
2012-07-17
08 Wesley Eddy [Ballot Position Update] New position, No Objection, has been recorded for Wesley Eddy
2012-07-16
08 Martin Stiemerling [Ballot Position Update] New position, No Objection, has been recorded for Martin Stiemerling
2012-07-16
08 Brian Haberman [Ballot Position Update] New position, No Objection, has been recorded for Brian Haberman
2012-07-16
08 Ron Bonica [Ballot Position Update] New position, No Objection, has been recorded for Ronald Bonica
2012-07-13
08 Samuel Weiler Request for Telechat review by SECDIR is assigned to Jeffrey Hutzelman
2012-07-13
08 Samuel Weiler Request for Telechat review by SECDIR is assigned to Jeffrey Hutzelman
2012-07-13
08 Samuel Weiler Assignment of request for Last Call review by SECDIR to Sam Hartman was rejected
2012-07-10
08 Stephen Farrell Placed on agenda for telechat - 2012-07-19
2012-07-10
08 Stephen Farrell State changed to IESG Evaluation from Waiting for AD Go-Ahead
2012-07-10
08 Stephen Farrell Ballot has been issued
2012-07-10
08 Stephen Farrell [Ballot Position Update] New position, Yes, has been recorded for Stephen Farrell
2012-07-10
08 Stephen Farrell Created "Approve" ballot
2012-07-10
08 Stephen Farrell Ballot writeup was changed
2012-07-10
08 Stephen Farrell Ballot writeup was changed
2012-07-10
08 (System) State changed to Waiting for AD Go-Ahead from In Last Call
2012-07-09
08 Pearl Liang
IANA has reviewed draft-ietf-abfab-gss-eap-08 and has the following
comments:

IANA understands that, upon approval of this document, there are
seven IANA actions which must be …
IANA has reviewed draft-ietf-abfab-gss-eap-08 and has the following
comments:

IANA understands that, upon approval of this document, there are
seven IANA actions which must be completed.

First, in the Network Management Parameters registry located at:

http://www.iana.org/assignments/smi-numbers

a new subregistry will be created called: "Object Identifiers for Application
Bridging for federated Access".  The registration policy for the new
subregistry is IETF Review or IESG approval as defined by RFC 5226
Early allocation in this subregistry is permitted.  The reference for
the root of this OID delegation will be updated to point to the newly
created registry.

There are initial registrations in this new subregistry as follows:

Prefix: iso.org.dod.internet.security.mechanisms.abfab (1.3.6.1.5.5.15)

Decimal  Name          Description                          References
-------  ----          ------------------------------------  ----------
      0  Reserved      Reserved
      1  mechanisms    A sub-arc containing ABFAB mechanisms
      2  nametypes    A sub-arc containing ABFAB GSS-API Name Types

Prefix: iso.org.dod.internet.security.mechanisms.abfab.mechanisms
        (1.3.6.1.5.5.15.1)

Decimal  Name          Description                          References
-------  ----          ------------------------------------  ----------
      0  Reserved      Reserved
      1  gss-eap-v1    The GSS-EAP mechanism              [ RFC-to-be ]


Prefix: iso.org.dod.internet.security.mechanisms.abfab.nametypes
        (1.3.6.1.5.5.15.2)

Decimal  Name          Description                          References
-------  ----          ------------------------------------  ----------
      0  Reserved      Reserved
      1  GSS_EAP_NT_EAP_NAME                              [ RFC-to-be ]

Second, a new, top-level registry will be created and linked from the IANA
matrix page located at:

http://www.iana.org/protocols/

the new registry will be called the "Kerberos V GSS-API Mechanism Parameters"
registry.  This registry will be separate from the existing "Kerberos
Parameters" registry.

In the new registry created in this task, a new sub-registry called "Kerberos
GSS-API Token Type Identifiers" is created.  The reference for the registry will
be RFC 4121.  The allocation procedure for the new subregistry will be expert
review as defined in RFC 5226.

There are initial registrations in this new subregistry as follows:

+-------+---------------------------------+-----------------------+
| ID    | Description                    | Reference            |
+-------+---------------------------------+-----------------------+
| 01 00 | KRB_AP_REQ                      | RFC 4121 sect 4.1    |
|      |                                |                      |
| 02 00 | KRB_AP_REP                      | RFC 4121 sect 4.1    |
|      |                                |                      |
| 03 00 | KRB_ERROR                      | RFC 4121 sect 4.1    |
|      |                                |                      |
| 04 04 | MIC tokens                      | RFC 4121 sect 4.2.6.1 |
|      |                                |                      |
| 05 04 | wrap tokens                    | RFC 4121 sect 4.2.6.2 |
|      |                                |                      |
| 06 01 | GSS-EAP initiator context token | Section 5            |
|      |                                |                      |
| 06 02 | GSS EAP acceptor context token  | Section 5            |
+-------+---------------------------------+-----------------------+

In the last two registrations, the reference will include [ RFC-to-be ].


Third, a new, top-level registry will be created and linked from
the IANA matrix page located at:

http://www.iana.org/protocols/

the new registry will be called the "The Extensible Authentication Protocol
Mechanism for the Generic Security Services Application Programming Interface
(GSS-EAP) Parameters".  In any short form of that name, including any URI for
this registry, the string GSS will come before the string EAP.

In this new registry a new subregistry called the "GSS EAP Subtoken Types"
subregistry will be created.  The allocation procedure for the new subregistry
will be expert review as defined in RFC 5226.

There are initial registrations in this new subregistry as follows:

+------------+--------------------------+---------------+
| Type      | Description              | Reference    |
+------------+--------------------------+---------------+
| 0x00000001 | Error                    | Section 5.3  |
|                                      |              |
| 0x0000000B | Vendor                  | Section 5.4.1 |
|            |                          |              |
| 0x00000002 | Acceptor name request    | Section 5.4.2 |
|            |                          |              |
| 0x00000003 | Acceptor name response  | Section 5.4.3 |
|            |                          |              |
| 0x00000005 | EAP request              | Section 5.5.1 |
|            |                          |              |
| 0x00000004 | EAP response            | Section 5.5.2 |
|            |                          |              |
| 0x0000000C | Flags                    | Section 5.6.1 |
|            |                          |              |
| 0x00000006 | GSS-API channel bindings | Section 5.6.2 |
|            |                          |              |
| 0x0000000D | Initiator MIC            | Section 5.6.3 |
|            |                          |              |
| 0x0000000E | Acceptor MIC            | Section 5.6.3 |
+------------+--------------------------+---------------+

In all of these registrations, the reference will include [ RFC-to-be ].

Fourth, in the RADIUS attribute type value subregistry of the RADIUS Types
registry located at:

http://www.iana.org/assignments/radius-types/radius-types.xml

four new RADIUS attribute types will be added as follows:

+--------------------------------+-----------+----------------------+
| Name                          | Attribute | Description          |
+--------------------------------+-----------+----------------------+
| GSS-Acceptor-Service-Name      | TBD1      | user-or-service      |
|                                |          | portion of name      |
|                                |          |                      |
| GSS-Acceptor-Host-Name        | TBD2      | host portion of name |
|                                |          |                      |
| GSS-Acceptor-Service-specifics | TBD3      | service-specifics    |
|                                |          | portion of name      |
|                                |          |                      |
| GSS-Acceptor-Realm-Name        | TBD4      | Realm portion of    |
|                                |          | name                |
+--------------------------------+-----------+----------------------+

In each of the four registrations above, the reference will be [ RFC-to-be ].

Fifth, in the SASL Mechanisms registry located at:

http://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xml

two new SASL mechanisms will be registered as follows:

Mechanism: EAP-AES128
Usage: Common
Reference: [ RFC-to-be ]
Owner: IESG

Mechanism: EAP-AES128-PLUS
Usage: Common
Reference: [ RFC-to-be ]
Owner: IESG

Sixth, in the new GSS EAP registry created in step three of these IANA
actions, a new subregistry will be created called "Error Codes."

The error codes in this registry are unsigned 32-bit numbers. 

Values less than or equal to 127 are assigned by standards action. 
Values 128 through 255 are assigned with the specification required assignment
policy. 
Values greater than 255 are reserved.

There are initial registrations in this new subregistry:

+-------+----------------------------------------------------+
| Value | Description                                        |
+-------+----------------------------------------------------+
| 0    | Reserved                                          |
|      |                                                    |
| 1    | Buffer is incorrect size                          |
|      |                                                    |
| 2    | Incorrect mechanism OID                            |
|      |                                                    |
| 3    | Token is corrupted                                |
|      |                                                    |
| 4    | Token is truncated                                |
|      |                                                    |
| 5    | Packet received by direction that sent it          |
|      |                                                    |
| 6    | Incorrect token type identifier                    |
|      |                                                    |
| 7    | Unhandled critical subtoken received              |
|      |                                                    |
| 8    | Missing required subtoken                          |
|      |                                                    |
| 9    | Duplicate subtoken type                            |
|      |                                                    |
| 10    | Received unexpected subtoken for current state xxx |
|      |                                                    |
| 11    | EAP did not produce a key                          |
|      |                                                    |
| 12    | EAP key too short                                  |
|      |                                                    |
| 13    | Authentication rejected                            |
|      |                                                    |
| 14    | AAA returned an unexpected message type            |
|      |                                                    |
| 15    | AAA response did not include EAP request          |
|      |                                                    |
| 16    | Generic AAA failure                                |
+-------+----------------------------------------------------+

In each of these cases the reference for the initial registrations will
be [ RFC-to-be ].

Seventh, in the new GSS EAP registry created in step three of these IANA
actions, a new subregistry will be created called "Context Flags."

The registration policy for the new subregistry is IETF review or IESG approval.

There are 32 flag bits available for registration represented as hexadecimal
numbers from the most-significant bit 0x80000000 to the least significant bit 0x1.

There is an initial registration in the new subregistry as follows:

+------+-------------------+---------------+
| Flag | Name              | Reference    |
+------+-------------------+---------------+
| 0x2  | GSS_C_MUTUAL_FLAG | Section 5.6.1 |
+------+-------------------+---------------+

The reference for the initial registration will be [ RFC-to-be ].

Note:  The actions requested in this document will not be completed
until the document has been approved for publication as an RFC.
This message is only to confirm what actions will be performed.
2012-06-28
08 Jean Mahoney Request for Last Call review by GENART is assigned to Wassim Haddad
2012-06-28
08 Jean Mahoney Request for Last Call review by GENART is assigned to Wassim Haddad
2012-06-28
08 Samuel Weiler Request for Last Call review by SECDIR is assigned to Sam Hartman
2012-06-28
08 Samuel Weiler Request for Last Call review by SECDIR is assigned to Sam Hartman
2012-06-26
08 Amy Vezza
The following Last Call announcement was sent out:

From: The IESG
To: IETF-Announce
CC:
Reply-To: ietf@ietf.org
Subject: Last Call:  (A GSS-API Mechanism for the Extensible …
The following Last Call announcement was sent out:

From: The IESG
To: IETF-Announce
CC:
Reply-To: ietf@ietf.org
Subject: Last Call:  (A GSS-API Mechanism for the Extensible Authentication Protocol) to Proposed Standard


The IESG has received a request from the Application Bridging for
Federated Access Beyond web WG (abfab) to consider the following
document:
- 'A GSS-API Mechanism for the Extensible Authentication Protocol'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2012-07-10. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  This document defines protocols, procedures, and conventions to be
  employed by peers implementing the Generic Security Service
  Application Program Interface (GSS-API) when using the EAP mechanism.
  Through the GS2 family of mechanisms, these protocols also define how
  Simple Authentication and Security Layer (SASL, RFC 4422)
  applications use the Extensible Authentication Protocol.

The normative reference to the IANA registry [GSS-IANA] might be
considered a downref.

The file can be obtained via
http://datatracker.ietf.org/doc/draft-ietf-abfab-gss-eap/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-ietf-abfab-gss-eap/ballot/


No IPR declarations have been submitted directly on this I-D.


2012-06-26
08 Amy Vezza State changed to In Last Call from Last Call Requested
2012-06-26
08 Stephen Farrell Last call was requested
2012-06-26
08 Stephen Farrell Ballot approval text was generated
2012-06-26
08 Stephen Farrell Ballot writeup was generated
2012-06-26
08 Stephen Farrell State changed to Last Call Requested from AD Evaluation::AD Followup
2012-06-26
08 Stephen Farrell Last call announcement was changed
2012-06-26
08 Stephen Farrell Last call announcement was generated
2012-06-26
08 Stephen Farrell Last call announcement was generated
2012-06-26
08 (System) Sub state has been changed to AD Followup from Revised ID Needed
2012-06-26
08 Sam Hartman New version available: draft-ietf-abfab-gss-eap-08.txt
2012-06-20
07 Stephen Farrell State changed to AD Evaluation::Revised ID Needed from AD Evaluation
2012-06-20
07 Stephen Farrell State changed to AD Evaluation from Publication Requested
2012-06-17
07 Stephen Farrell Intended Status changed to Proposed Standard
2012-06-17
07 Stephen Farrell IESG process started in state Publication Requested
2012-06-17
07 (System) Earlier history may be found in the Comment Log for draft-howlett-eap-gss
2012-06-17
07 Leif Johansson IETF state changed to Submitted to IESG for Publication from WG Document
2012-06-16
07 Leif Johansson Changed protocol writeup
2012-06-16
07 Leif Johansson Stephen, Please use the attached PROTO writeup.
2012-06-16
07 Leif Johansson Changed shepherd to Leif Johansson
2012-05-24
07 Sam Hartman New version available: draft-ietf-abfab-gss-eap-07.txt
2012-04-09
06 Sam Hartman New version available: draft-ietf-abfab-gss-eap-06.txt
2012-03-09
05 Sam Hartman New version available: draft-ietf-abfab-gss-eap-05.txt
2011-10-30
04 (System) New version available: draft-ietf-abfab-gss-eap-04.txt
2011-10-19
03 (System) New version available: draft-ietf-abfab-gss-eap-03.txt
2011-07-11
02 (System) New version available: draft-ietf-abfab-gss-eap-02.txt
2011-02-17
01 (System) New version available: draft-ietf-abfab-gss-eap-01.txt
2010-10-13
00 (System) New version available: draft-ietf-abfab-gss-eap-00.txt