RFC2222 日本語訳
2222 Simple Authentication and Security Layer (SASL). J. Myers. October 1997. (Format: TXT=35010 bytes) (Obsoleted by RFC4422, RFC4752) (Updated by RFC2444) (Status: PROPOSED STANDARD)
プログラムでの自動翻訳です。
英語原文
Network Working Group J. Myers Request for Comments: 2222 Netscape Communications Category: Standards Track October 1997
Network Working Group J. Myers Request for Comments: 2222 Netscape Communications Category: Standards Track October 1997
Simple Authentication and Security Layer (SASL)
Simple Authentication and Security Layer (SASL)
Status of this Memo
Status of this Memo
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright Notice
Copyright (C) The Internet Society (1997). All Rights Reserved.
Copyright (C) The Internet Society (1997). All Rights Reserved.
Table of Contents
Table of Contents
1. Abstract .............................................. 2 2. Organization of this Document ......................... 2 2.1. How to Read This Document ............................. 2 2.2. Conventions Used in this Document ..................... 2 2.3. Examples .............................................. 3 3. Introduction and Overview ............................. 3 4. Profiling requirements ................................ 4 5. Specific issues ....................................... 5 5.1. Client sends data first ............................... 5 5.2. Server returns success with additional data ........... 5 5.3. Multiple authentications .............................. 5 6. Registration procedures ............................... 6 6.1. Comments on SASL mechanism registrations .............. 6 6.2. Location of Registered SASL Mechanism List ............ 6 6.3. Change Control ........................................ 7 6.4. Registration Template ................................. 7 7. Mechanism definitions ................................. 8 7.1. Kerberos version 4 mechanism .......................... 8 7.2. GSSAPI mechanism ...................................... 9 7.2.1 Client side of authentication protocol exchange ....... 9 7.2.2 Server side of authentication protocol exchange ....... 10 7.2.3 Security layer ........................................ 11 7.3. S/Key mechanism ....................................... 11 7.4. External mechanism .................................... 12 8. References ............................................ 13 9. Security Considerations ............................... 13 10. Author's Address ...................................... 14
1. Abstract .............................................. 2 2. Organization of this Document ......................... 2 2.1. How to Read This Document ............................. 2 2.2. Conventions Used in this Document ..................... 2 2.3. Examples .............................................. 3 3. Introduction and Overview ............................. 3 4. Profiling requirements ................................ 4 5. Specific issues ....................................... 5 5.1. Client sends data first ............................... 5 5.2. Server returns success with additional data ........... 5 5.3. Multiple authentications .............................. 5 6. Registration procedures ............................... 6 6.1. Comments on SASL mechanism registrations .............. 6 6.2. Location of Registered SASL Mechanism List ............ 6 6.3. Change Control ........................................ 7 6.4. Registration Template ................................. 7 7. Mechanism definitions ................................. 8 7.1. Kerberos version 4 mechanism .......................... 8 7.2. GSSAPI mechanism ...................................... 9 7.2.1 Client side of authentication protocol exchange ....... 9 7.2.2 Server side of authentication protocol exchange ....... 10 7.2.3 Security layer ........................................ 11 7.3. S/Key mechanism ....................................... 11 7.4. External mechanism .................................... 12 8. References ............................................ 13 9. Security Considerations ............................... 13 10. Author's Address ...................................... 14
Myers Standards Track [Page 1] RFC 2222 SASL October 1997
Myers Standards Track [Page 1] RFC 2222 SASL October 1997
Appendix A. Relation of SASL to Transport Security .......... 15 Full Copyright Statement .................................... 16
Appendix A. Relation of SASL to Transport Security .......... 15 Full Copyright Statement .................................... 16
1. Abstract
1. Abstract
This document describes a method for adding authentication support to connection-based protocols. To use this specification, a protocol includes a command for identifying and authenticating a user to a server and for optionally negotiating protection of subsequent protocol interactions. If its use is negotiated, a security layer is inserted between the protocol and the connection. This document describes how a protocol specifies such a command, defines several mechanisms for use by the command, and defines the protocol used for carrying a negotiated security layer over the connection.
This document describes a method for adding authentication support to connection-based protocols. To use this specification, a protocol includes a command for identifying and authenticating a user to a server and for optionally negotiating protection of subsequent protocol interactions. If its use is negotiated, a security layer is inserted between the protocol and the connection. This document describes how a protocol specifies such a command, defines several mechanisms for use by the command, and defines the protocol used for carrying a negotiated security layer over the connection.
2. Organization of this Document
2. Organization of this Document
2.1. How to Read This Document
2.1. How to Read This Document
This document is written to serve two different audiences, protocol designers using this specification to support authentication in their protocol, and implementors of clients or servers for those protocols using this specification.
This document is written to serve two different audiences, protocol designers using this specification to support authentication in their protocol, and implementors of clients or servers for those protocols using this specification.
The sections "Introduction and Overview", "Profiling requirements", and "Security Considerations" cover issues that protocol designers need to understand and address in profiling this specification for use in a specific protocol.
The sections "Introduction and Overview", "Profiling requirements", and "Security Considerations" cover issues that protocol designers need to understand and address in profiling this specification for use in a specific protocol.
Implementors of a protocol using this specification need the protocol-specific profiling information in addition to the information in this document.
Implementors of a protocol using this specification need the protocol-specific profiling information in addition to the information in this document.
2.2. Conventions Used in this Document
2.2. Conventions Used in this Document
In examples, "C:" and "S:" indicate lines sent by the client and server respectively.
In examples, "C:" and "S:" indicate lines sent by the client and server respectively.
The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY" in this document are to be interpreted as defined in "Key words for use in RFCs to Indicate Requirement Levels" [RFC 2119].
The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY" in this document are to be interpreted as defined in "Key words for use in RFCs to Indicate Requirement Levels" [RFC 2119].
Myers Standards Track [Page 2] RFC 2222 SASL October 1997
Myers Standards Track [Page 2] RFC 2222 SASL October 1997
2.3. Examples
2.3. Examples
Examples in this document are for the IMAP profile [RFC 2060] of this specification. The base64 encoding of challenges and responses, as well as the "+ " preceding the responses are part of the IMAP4 profile, not part of the SASL specification itself.
Examples in this document are for the IMAP profile [RFC 2060] of this specification. The base64 encoding of challenges and responses, as well as the "+ " preceding the responses are part of the IMAP4 profile, not part of the SASL specification itself.
3. Introduction and Overview
3. Introduction and Overview
The Simple Authentication and Security Layer (SASL) is a method for adding authentication support to connection-based protocols. To use this specification, a protocol includes a command for identifying and authenticating a user to a server and for optionally negotiating a security layer for subsequent protocol interactions.
The Simple Authentication and Security Layer (SASL) is a method for adding authentication support to connection-based protocols. To use this specification, a protocol includes a command for identifying and authenticating a user to a server and for optionally negotiating a security layer for subsequent protocol interactions.
The command has a required argument identifying a SASL mechanism. SASL mechanisms are named by strings, from 1 to 20 characters in length, consisting of upper-case letters, digits, hyphens, and/or underscores. SASL mechanism names must be registered with the IANA. Procedures for registering new SASL mechanisms are given in the section "Registration procedures"
The command has a required argument identifying a SASL mechanism. SASL mechanisms are named by strings, from 1 to 20 characters in length, consisting of upper-case letters, digits, hyphens, and/or underscores. SASL mechanism names must be registered with the IANA. Procedures for registering new SASL mechanisms are given in the section "Registration procedures"
If a server supports the requested mechanism, it initiates an authentication protocol exchange. This consists of a series of server challenges and client responses that are specific to the requested mechanism. The challenges and responses are defined by the mechanisms as binary tokens of arbitrary length. The protocol's profile then specifies how these binary tokens are then encoded for transfer over the connection.
If a server supports the requested mechanism, it initiates an authentication protocol exchange. This consists of a series of server challenges and client responses that are specific to the requested mechanism. The challenges and responses are defined by the mechanisms as binary tokens of arbitrary length. The protocol's profile then specifies how these binary tokens are then encoded for transfer over the connection.
After receiving the authentication command or any client response, a server may issue a challenge, indicate failure, or indicate completion. The protocol's profile specifies how the server indicates which of the above it is doing.
After receiving the authentication command or any client response, a server may issue a challenge, indicate failure, or indicate completion. The protocol's profile specifies how the server indicates which of the above it is doing.
After receiving a challenge, a client may issue a response or abort the exchange. The protocol's profile specifies how the client indicates which of the above it is doing.
After receiving a challenge, a client may issue a response or abort the exchange. The protocol's profile specifies how the client indicates which of the above it is doing.
During the authentication protocol exchange, the mechanism performs authentication, transmits an authorization identity (frequently known as a userid) from the client to server, and negotiates the use of a mechanism-specific security layer. If the use of a security layer is agreed upon, then the mechanism must also define or negotiate the maximum cipher-text buffer size that each side is able to receive.
During the authentication protocol exchange, the mechanism performs authentication, transmits an authorization identity (frequently known as a userid) from the client to server, and negotiates the use of a mechanism-specific security layer. If the use of a security layer is agreed upon, then the mechanism must also define or negotiate the maximum cipher-text buffer size that each side is able to receive.
Myers Standards Track [Page 3] RFC 2222 SASL October 1997
Myers Standards Track [Page 3] RFC 2222 SASL October 1997
The transmitted authorization identity may be different than the identity in the client's authentication credentials. This permits agents such as proxy servers to authenticate using their own credentials, yet request the access privileges of the identity for which they are proxying. With any mechanism, transmitting an authorization identity of the empty string directs the server to derive an authorization identity from the client's authentication credentials.
The transmitted authorization identity may be different than the identity in the client's authentication credentials. This permits agents such as proxy servers to authenticate using their own credentials, yet request the access privileges of the identity for which they are proxying. With any mechanism, transmitting an authorization identity of the empty string directs the server to derive an authorization identity from the client's authentication credentials.
If use of a security layer is negotiated, it is applied to all subsequent data sent over the connection. The security layer takes effect immediately following the last response of the authentication exchange for data sent by the client and the completion indication for data sent by the server. Once the security layer is in effect, the protocol stream is processed by the security layer into buffers of cipher-text. Each buffer is transferred over the connection as a stream of octets prepended with a four octet field in network byte order that represents the length of the following buffer. The length of the cipher-text buffer must be no larger than the maximum size that was defined or negotiated by the other side.
If use of a security layer is negotiated, it is applied to all subsequent data sent over the connection. The security layer takes effect immediately following the last response of the authentication exchange for data sent by the client and the completion indication for data sent by the server. Once the security layer is in effect, the protocol stream is processed by the security layer into buffers of cipher-text. Each buffer is transferred over the connection as a stream of octets prepended with a four octet field in network byte order that represents the length of the following buffer. The length of the cipher-text buffer must be no larger than the maximum size that was defined or negotiated by the other side.
4. Profiling requirements
4. Profiling requirements
In order to use this specification, a protocol definition must supply the following information:
In order to use this specification, a protocol definition must supply the following information:
1. A service name, to be selected from the IANA registry of "service"
elements for the GSSAPI host-based service name form [RFC 2078].
1. A service name, to be selected from the IANA registry of "service" elements for the GSSAPI host-based service name form [RFC 2078].
2. A definition of the command to initiate the authentication
protocol exchange. This command must have as a parameter the
mechanism name being selected by the client.
2. A definition of the command to initiate the authentication protocol exchange. This command must have as a parameter the mechanism name being selected by the client.
The command SHOULD have an optional parameter giving an initial
response. This optional parameter allows the client to avoid a
round trip when using a mechanism which is defined to have the
client send data first. When this initial response is sent by the
client and the selected mechanism is defined to have the server
start with an initial challenge, the command fails. See section
5.1 of this document for further information.
The command SHOULD have an optional parameter giving an initial response. This optional parameter allows the client to avoid a round trip when using a mechanism which is defined to have the client send data first. When this initial response is sent by the client and the selected mechanism is defined to have the server start with an initial challenge, the command fails. See section 5.1 of this document for further information.
3. A definition of the method by which the authentication protocol
exchange is carried out, including how the challenges and
responses are encoded, how the server indicates completion or
failure of the exchange, how the client aborts an exchange, and
how the exchange method interacts with any line length limits in
the protocol.
3. A definition of the method by which the authentication protocol exchange is carried out, including how the challenges and responses are encoded, how the server indicates completion or failure of the exchange, how the client aborts an exchange, and how the exchange method interacts with any line length limits in the protocol.
Myers Standards Track [Page 4] RFC 2222 SASL October 1997
Myers Standards Track [Page 4] RFC 2222 SASL October 1997
4. Identification of the octet where any negotiated security layer
starts to take effect, in both directions.
4. Identification of the octet where any negotiated security layer starts to take effect, in both directions.
5. A specification of how the authorization identity passed from the
client to the server is to be interpreted.
5. A specification of how the authorization identity passed from the client to the server is to be interpreted.
5. Specific issues
5. Specific issues
5.1. Client sends data first
5.1. Client sends data first
Some mechanisms specify that the first data sent in the authentication protocol exchange is from the client to the server.
Some mechanisms specify that the first data sent in the authentication protocol exchange is from the client to the server.
If a protocol's profile permits the command which initiates an authentication protocol exchange to contain an initial client response, this parameter SHOULD be used with such mechanisms.
If a protocol's profile permits the command which initiates an authentication protocol exchange to contain an initial client response, this parameter SHOULD be used with such mechanisms.
If the initial client response parameter is not given, or if a protocol's profile does not permit the command which initiates an authentication protocol exchange to contain an initial client response, then the server issues a challenge with no data. The client's response to this challenge is then used as the initial client response. (The server then proceeds to send the next challenge, indicates completion, or indicates failure.)
If the initial client response parameter is not given, or if a protocol's profile does not permit the command which initiates an authentication protocol exchange to contain an initial client response, then the server issues a challenge with no data. The client's response to this challenge is then used as the initial client response. (The server then proceeds to send the next challenge, indicates completion, or indicates failure.)
5.2. Server returns success with additional data
5.2. Server returns success with additional data
Some mechanisms may specify that server challenge data be sent to the client along with an indication of successful completion of the exchange. This data would, for example, authenticate the server to the client.
Some mechanisms may specify that server challenge data be sent to the client along with an indication of successful completion of the exchange. This data would, for example, authenticate the server to the client.
If a protocol's profile does not permit this server challenge to be returned with a success indication, then the server issues the server challenge without an indication of successful completion. The client then responds with no data. After receiving this empty response, the server then indicates successful completion.
If a protocol's profile does not permit this server challenge to be returned with a success indication, then the server issues the server challenge without an indication of successful completion. The client then responds with no data. After receiving this empty response, the server then indicates successful completion.
5.3. Multiple authentications
5.3. Multiple authentications
Unless otherwise stated by the protocol's profile, only one successful SASL negotiation may occur in a protocol session. In this case, once an authentication protocol exchange has successfully completed, further attempts to initiate an authentication protocol exchange fail.
Unless otherwise stated by the protocol's profile, only one successful SASL negotiation may occur in a protocol session. In this case, once an authentication protocol exchange has successfully completed, further attempts to initiate an authentication protocol exchange fail.
Myers Standards Track [Page 5] RFC 2222 SASL October 1997
Myers Standards Track [Page 5] RFC 2222 SASL October 1997
In the case that a profile explicitly permits multiple successful SASL negotiations to occur, then in no case may multiple security layers be simultaneously in effect. If a security layer is in effect and a subsequent SASL negotiation selects no security layer, the original security layer remains in effect. If a security layer is in effect and a subsequent SASL negotiation selects a second security layer, then the second security layer replaces the first.
In the case that a profile explicitly permits multiple successful SASL negotiations to occur, then in no case may multiple security layers be simultaneously in effect. If a security layer is in effect and a subsequent SASL negotiation selects no security layer, the original security layer remains in effect. If a security layer is in effect and a subsequent SASL negotiation selects a second security layer, then the second security layer replaces the first.
6. Registration procedures
6. Registration procedures
Registration of a SASL mechanism is done by filling in the template in section 6.4 and sending it in to iana@isi.edu. IANA has the right to reject obviously bogus registrations, but will perform no review of clams made in the registration form.
Registration of a SASL mechanism is done by filling in the template in section 6.4 and sending it in to iana@isi.edu. IANA has the right to reject obviously bogus registrations, but will perform no review of clams made in the registration form.
There is no naming convention for SASL mechanisms; any name that conforms to the syntax of a SASL mechanism name can be registered.
There is no naming convention for SASL mechanisms; any name that conforms to the syntax of a SASL mechanism name can be registered.
While the registration procedures do not require it, authors of SASL mechanisms are encouraged to seek community review and comment whenever that is feasible. Authors may seek community review by posting a specification of their proposed mechanism as an internet- draft. SASL mechanisms intended for widespread use should be standardized through the normal IETF process, when appropriate.
While the registration procedures do not require it, authors of SASL mechanisms are encouraged to seek community review and comment whenever that is feasible. Authors may seek community review by posting a specification of their proposed mechanism as an internet- draft. SASL mechanisms intended for widespread use should be standardized through the normal IETF process, when appropriate.
6.1. Comments on SASL mechanism registrations
6.1. Comments on SASL mechanism registrations
Comments on registered SASL mechanisms should first be sent to the "owner" of the mechanism. Submitters of comments may, after a reasonable attempt to contact the owner, request IANA to attach their comment to the SASL mechanism registration itself. If IANA approves of this the comment will be made accessible in conjunction with the SASL mechanism registration itself.
Comments on registered SASL mechanisms should first be sent to the "owner" of the mechanism. Submitters of comments may, after a reasonable attempt to contact the owner, request IANA to attach their comment to the SASL mechanism registration itself. If IANA approves of this the comment will be made accessible in conjunction with the SASL mechanism registration itself.
6.2. Location of Registered SASL Mechanism List
6.2. Location of Registered SASL Mechanism List
SASL mechanism registrations will be posted in the anonymous FTP directory "ftp://ftp.isi.edu/in-notes/iana/assignments/sasl- mechanisms/" and all registered SASL mechanisms will be listed in the periodically issued "Assigned Numbers" RFC [currently STD 2, RFC 1700]. The SASL mechanism description and other supporting material may also be published as an Informational RFC by sending it to "rfc- editor@isi.edu" (please follow the instructions to RFC authors [RFC 2223]).
SASL mechanism registrations will be posted in the anonymous FTP directory "ftp://ftp.isi.edu/in-notes/iana/assignments/sasl- mechanisms/" and all registered SASL mechanisms will be listed in the periodically issued "Assigned Numbers" RFC [currently STD 2, RFC 1700]. The SASL mechanism description and other supporting material may also be published as an Informational RFC by sending it to "rfc- editor@isi.edu" (please follow the instructions to RFC authors [RFC 2223]).
Myers Standards Track [Page 6] RFC 2222 SASL October 1997
Myers Standards Track [Page 6] RFC 2222 SASL October 1997
6.3. Change Control
6.3. Change Control
Once a SASL mechanism registration has been published by IANA, the author may request a change to its definition. The change request follows the same procedure as the registration request.
Once a SASL mechanism registration has been published by IANA, the author may request a change to its definition. The change request follows the same procedure as the registration request.
The owner of a SASL mechanism may pass responsibility for the SASL mechanism to another person or agency by informing IANA; this can be done without discussion or review.
The owner of a SASL mechanism may pass responsibility for the SASL mechanism to another person or agency by informing IANA; this can be done without discussion or review.
The IESG may reassign responsibility for a SASL mechanism. The most common case of this will be to enable changes to be made to mechanisms where the author of the registration has died, moved out of contact or is otherwise unable to make changes that are important to the community.
The IESG may reassign responsibility for a SASL mechanism. The most common case of this will be to enable changes to be made to mechanisms where the author of the registration has died, moved out of contact or is otherwise unable to make changes that are important to the community.
SASL mechanism registrations may not be deleted; mechanisms which are no longer believed appropriate for use can be declared OBSOLETE by a change to their "intended use" field; such SASL mechanisms will be clearly marked in the lists published by IANA.
SASL mechanism registrations may not be deleted; mechanisms which are no longer believed appropriate for use can be declared OBSOLETE by a change to their "intended use" field; such SASL mechanisms will be clearly marked in the lists published by IANA.
The IESG is considered to be the owner of all SASL mechanisms which are on the IETF standards track.
The IESG is considered to be the owner of all SASL mechanisms which are on the IETF standards track.
6.4. Registration Template
6.4. Registration Template
To: iana@iana.org Subject: Registration of SASL mechanism X
To: iana@iana.org Subject: Registration of SASL mechanism X
SASL mechanism name:
SASL mechanism name:
Security considerations:
Security considerations:
Published specification (optional, recommended):
Published specification (optional, recommended):
Person & email address to contact for further information:
Person & email address to contact for further information:
Intended usage:
Intended usage:
(One of COMMON, LIMITED USE or OBSOLETE)
(One of COMMON, LIMITED USE or OBSOLETE)
Author/Change controller:
Author/Change controller:
(Any other information that the author deems interesting may be added below this line.)
(Any other information that the author deems interesting may be added below this line.)
Myers Standards Track [Page 7] RFC 2222 SASL October 1997
Myers Standards Track [Page 7] RFC 2222 SASL October 1997
7. Mechanism definitions
7. Mechanism definitions
The following mechanisms are hereby defined.
The following mechanisms are hereby defined.
7.1. Kerberos version 4 mechanism
7.1. Kerberos version 4 mechanism
The mechanism name associated with Kerberos version 4 is "KERBEROS_V4".
The mechanism name associated with Kerberos version 4 is "KERBEROS_V4".
The first challenge consists of a random 32-bit number in network byte order. The client responds with a Kerberos ticket and an authenticator for the principal "service.hostname@realm", where "service" is the service name specified in the protocol's profile, "hostname" is the first component of the host name of the server with all letters in lower case, and where "realm" is the Kerberos realm of the server. The encrypted checksum field included within the Kerberos authenticator contains the server provided challenge in network byte order.
The first challenge consists of a random 32-bit number in network byte order. The client responds with a Kerberos ticket and an authenticator for the principal "service.hostname@realm", where "service" is the service name specified in the protocol's profile, "hostname" is the first component of the host name of the server with all letters in lower case, and where "realm" is the Kerberos realm of the server. The encrypted checksum field included within the Kerberos authenticator contains the server provided challenge in network byte order.
Upon decrypting and verifying the ticket and authenticator, the server verifies that the contained checksum field equals the original server provided random 32-bit number. Should the verification be successful, the server must add one to the checksum and construct 8 octets of data, with the first four octets containing the incremented checksum in network byte order, the fifth octet containing a bit-mask specifying the security layers supported by the server, and the sixth through eighth octets containing, in network byte order, the maximum cipher-text buffer size the server is able to receive. The server must encrypt using DES ECB mode the 8 octets of data in the session key and issue that encrypted data in a second challenge. The client considers the server authenticated if the first four octets of the un-encrypted data is equal to one plus the checksum it previously sent.
Upon decrypting and verifying the ticket and authenticator, the server verifies that the contained checksum field equals the original server provided random 32-bit number. Should the verification be successful, the server must add one to the checksum and construct 8 octets of data, with the first four octets containing the incremented checksum in network byte order, the fifth octet containing a bit-mask specifying the security layers supported by the server, and the sixth through eighth octets containing, in network byte order, the maximum cipher-text buffer size the server is able to receive. The server must encrypt using DES ECB mode the 8 octets of data in the session key and issue that encrypted data in a second challenge. The client considers the server authenticated if the first four octets of the un-encrypted data is equal to one plus the checksum it previously sent.
The client must construct data with the first four octets containing the original server-issued checksum in network byte order, the fifth octet containing the bit-mask specifying the selected security layer, the sixth through eighth octets containing in network byte order the maximum cipher-text buffer size the client is able to receive, and the following octets containing the authorization identity. The client must then append from one to eight zero-valued octets so that the length of the data is a multiple of eight octets. The client must then encrypt using DES PCBC mode the data with the session key and respond with the encrypted data. The server decrypts the data and verifies the contained checksum. The server must verify that the principal identified in the Kerberos ticket is authorized to connect as that authorization identity. After this verification, the authentication process is complete.
The client must construct data with the first four octets containing the original server-issued checksum in network byte order, the fifth octet containing the bit-mask specifying the selected security layer, the sixth through eighth octets containing in network byte order the maximum cipher-text buffer size the client is able to receive, and the following octets containing the authorization identity. The client must then append from one to eight zero-valued octets so that the length of the data is a multiple of eight octets. The client must then encrypt using DES PCBC mode the data with the session key and respond with the encrypted data. The server decrypts the data and verifies the contained checksum. The server must verify that the principal identified in the Kerberos ticket is authorized to connect as that authorization identity. After this verification, the authentication process is complete.
Myers Standards Track [Page 8] RFC 2222 SASL October 1997
Myers Standards Track [Page 8] RFC 2222 SASL October 1997
The security layers and their corresponding bit-masks are as follows:
The security layers and their corresponding bit-masks are as follows:
1 No security layer
2 Integrity (krb_mk_safe) protection
4 Privacy (krb_mk_priv) protection
1 No security layer 2 Integrity (krb_mk_safe) protection 4 Privacy (krb_mk_priv) protection
Other bit-masks may be defined in the future; bits which are not understood must be negotiated off.
Other bit-masks may be defined in the future; bits which are not understood must be negotiated off.
EXAMPLE: The following are two Kerberos version 4 login scenarios to the IMAP4 protocol (note that the line breaks in the sample authenticators are for editorial clarity and are not in real authenticators)
EXAMPLE: The following are two Kerberos version 4 login scenarios to the IMAP4 protocol (note that the line breaks in the sample authenticators are for editorial clarity and are not in real authenticators)
S: * OK IMAP4 Server
C: A001 AUTHENTICATE KERBEROS_V4
S: + AmFYig==
C: BAcAQU5EUkVXLkNNVS5FRFUAOCAsho84kLN3/IJmrMG+25a4DT
+nZImJjnTNHJUtxAA+o0KPKfHEcAFs9a3CL5Oebe/ydHJUwYFd
WwuQ1MWiy6IesKvjL5rL9WjXUb9MwT9bpObYLGOKi1Qh
S: + or//EoAADZI=
C: DiAF5A4gA+oOIALuBkAAmw==
S: A001 OK Kerberos V4 authentication successful
S: * OK IMAP4 Server C: A001 AUTHENTICATE KERBEROS_V4 S: + AmFYig== C: BAcAQU5EUkVXLkNNVS5FRFUAOCAsho84kLN3/IJmrMG+25a4DT +nZImJjnTNHJUtxAA+o0KPKfHEcAFs9a3CL5Oebe/ydHJUwYFd WwuQ1MWiy6IesKvjL5rL9WjXUb9MwT9bpObYLGOKi1Qh S: + or//EoAADZI= C: DiAF5A4gA+oOIALuBkAAmw== S: A001 OK Kerberos V4 authentication successful
S: * OK IMAP4 Server
C: A001 AUTHENTICATE KERBEROS_V4
S: + gcfgCA==
C: BAcAQU5EUkVXLkNNVS5FRFUAOCAsho84kLN3/IJmrMG+25a4DT
+nZImJjnTNHJUtxAA+o0KPKfHEcAFs9a3CL5Oebe/ydHJUwYFd
WwuQ1MWiy6IesKvjL5rL9WjXUb9MwT9bpObYLGOKi1Qh
S: A001 NO Kerberos V4 authentication failed
S: * OK IMAP4 Server C: A001 AUTHENTICATE KERBEROS_V4 S: + gcfgCA== C: BAcAQU5EUkVXLkNNVS5FRFUAOCAsho84kLN3/IJmrMG+25a4DT +nZImJjnTNHJUtxAA+o0KPKfHEcAFs9a3CL5Oebe/ydHJUwYFd WwuQ1MWiy6IesKvjL5rL9WjXUb9MwT9bpObYLGOKi1Qh S: A001 NO Kerberos V4 authentication failed
7.2. GSSAPI mechanism
7.2. GSSAPI mechanism
The mechanism name associated with all mechanisms employing the GSSAPI [RFC 2078] is "GSSAPI".
The mechanism name associated with all mechanisms employing the GSSAPI [RFC 2078] is "GSSAPI".
7.2.1 Client side of authentication protocol exchange
7.2.1 Client side of authentication protocol exchange
The client calls GSS_Init_sec_context, passing in 0 for input_context_handle (initially) and a targ_name equal to output_name from GSS_Import_Name called with input_name_type of GSS_C_NT_HOSTBASED_SERVICE and input_name_string of "service@hostname" where "service" is the service name specified in the protocol's profile, and "hostname" is the fully qualified host name of the server. The client then responds with the resulting output_token. If GSS_Init_sec_context returns GSS_S_CONTINUE_NEEDED,
The client calls GSS_Init_sec_context, passing in 0 for input_context_handle (initially) and a targ_name equal to output_name from GSS_Import_Name called with input_name_type of GSS_C_NT_HOSTBASED_SERVICE and input_name_string of "service@hostname" where "service" is the service name specified in the protocol's profile, and "hostname" is the fully qualified host name of the server. The client then responds with the resulting output_token. If GSS_Init_sec_context returns GSS_S_CONTINUE_NEEDED,
Myers Standards Track [Page 9] RFC 2222 SASL October 1997
Myers Standards Track [Page 9] RFC 2222 SASL October 1997
then the client should expect the server to issue a token in a subsequent challenge. The client must pass the token to another call to GSS_Init_sec_context, repeating the actions in this paragraph.
then the client should expect the server to issue a token in a subsequent challenge. The client must pass the token to another call to GSS_Init_sec_context, repeating the actions in this paragraph.
When GSS_Init_sec_context returns GSS_S_COMPLETE, the client takes the following actions: If the last call to GSS_Init_sec_context returned an output_token, then the client responds with the output_token, otherwise the client responds with no data. The client should then expect the server to issue a token in a subsequent challenge. The client passes this token to GSS_Unwrap and interprets the first octet of resulting cleartext as a bit-mask specifying the security layers supported by the server and the second through fourth octets as the maximum size output_message to send to the server. The client then constructs data, with the first octet containing the bit-mask specifying the selected security layer, the second through fourth octets containing in network byte order the maximum size output_message the client is able to receive, and the remaining octets containing the authorization identity. The client passes the data to GSS_Wrap with conf_flag set to FALSE, and responds with the generated output_message. The client can then consider the server authenticated.
When GSS_Init_sec_context returns GSS_S_COMPLETE, the client takes the following actions: If the last call to GSS_Init_sec_context returned an output_token, then the client responds with the output_token, otherwise the client responds with no data. The client should then expect the server to issue a token in a subsequent challenge. The client passes this token to GSS_Unwrap and interprets the first octet of resulting cleartext as a bit-mask specifying the security layers supported by the server and the second through fourth octets as the maximum size output_message to send to the server. The client then constructs data, with the first octet containing the bit-mask specifying the selected security layer, the second through fourth octets containing in network byte order the maximum size output_message the client is able to receive, and the remaining octets containing the authorization identity. The client passes the data to GSS_Wrap with conf_flag set to FALSE, and responds with the generated output_message. The client can then consider the server authenticated.
7.2.2 Server side of authentication protocol exchange
7.2.2 Server side of authentication protocol exchange
The server passes the initial client response to GSS_Accept_sec_context as input_token, setting input_context_handle to 0 (initially). If GSS_Accept_sec_context returns GSS_S_CONTINUE_NEEDED, the server returns the generated output_token to the client in challenge and passes the resulting response to another call to GSS_Accept_sec_context, repeating the actions in this paragraph.
The server passes the initial client response to GSS_Accept_sec_context as input_token, setting input_context_handle to 0 (initially). If GSS_Accept_sec_context returns GSS_S_CONTINUE_NEEDED, the server returns the generated output_token to the client in challenge and passes the resulting response to another call to GSS_Accept_sec_context, repeating the actions in this paragraph.
When GSS_Accept_sec_context returns GSS_S_COMPLETE, the client takes the following actions: If the last call to GSS_Accept_sec_context returned an output_token, the server returns it to the client in a challenge and expects a reply from the client with no data. Whether or not an output_token was returned (and after receipt of any response from the client to such an output_token), the server then constructs 4 octets of data, with the first octet containing a bit- mask specifying the security layers supported by the server and the second through fourth octets containing in network byte order the maximum size output_token the server is able to receive. The server must then pass the plaintext to GSS_Wrap with conf_flag set to FALSE and issue the generated output_message to the client in a challenge. The server must then pass the resulting response to GSS_Unwrap and interpret the first octet of resulting cleartext as the bit-mask for the selected security layer, the second through fourth octets as the maximum size output_message to send to the client, and the remaining
When GSS_Accept_sec_context returns GSS_S_COMPLETE, the client takes the following actions: If the last call to GSS_Accept_sec_context returned an output_token, the server returns it to the client in a challenge and expects a reply from the client with no data. Whether or not an output_token was returned (and after receipt of any response from the client to such an output_token), the server then constructs 4 octets of data, with the first octet containing a bit- mask specifying the security layers supported by the server and the second through fourth octets containing in network byte order the maximum size output_token the server is able to receive. The server must then pass the plaintext to GSS_Wrap with conf_flag set to FALSE and issue the generated output_message to the client in a challenge. The server must then pass the resulting response to GSS_Unwrap and interpret the first octet of resulting cleartext as the bit-mask for the selected security layer, the second through fourth octets as the maximum size output_message to send to the client, and the remaining
Myers Standards Track [Page 10] RFC 2222 SASL October 1997
Myers Standards Track [Page 10] RFC 2222 SASL October 1997
octets as the authorization identity. The server must verify that the src_name is authorized to authenticate as the authorization identity. After these verifications, the authentication process is complete.
octets as the authorization identity. The server must verify that the src_name is authorized to authenticate as the authorization identity. After these verifications, the authentication process is complete.
7.2.3 Security layer
7.2.3 Security layer
The security layers and their corresponding bit-masks are as follows:
The security layers and their corresponding bit-masks are as follows:
1 No security layer
2 Integrity protection.
Sender calls GSS_Wrap with conf_flag set to FALSE
4 Privacy protection.
Sender calls GSS_Wrap with conf_flag set to TRUE
1 どんなセキュリティも2Integrity保護を層にしません。 送付者は、conf_旗のセットでFALSE4Privacy保護にGSS_をWrapと呼びます。 送付者は、conf_旗のセットでGSS_をTRUEにWrapと呼びます。
Other bit-masks may be defined in the future; bits which are not understood must be negotiated off.
他のビットマスクは将来、定義されるかもしれません。 理解されていないビットでは、交渉しなければなりません。
7.3. S/Key mechanism
7.3. S/主要なメカニズム
The mechanism name associated with S/Key [RFC 1760] using the MD4 digest algorithm is "SKEY".
MD4ダイジェストアルゴリズムを使用するS/キー[RFC1760]に関連しているメカニズム名は"SKEY"です。
The client sends an initial response with the authorization identity.
クライアントは承認のアイデンティティがある初期の応答を送ります。
The server then issues a challenge which contains the decimal sequence number followed by a single space and the seed string for the indicated authorization identity. The client responds with the one-time-password, as either a 64-bit value in network byte order or encoded in the "six English words" format.
そして、サーバは示された承認のアイデンティティのためにシングルスペースと種子ストリングが支えた10進一連番号を含む挑戦を発行します。 クライアントはネットワークバイトオーダーにおける64ビットの値としての1回のパスワードか「6つの英単語」の形式におけるコード化にされるので応じます。
The server must verify the one-time-password. After this verification, the authentication process is complete.
サーバは使い捨てパスワードについて確かめなければなりません。 この検証の後に、認証過程は完全です。
S/Key authentication does not provide for any security layers.
S/主要な認証はどんなセキュリティ層にも備えません。
EXAMPLE: The following are two S/Key login scenarios in the IMAP4 protocol.
例: ↓これはIMAP4プロトコルの2/主要なログインシナリオです。
S: * OK IMAP4 Server
C: A001 AUTHENTICATE SKEY
S: +
C: bW9yZ2Fu
S: + OTUgUWE1ODMwOA==
C: Rk9VUiBNQU5OIFNPT04gRklSIFZBUlkgTUFTSA==
S: A001 OK S/Key authentication successful
S: * IMAP4サーバCを承認してください: A001はSKEY Sを認証します: + C: bW9yZ2Fu S: + OTUgUWE1ODMwOA=C: Rk9VUiBNQU5OIFNPT04gRklSIFZBUlkgTUFTSA== S: A001 OK S/主要な認証うまくいきます。
Myers Standards Track [Page 11] RFC 2222 SASL October 1997
マイアーズ規格はSASL1997年10月にRFC2222を追跡します[11ページ]。
S: * OK IMAP4 Server
C: A001 AUTHENTICATE SKEY
S: +
C: c21pdGg=
S: + OTUgUWE1ODMwOA==
C: BsAY3g4gBNo=
S: A001 NO S/Key authentication failed
S: * IMAP4サーバCを承認してください: A001はSKEY Sを認証します: + C: c21pdGgはSと等しいです: + OTUgUWE1ODMwOA=C: BsAY3g4gBNo= S: A001 NO S/主要な認証は失敗しました。
The following is an S/Key login scenario in an IMAP4-like protocol which has an optional "initial response" argument to the AUTHENTICATE command.
↓これは任意の「初期の応答」議論をAUTHENTICATEコマンドに持っているIMAP4のようなプロトコルのS/主要なログインシナリオです。
S: * OK IMAP4-Like Server
C: A001 AUTHENTICATE SKEY bW9yZ2Fu
S: + OTUgUWE1ODMwOA==
C: Rk9VUiBNQU5OIFNPT04gRklSIFZBUlkgTUFTSA==
S: A001 OK S/Key authentication successful
S: * IMAP4のようなサーバCを承認してください: A001はSKEY bW9yZ2Fu Sを認証します: + OTUgUWE1ODMwOA=C: Rk9VUiBNQU5OIFNPT04gRklSIFZBUlkgTUFTSA== S: A001 OK S/主要な認証うまくいきます。
7.4. External mechanism
7.4. 外部のメカニズム
The mechanism name associated with external authentication is "EXTERNAL".
外部認証に関連しているメカニズム名は「外部です」。
The client sends an initial response with the authorization identity.
クライアントは承認のアイデンティティがある初期の応答を送ります。
The server uses information, external to SASL, to determine whether the client is authorized to authenticate as the authorization identity. If the client is so authorized, the server indicates successful completion of the authentication exchange; otherwise the server indicates failure.
サーバは、クライアントが承認のアイデンティティとして認証するために認可されているかどうか決定するのにSASLへの外部の情報を使用します。 クライアントがそのように権限を与えられるなら、サーバは認証交換の無事終了を示します。 さもなければ、サーバは失敗を示します。
The system providing this external information may be, for example, IPsec or TLS.
例えば、この外部の情報を提供するシステムは、IPsecかTLSであるかもしれません。
If the client sends the empty string as the authorization identity (thus requesting the authorization identity be derived from the client's authentication credentials), the authorization identity is to be derived from authentication credentials which exist in the system which is providing the external authentication.
クライアントが承認のアイデンティティとして空のストリングを送るなら(その結果、承認のアイデンティティがクライアントの認証資格証明書から得られるよう要求します)、承認のアイデンティティは外部認証を提供しているシステムに存在する認証資格証明書から派生することです。
Myers Standards Track [Page 12] RFC 2222 SASL October 1997
マイアーズ規格はSASL1997年10月にRFC2222を追跡します[12ページ]。
8. References
8. 参照
[RFC 2060] Crispin, M., "Internet Message Access Protocol - Version
4rev1", RFC 2060, December 1996.
[RFC2060] クリスピン、M.、「バージョン4rev1"、RFC2060、1996年インターネットメッセージアクセス・プロトコル--12月。」
[RFC 2078] Linn, J., "Generic Security Service Application Program
Interface, Version 2", RFC 2078, January 1997.
[RFC2078] リン、J.、「ジェネリックセキュリティー・サービス適用業務プログラム・インタフェース、バージョン2インチ、RFC2078、1997年1月。」
[RFC 2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, March 1997.
[RFC2119] ブラドナー、S.、「Indicate Requirement LevelsへのRFCsにおける使用のためのキーワード」、RFC2119、1997年3月。
[RFC 2223] Postel, J., and J. Reynolds, "Instructions to RFC
Authors", RFC 2223, October 1997.
[RFC2223] ポステル、J.、およびJ.レイノルズ、「指示、RFCが書く、」、RFC2223、10月1997日
[RFC 1760] Haller, N., "The S/Key One-Time Password System", RFC
1760, February 1995.
[RFC1760] ハラー、1995年2月のN.、「S/主要なワンタイムパスワードシステム」RFC1760。
[RFC 1700] Reynolds, J., and J. Postel, "Assigned Numbers", STD 2,
RFC 1700, October 1994.
[RFC1700] レイノルズ、J.とJ.ポステル、「規定番号」、STD2、RFC1700、1994年10月。
9. Security Considerations
9. セキュリティ問題
Security issues are discussed throughout this memo.
このメモ中で安全保障問題について議論します。
The mechanisms that support integrity protection are designed such that the negotiation of the security layer and authorization identity is integrity protected. When the client selects a security layer with at least integrity protection, this protects against an active attacker hijacking the connection and modifying the authentication exchange to negotiate a plaintext connection.
保全が保護であるとサポートするメカニズムは、セキュリティ層と承認のアイデンティティの交渉が保護された保全であるように設計されています。 クライアントが少なくとも保全保護があるセキュリティ層を選択するとき、これは平文接続を交渉するように接続をハイジャックして、認証交換を変更する活発な攻撃者から守ります。
When a server or client supports multiple authentication mechanisms, each of which has a different security strength, it is possible for an active attacker to cause a party to use the least secure mechanism supported. To protect against this sort of attack, a client or server which supports mechanisms of different strengths should have a configurable minimum strength that it will use. It is not sufficient for this minimum strength check to only be on the server, since an active attacker can change which mechanisms the client sees as being supported, causing the client to send authentication credentials for its weakest supported mechanism.
サーバかクライアントが、複数の認証がメカニズム(それのそれぞれには、異なったセキュリティ力がある)であるとサポートするとき、活発な攻撃者が最も安全でないメカニズムがサポートした使用にパーティーを引き起こすのは、可能です。 この種類の攻撃、クライアントまたはサーバから守るために、どれが異なった強さのメカニズムをサポートするかに、それが使用する構成可能な最低限の強さがあるべきです。 この最低限の強さチェックがサーバにあるだけが、十分ではありません、活発な攻撃者が、クライアントが、どのメカニズムがサポートされるのを見るかを変えることができるので、クライアントが最も弱いサポートしているメカニズムのために認証資格証明書を送ることを引き起こして。
Myers Standards Track [Page 13] RFC 2222 SASL October 1997
マイアーズ規格はSASL1997年10月にRFC2222を追跡します[13ページ]。
The client's selection of a SASL mechanism is done in the clear and may be modified by an active attacker. It is important for any new SASL mechanisms to be designed such that an active attacker cannot obtain an authentication with weaker security properties by modifying the SASL mechanism name and/or the challenges and responses.
クライアントのSASLメカニズムの選択を明確でして、活発な攻撃者は変更するかもしれません。 どんな新しいSASLメカニズムも設計されているのは、活発な攻撃者がSASLメカニズム名、そして/または、挑戦と応答を変更することによって、より弱いセキュリティの特性による認証を得ることができないくらい重要です。
Any protocol interactions prior to authentication are performed in the clear and may be modified by an active attacker. In the case where a client selects integrity protection, it is important that any security-sensitive protocol negotiations be performed after authentication is complete. Protocols should be designed such that negotiations performed prior to authentication should be either ignored or revalidated once authentication is complete.
認証の前のどんなプロトコル相互作用も、明確で実行されて、活発な攻撃者によって変更されるかもしれません。 クライアントが保全保護を選択する場合では、認証が完全になった後にどんなセキュリティ敏感な議定書交渉も実行されるのは、重要です。 プロトコルは、認証の前に実行された交渉が無視されるべきであるか、または認証がいったん完全であったあとに再有効にされるべきであるように、設計されるべきです。
10. Author's Address
10. 作者のアドレス
John G. Myers Netscape Communications 501 E. Middlefield Road Mail Stop MV-029 Mountain View, CA 94043-4042
マウンテンビュー、ジョンG.マイアーズネットスケープ・コミュニケーションズ501E.Middlefield道路メール停止MV-029カリフォルニア94043-4042
EMail: jgmyers@netscape.com
メール: jgmyers@netscape.com
Myers Standards Track [Page 14] RFC 2222 SASL October 1997
マイアーズ規格はSASL1997年10月にRFC2222を追跡します[14ページ]。
Appendix A. Relation of SASL to Transport Security
セキュリティを輸送するSASLの付録A.関係
Questions have been raised about the relationship between SASL and various services (such as IPsec and TLS) which provide a secured connection.
どれが機密保護している接続を提供するかという疑問はSASLと様々なサービス(IPsecやTLSなどの)との関係に関して引き起こされました。
Two of the key features of SASL are:
SASLに関する2つの重要な特色は以下の通りです。
1. The separation of the authorization identity from the identity in
the client's credentials. This permits agents such as proxy
servers to authenticate using their own credentials, yet request
the access privileges of the identity for which they are proxying.
1. クライアントの資格証明書におけるアイデンティティからの承認のアイデンティティの分離。 これはそれら自身の資格証明書を使用することで認証するプロキシサーバなどのエージェントを可能にして、しかし、要求はそれらがproxyingしているアイデンティティのアクセス権です。
2. Upon successful completion of an authentication exchange, the
server knows the authorization identity the client wishes to use.
This allows servers to move to a "user is authenticated" state in
the protocol.
2. 認証交換の無事終了のときに、サーバはクライアントが使用したがっている承認のアイデンティティを知っています。 これで、サーバはプロトコルで「ユーザは認証される」という状態に移行します。
These features are extremely important to some application protocols, yet Transport Security services do not always provide them. To define SASL mechanisms based on these services would be a very messy task, as the framing of these services would be redundant with the framing of SASL and some method of providing these important SASL features would have to be devised.
これらの特徴がいくつかのアプリケーション・プロトコルに非常に重要である、しかし、Transport Securityサービスはいつもそれらを提供するというわけではありません。 これらのサービスに基づくSASLメカニズムを定義するのは、非常に乱雑なタスクでしょう、これらのサービスの縁どりがSASLの縁どりと重要なSASLの特徴が持っているこれらを提供する何らかの工夫されるべきメソッドで余分であるだろうというときに。
Sometimes it is desired to enable within an existing connection the use of a security service which does not fit the SASL model. (TLS is an example of such a service.) This can be done by adding a command, for example "STARTTLS", to the protocol. Such a command is outside the scope of SASL, and should be different from the command which starts a SASL authentication protocol exchange.
時々、既存の接続の中でSASLモデルに合わないセキュリティー・サービスの使用を可能にするのは必要です。 (TLSはそのようなサービスに関する例です。) コマンド、例えば、「STARTTLS」をプロトコルに追加することによって、これができます。 そのようなコマンドは、SASLの範囲の外にあって、SASL認証プロトコル交換を始めるコマンドと異なっているべきです。
In certain situations, it is reasonable to use SASL underneath one of these Transport Security services. The transport service would secure the connection, either service would authenticate the client, and SASL would negotiate the authorization identity. The SASL negotiation would be what moves the protocol from "unauthenticated" to "authenticated" state. The "EXTERNAL" SASL mechanism is explicitly intended to handle the case where the transport service secures the connection and authenticates the client and SASL negotiates the authorization identity.
ある状況で、これらのTransport Securityサービスの1つの下にSASLを使用するのは妥当です。 輸送サービスは接続を保証するでしょう、そして、サービスはクライアントを認証するでしょう、そして、SASLは承認のアイデンティティを交渉するでしょう。 SASL交渉は"非認証"の状態から「認証された」状態までプロトコルを動かすことでしょう。 明らかに、「外部」のSASLメカニズムが輸送サービスが接続を保証して、クライアントを認証して、SASLが承認のアイデンティティを交渉するケースを扱うことを意図します。
When using SASL underneath a sufficiently strong Transport Security service, a SASL security layer would most likely be redundant. The client and server would thus probably want to negotiate off the use of a SASL security layer.
十分強いTransport Securityサービスの下にSASLを使用するとき、SASLセキュリティ層はたぶん余分でしょう。 その結果、クライアントとサーバはたぶんSASLセキュリティ層の使用で交渉したがっているでしょう。
Myers Standards Track [Page 15] RFC 2222 SASL October 1997
マイアーズ規格はSASL1997年10月にRFC2222を追跡します[15ページ]。
Full Copyright Statement
完全な著作権宣言文
Copyright (C) The Internet Society (1997). All Rights Reserved.
Copyright(C)インターネット協会(1997)。 All rights reserved。
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implmentation may be prepared, copied, published andand distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
それに関するこのドキュメントと翻訳をコピーして、他のものに提供するかもしれません、そして、そうでなければ、implmentationを批評するか、それについて説明するか、または補助する派生している作品は全体か一部分配された、準備されて、コピーされて、発行されたandandであるかもしれません、どんな種類の制限なしでも、上の版権情報とこのパラグラフがそのようなすべてのコピーと派生している作品の上に含まれていれば。 しかしながら、このドキュメント自体は何らかの方法で変更されないかもしれません、インターネット協会か他のインターネット組織の版権情報か参照を取り除くのなどように、それを英語以外の言語に翻訳するのが著作権のための手順がインターネットStandardsプロセスで定義したどのケースに従わなければならないか、必要に応じてさもなければ、インターネット標準を開発する目的に必要であるのを除いて。
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
上に承諾された限られた許容は、永久であり、インターネット協会、後継者または案配によって取り消されないでしょう。
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
このドキュメントとそして、「そのままで」という基礎とインターネットの振興発展を目的とする組織に、インターネット・エンジニアリング・タスク・フォースが速達の、または、暗示しているすべての保証を放棄するかどうかというここにことであり、他を含んでいて、含まれて、情報の使用がここに侵害しないどんな保証も少しもまっすぐになるという情報か市場性か特定目的への適合性のどんな黙示的な保証。
Myers Standards Track [Page 16]
マイアーズ標準化過程[16ページ]
一覧
スポンサーリンク
