Network Working Group R. Housley
Request for Comments: 3770 Vigil Security
Category: Standards Track T. Moore
Microsoft
May 2004
Network Working Group R. Housley
Request for Comments: 3770 Vigil Security
Category: Standards Track T. Moore
Microsoft
May 2004
Certificate Extensions and Attributes Supporting Authentication in Point-to-Point Protocol (PPP) and Wireless Local Area Networks (WLAN)
支持点对点协议(PPP)和无线局域网(WLAN)中身份验证的证书扩展和属性
Status of this Memo
本备忘录的状况
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
本文件规定了互联网社区的互联网标准跟踪协议,并要求进行讨论和提出改进建议。有关本协议的标准化状态和状态,请参考当前版本的“互联网官方协议标准”(STD 1)。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (2004). All Rights Reserved.
版权所有(C)互联网协会(2004年)。版权所有。
Abstract
摘要
This document defines two EAP extended key usage values and a public key certificate extension to carry Wireless LAN (WLAN) System Service identifiers (SSIDs).
本文档定义了两个EAP扩展密钥使用值和一个公钥证书扩展,以携带无线LAN(WLAN)系统服务标识符(SSID)。
Several Extensible Authentication Protocol (EAP) [EAP] authentication methods employ X.509 public key certificates. For example, EAP-TLS [EAP-TLS] can be used with PPP [PPP] as well as IEEE 802.1X [802.1X]. PPP is used for dial-up and VPN environments. IEEE 802.1X defines port-based, network access control, and it is used to provide authenticated network access for Ethernet, Token Ring, and Wireless LANs (WLANs) [802.11].
几种可扩展身份验证协议(EAP)[EAP]身份验证方法使用X.509公钥证书。例如,EAP-TLS[EAP-TLS]可以与PPP[PPP]以及IEEE 802.1X[802.1X]一起使用。PPP用于拨号和VPN环境。IEEE 802.1X定义了基于端口的网络访问控制,用于为以太网、令牌环和无线局域网(WLAN)提供经过身份验证的网络访问[802.11]。
Automated selection of certificates for PPP and IEEE 802.1X clients is highly desirable. By using certificate extensions to identify the intended environment for a particular certificate, the need for user input is minimized. Further, the certificate extensions facilitate the separation of administrative functions associated with certificates used for different environments.
为PPP和IEEE 802.1X客户端自动选择证书是非常可取的。通过使用证书扩展来识别特定证书的预期环境,用户输入的需求被最小化。此外,证书扩展有助于分离与用于不同环境的证书相关联的管理功能。
IEEE 802.1X can be used for authentication with multiple networks. For example, the same wireless station might use IEEE 802.1X to authenticate to a corporate IEEE 802.11 WLAN and a public IEEE 802.11 "hotspot." Each of these IEEE 802.11 WLANs has a different network name, called Service Set Identifier (SSID). If the network operators have a roaming agreement, then cross realm authentication allows the same certificate to be used on both networks. However, if the networks do not have a roaming agreement, then the IEEE 802.1X client needs to select a certificate for the current network environment. Including a list of SSIDs in a certificate extension facilitates automated selection of an appropriate X.509 public key certificate without human user input. Alternatively, a companion attribute certificate could contain the list of SSIDs.
IEEE 802.1X可用于多个网络的身份验证。例如,同一无线站可能使用IEEE 802.1X对公司IEEE 802.11 WLAN和公共IEEE 802.11“热点”进行身份验证。这些IEEE 802.11 WLAN中的每一个都有一个不同的网络名称,称为服务集标识符(SSID)。如果网络运营商有漫游协议,则跨域身份验证允许在两个网络上使用相同的证书。但是,如果网络没有漫游协议,则IEEE 802.1X客户端需要为当前网络环境选择一个证书。在证书扩展中包含SSID列表有助于自动选择适当的X.509公钥证书,而无需人工用户输入。或者,伴随属性证书可以包含SSID列表。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14, RFC 2119 [STDWORDS].
本文件中的关键词“必须”、“不得”、“要求”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照BCP 14、RFC 2119[STDWORDS]中的描述进行解释。
All X.509 certificate [X.509] extensions are defined using ASN.1 [X.208, X.209].
所有X.509证书[X.509]扩展都是使用ASN.1[X.208,X.209]定义的。
RFC 3280 [PROFILE] specifies the extended key usage X.509 certificate extension. The extension indicates one or more purposes for which the certified public key may be used. The extended key usage extension can be used in conjunction with key usage extension, which indicates the intended purpose of the certified public key. For example, the key usage extension might indicate that the certified public key ought to be used only for validating digital signatures.
RFC 3280[PROFILE]指定扩展密钥使用X.509证书扩展。扩展名表示认证公钥可用于的一个或多个目的。扩展密钥使用扩展可以与密钥使用扩展一起使用,它指示认证公钥的预期用途。例如,密钥使用扩展可能指示认证公钥应该仅用于验证数字签名。
The extended key usage extension definition is repeated here for convenience:
为方便起见,此处重复了扩展密钥使用扩展定义:
id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}
id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}
ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
KeyPurposeId ::= OBJECT IDENTIFIER
KeyPurposeId ::= OBJECT IDENTIFIER
This specification defines two KeyPurposeId values: one for EAP over PPP, and one for EAP over LAN (EAPOL). Inclusion of the EAP over PPP value indicates that the certified public key is appropriate for use
本规范定义了两个KeyPurposeId值:一个用于PPP上的EAP,另一个用于LAN上的EAP(EAPOL)。包含EAP over PPP值表示认证公钥适合使用
with EAP in the PPP environment, and the inclusion of the EAPOL value indicates that the certified public key is appropriate for use with the EAP in the LAN environment. Inclusion of both values indicates that the certified public key is appropriate for use in either of the environments.
在PPP环境中使用EAP,并且包含EAPOL值表示认证公钥适合在LAN环境中与EAP一起使用。包含这两个值表示认证公钥适合在这两种环境中使用。
id-kp OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
dod(6) internet(1) security(5) mechanisms(5) pkix(7) 3 }
id-kp OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
dod(6) internet(1) security(5) mechanisms(5) pkix(7) 3 }
id-kp-eapOverPPP OBJECT IDENTIFIER ::= { id-kp 13 }
id-kp-eapOverPPP OBJECT IDENTIFIER ::= { id-kp 13 }
id-kp-eapOverLAN OBJECT IDENTIFIER ::= { id-kp 14 }
id-kp-eapOverLAN OBJECT IDENTIFIER ::= { id-kp 14 }
The extended key usage extension may, at the option of the certificate issuer, be either critical or non-critical. If the extension is marked as critical, then the certified public key MUST be used only for the purposes indicated. However, if the extension is marked as non-critical, then extended key usage extension MAY be used to support the location of an appropriate certified public key.
根据证书颁发者的选择,扩展密钥使用扩展可以是关键的,也可以是非关键的。如果扩展被标记为关键,则认证公钥必须仅用于指定的目的。但是,如果扩展被标记为非关键,那么扩展密钥使用扩展可用于支持适当的认证公钥的位置。
If a certificate contains both a critical key usage extension and a critical extended key usage extension, then both extensions MUST be processed independently, and the certificate MUST only be used for a purpose consistent with both extensions. If there is no purpose consistent with both critical extensions, then the certificate MUST NOT be used for any purpose.
如果证书同时包含关键密钥使用扩展和关键扩展密钥使用扩展,则必须独立处理这两个扩展,并且证书只能用于与这两个扩展一致的目的。如果没有与两个关键扩展一致的目的,则证书不得用于任何目的。
The Wireless LAN (WLAN) System Service identifiers (SSIDs) public key certificate extension is always non-critical. It contains a list of SSIDs. When more than one certificate includes an extended key usage extension indicating that the certified public key is appropriate for use with the EAP in the LAN environment, then the list of SSIDs MAY be used to select the correct certificate for authentication in a particular WLAN.
无线局域网(WLAN)系统服务标识符(SSID)公钥证书扩展始终是非关键的。它包含一个SSID列表。当多个证书包括扩展密钥使用扩展,指示经认证的公钥适合在LAN环境中与EAP一起使用时,则ssid的列表可用于选择用于特定WLAN中的认证的正确证书。
Since SSID values are unmanaged, the same SSID can appear in different certificates that are intended to be used with different WLANs. When this occurs, automatic selection of the certificate will fail, and the implementation SHOULD obtain help from the user to choose the correct certificate. In cases where a human user is unavailable, each potential certificate MAY be tried until one succeeds. However, by maintaining a cache of Access Point (AP) MAC addresses or authentication server identity with which the certificate has successfully authenticated, user involvement can be minimized. RADIUS [RADIUS1, RADIUS2] is usually used as the
由于SSID值是非托管的,因此相同的SSID可以出现在用于不同WLAN的不同证书中。当发生这种情况时,证书的自动选择将失败,并且实现应获得用户的帮助以选择正确的证书。在人工用户不可用的情况下,可以尝试每个可能的证书,直到其中一个成功。然而,通过维护证书已成功认证的接入点(AP)MAC地址或认证服务器标识的缓存,用户参与可以最小化。半径[RADIUS1,RADIUS2]通常用作
authentication service in WLAN deployments. The cache can be used to avoid future human user interaction or certificate selection by trial-and-error.
WLAN部署中的身份验证服务。缓存可用于避免未来的人机交互或通过试错选择证书。
The WLAN SSID extension is identified by id-pe-wlanSSID.
WLAN SSID扩展由id pe wlanSSID标识。
id-pe OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
dod(6) internet(1) security(5) mechanisms(5) pkix(7) 1 }
id-pe OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
dod(6) internet(1) security(5) mechanisms(5) pkix(7) 1 }
id-pe-wlanSSID OBJECT IDENTIFIER ::= { id-pe 13 }
id-pe-wlanSSID OBJECT IDENTIFIER ::= { id-pe 13 }
The syntax for the WLAN SSID extension is:
WLAN SSID扩展的语法为:
SSIDList ::= SEQUENCE SIZE (1..MAX) OF SSID
SSIDList ::= SEQUENCE SIZE (1..MAX) OF SSID
SSID ::= OCTET STRING (SIZE (1..32))
SSID ::= OCTET STRING (SIZE (1..32))
When the public key certificate does not include the WLAN SSID certificate extension, then an attribute certificate [ACPROFILE] can be used to associate a list of SSIDs with the public key certificate. The WLAN SSIDs attribute certificate attribute contains a list of SSIDs, and the list of SSIDs MAY be used to select the correct certificate for authentication in a particular WLAN environment.
当公钥证书不包括WLAN SSID证书扩展时,可以使用属性证书[ACPROFILE]将SSID列表与公钥证书关联。WLAN SSID属性证书属性包含SSID列表,SSID列表可用于在特定WLAN环境中选择正确的认证证书。
The WLAN SSID attribute certificate attribute is identified by id-aca-wlanSSID.
WLAN SSID属性证书属性由id aca wlanSSID标识。
id-aca OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
dod(6) internet(1) security(5) mechanisms(5) pkix(7) 10 }
id-aca OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
dod(6) internet(1) security(5) mechanisms(5) pkix(7) 10 }
id-aca-wlanSSID OBJECT IDENTIFIER ::= { id-aca 6 }
id-aca-wlanSSID OBJECT IDENTIFIER ::= { id-aca 6 }
The syntax for the WLAN SSID attribute certificate attribute is exactly the same as the WLAN SSID extension:
WLAN SSID属性证书属性的语法与WLAN SSID扩展完全相同:
SSIDList ::= SEQUENCE SIZE (1..MAX) OF SSID
SSIDList ::= SEQUENCE SIZE (1..MAX) OF SSID
SSID ::= OCTET STRING (SIZE (1..32))
SSID ::= OCTET STRING (SIZE (1..32))
The procedures and practices employed by the certification authority (CA) MUST ensure that the correct values for the extended key usage extension and SSID extension are inserted in each certificate that is issued. Relying parties may accept or reject a particular certificate for an intended use based on the information provided in
证书颁发机构(CA)采用的程序和实践必须确保在颁发的每个证书中插入扩展密钥使用扩展和SSID扩展的正确值。依赖方可根据本协议中提供的信息,接受或拒绝用于预期用途的特定证书
these extensions. Incorrect representation of the information in either extension could cause the relying party to reject an otherwise appropriate certificate or accept a certificate that ought to be rejected.
这些扩展。任何扩展中信息的不正确表示都可能导致依赖方拒绝本应拒绝的证书或接受本应拒绝的证书。
If multiple SSIDs are included in a certificate, then information can be obtained from a certificate about the SSIDs associated with several WLANs, not the WLAN that is currently being accessed. The intended use of the SSID extensions is to help a client determine the correct certificate to present when trying to gain access to a WLAN. In most situations, including EAP-TLS, the client will have the opportunity to validate the certificate provided by the server before transmitting one of its own certificates to the server. While the client may not be sure that the server has access to the corresponding private key until later in the protocol exchange, the identity information in the server certificate can be used to determine whether or not the client certificate ought to be provided. When the same client certificate is used to authenticate to multiple WLANs, the list of SSIDs is available from servers associated with each WLAN. Of course, the list of SSIDs is also made available to any eavesdroppers on the WLAN. Whenever this SSID disclosure is a concern, different client certificates ought to be used for the each WLAN.
如果证书中包含多个SSID,则可以从证书中获取与多个WLAN相关联的SSID的信息,而不是当前正在访问的WLAN的信息。SSID扩展的预期用途是帮助客户端在尝试访问WLAN时确定要显示的正确证书。在大多数情况下,包括EAP-TLS,客户机将有机会在向服务器传输自己的证书之前验证服务器提供的证书。虽然客户端可能直到稍后在协议交换中才确定服务器有权访问相应的私钥,但服务器证书中的身份信息可用于确定是否应提供客户端证书。当使用同一客户端证书对多个WLAN进行身份验证时,SSID列表可从与每个WLAN关联的服务器获得。当然,无线局域网上的任何窃听者也可以使用SSID列表。每当涉及到SSID泄漏时,每个WLAN都应该使用不同的客户端证书。
SSID values are unmanaged; therefore SSIDs may not be unique. Hence, it is possible for client certificates that are intended to be used with different WLANs to contain the same SSID. In this case, automatic selection of the certificate will fail, and the implementation SHOULD obtain help from the user to choose the correct certificate. In cases where a human user is unavailable, each potential certificate MAY be tried until one succeeds, disclosing the list of SSIDs associated with each certificate, which might otherwise not be disclosed. Therefore, it is RECOMMENDED that sequentially trying each certificate only be employed when user selection is unavailable or impractical.
SSID值是非托管的;因此,SSID可能不是唯一的。因此,用于不同WLAN的客户端证书可能包含相同的SSID。在这种情况下,证书的自动选择将失败,实现应获得用户的帮助以选择正确的证书。在人类用户不可用的情况下,可能会尝试每个潜在的证书,直到其中一个证书成功,并披露与每个证书相关联的SSID列表,否则可能不会披露该列表。因此,建议仅当用户选择不可用或不切实际时才使用顺序尝试每个证书。
In practice, disclosure of the SSID is of little concern. Some WLAN security experts recommend that the SSID be masked in the beacon sent out by Access Points (APs). The intent is to make it harder for an attacker to find the correct AP to target. However, other WLAN management messages include the SSID, so this practice only forces the attacker to eavesdrop on the WLAN management messages instead of the beacon. Therefore, placing the SSID in the certificate does not make matters worse.
在实践中,SSID的披露很少受到关注。一些WLAN安全专家建议在接入点(AP)发出的信标中屏蔽SSID。其目的是使攻击者更难找到正确的目标AP。但是,其他WLAN管理消息包括SSID,因此这种做法只会迫使攻击者窃听WLAN管理消息,而不是信标。因此,将SSID放在证书中不会使情况变得更糟。
Certificate extensions and extended key usage values are identified by object identifiers (OIDs). Some of the OIDs used in this document are copied from X.509 [X.509]. Other OIDs were assigned from an arc delegated by the IANA. No further action by the IANA is necessary for this document or any anticipated updates.
证书扩展和扩展密钥使用值由对象标识符(OID)标识。本文档中使用的一些OID是从X.509[X.509]复制而来的。其他OID由IANA授权的arc分配。IANA无需对本文件或任何预期更新采取进一步行动。
[ACPROFILE] Farrell, S. and R. Housley, "An Internet Attribute Certificate Profile for Authorization", RFC 3281, April 2002.
[ACPROFILE]Farrell,S.和R.Housley,“用于授权的Internet属性证书配置文件”,RFC 3281,2002年4月。
[PROFILE] Housley, R., Polk, W., Ford, W. and D. Solo, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3280, April 2002.
[简介]Housley,R.,Polk,W.,Ford,W.和D.Solo,“互联网X.509公钥基础设施证书和证书撤销列表(CRL)简介”,RFC 32802002年4月。
[STDWORDS] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[STDWORDS]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[X.208] CCITT. Recommendation X.208: Specification of Abstract Syntax Notation One (ASN.1), 1988.
[X.208]CCITT。建议X.208:抽象语法符号一的规范(ASN.1),1988年。
[X.209] CCITT. Recommendation X.209: Specification of Basic Encoding Rules for Abstract Syntax Notation One (ASN.1), 1988.
[X.209]CCITT。建议X.209:抽象语法符号1(ASN.1)基本编码规则规范,1988年。
[X.509] ITU-T. Recommendation X.509: The Directory - Authentication Framework, 2000.
[X.509]ITU-T.建议X.509:目录认证框架,2000年。
[802.11] IEEE Std 802.11, "Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications", 1999.
[802.11]IEEE标准802.11,“无线局域网介质访问控制(MAC)和物理层(PHY)规范”,1999年。
[802.1X] IEEE Std 802.1X, "Port-based Network Access Control", 2001.
[802.1X]IEEE标准802.1X,“基于端口的网络访问控制”,2001年。
[EAP] Blunk, L. and J. Vollbrecht, "PPP Extensible Authentication Protocol (EAP)", RFC 2284, March 1998.
[EAP]Blunk,L.和J.Vollbrecht,“PPP可扩展认证协议(EAP)”,RFC 2284,1998年3月。
[EAP-TLS] Aboba, B. and D. Simon, "PPP EAP TLS Authentication Protocol", RFC 2716, October 1999.
[EAP-TLS]Aboba,B.和D.Simon,“PPP EAP TLS认证协议”,RFC 2716,1999年10月。
[PPP] Simpson, W., Ed., "The Point-to-Point Protocol (PPP)", STD 51, RFC 1661, July 1994.
[PPP]辛普森,W.,编辑,“点对点协议(PPP)”,STD 51,RFC 1661994年7月。
[RADIUS1] Rigney, C., Willens, S., Rubens, A. and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000.
[RADIUS1]Rigney,C.,Willens,S.,Rubens,A.和W.Simpson,“远程认证拨入用户服务(RADIUS)”,RFC 28652000年6月。
[RADIUS2] Congdon, P., Aboba, B., Smith, A., Zorn, G. and J. Roese, "IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines", RFC 3580, September 2003.
[RADIUS2]Congdon,P.,Aboba,B.,Smith,A.,Zorn,G.和J.Roese,“IEEE 802.1X远程认证拨入用户服务(RADIUS)使用指南”,RFC 35802003年9月。
WLANCertExtn
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-wlan-extns(24) }
WLANCertExtn
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-wlan-extns(24) }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
-- OID Arcs
--弧线
id-pe OBJECT IDENTIFIER ::=
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) 1 }
id-pe OBJECT IDENTIFIER ::=
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) 1 }
id-kp OBJECT IDENTIFIER ::=
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) 3 }
id-kp OBJECT IDENTIFIER ::=
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) 3 }
id-aca OBJECT IDENTIFIER ::=
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) 10 }
id-aca OBJECT IDENTIFIER ::=
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) 10 }
-- Extended Key Usage Values
--扩展密钥使用值
id-kp-eapOverPPP OBJECT IDENTIFIER ::= { id-kp 13 }
id-kp-eapOverPPP OBJECT IDENTIFIER ::= { id-kp 13 }
id-kp-eapOverLAN OBJECT IDENTIFIER ::= { id-kp 14 }
id-kp-eapOverLAN OBJECT IDENTIFIER ::= { id-kp 14 }
-- Wireless LAN SSID Extension
--无线局域网SSID扩展
id-pe-wlanSSID OBJECT IDENTIFIER ::= { id-pe 13 }
id-pe-wlanSSID OBJECT IDENTIFIER ::= { id-pe 13 }
SSIDList ::= SEQUENCE SIZE (1..MAX) OF SSID
SSIDList ::= SEQUENCE SIZE (1..MAX) OF SSID
SSID ::= OCTET STRING (SIZE (1..32))
SSID ::= OCTET STRING (SIZE (1..32))
-- Wireless LAN SSID Attribute Certificate Attribute
-- Uses same syntax as the certificate extension: SSIDList
-- Wireless LAN SSID Attribute Certificate Attribute
-- Uses same syntax as the certificate extension: SSIDList
id-aca-wlanSSID OBJECT IDENTIFIER ::= { id-aca 6 }
id-aca-wlanSSID OBJECT IDENTIFIER ::= { id-aca 6 }
END
终止
Russell Housley Vigil Security, LLC 918 Spring Knoll Drive Herndon, VA 20170 USA
Russell Housley Vigil Security,LLC 918 Spring Knoll Drive Herndon,弗吉尼亚州,邮编20170
EMail: housley@vigilsec.com
EMail: housley@vigilsec.com
Tim Moore Microsoft Corporation One Microsoft Way Redmond, WA 98052 USA
蒂姆·摩尔微软公司美国华盛顿州雷德蒙微软大道一号,邮编:98052
EMail: timmoore@microsoft.com
EMail: timmoore@microsoft.com
Copyright (C) The Internet Society (2004). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
版权所有(C)互联网协会(2004年)。本文件受BCP 78中包含的权利、许可和限制的约束,除其中规定外,作者保留其所有权利。
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件及其包含的信息是按“原样”提供的,贡献者、他/她所代表或赞助的组织(如有)、互联网协会和互联网工程任务组不承担任何明示或暗示的担保,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Intellectual Property
知识产权
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何独立努力来确定任何此类权利。有关RFC文件中权利的程序信息,请参见BCP 78和BCP 79。
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
向IETF秘书处披露的知识产权副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果,可从IETF在线知识产权存储库获取,网址为http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涵盖实施本标准所需技术的专有权利。请将信息发送至IETF的IETF-ipr@ietf.org.
Acknowledgement
确认
Funding for the RFC Editor function is currently provided by the Internet Society.
RFC编辑功能的资金目前由互联网协会提供。