
[KEYPROV] Make DSKPP server authentication extensible



Hi Andrea and Salah,

Currently, the DSKPP draft rigidly limits the server authentication data
in KeyProvServerFinished to a MAC value over some data content. However,
there are use cases where other forms of authentication data may be
available from a service provider for its server, for example, external
authentication data from a delegated third party authentication server.
Similar to the extensibility that we add to the client authentication
data format, I suggest that we also make the server authentication XML
schema extensible such that a service provider implementation may
support their additional authentication data.

The schema change will be minor. We already have AuthenticationDataType
extensible. We only need to change the authentication data in
KeyProvServerFinished from type AuthenticationMacType to more general
AuthenticationDataType.

Schema change:

Current:

<xs:complexType name="KeyProvServerFinishedPDU" mixed="false">
    ...
    <xs:element name="Mac" type="dskpp:MacType"/>
    <xs:element name="AuthenticationData"
type="dskpp:AuthenticationMacType" minOccurs="0"/>
    ...
</xs:complexType>

To

<xs:complexType name="KeyProvServerFinishedPDU" mixed="false">
    ...
    <xs:element name="Mac" type="dskpp:MacType"/>
    <xs:element name="AuthenticationData"
type="dskpp:AuthenticationDataType" minOccurs="0"/>
    ...
</xs:complexType>

where

<xs:complexType name="AuthenticationDataType">
    <xs:sequence>
        <xs:element name="ClientID" type="dskpp:IdentifierType" />
        <xs:choice>
            <xs:element name="AuthenticationCodeMac"
type="dskpp:AuthenticationMacType"/>
            <xs:any namespace="##other" processContents="strict" />
        </xs:choice>
    </xs:sequence>
</xs:complexType>
 
Thoughts?

- Ming
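As an added example (not code from the mail or the DSKPP draft), a small Python check that enforces the proposed AuthenticationDataType structure on a KeyProvServerFinished PDU, including the `##other` namespace rule and strict processing of extension elements. The namespace URI, the registry of known extension elements and the sample PDUs are assumptions.

```python
import xml.etree.ElementTree as ET

# Assumed DSKPP target namespace (not quoted in the mail).
NS = "urn:ietf:params:xml:ns:keyprov:dskpp"
# processContents="strict" needs a declaration for the foreign element; this
# registry of extension elements a validator knows about is an assumption.
KNOWN_EXTENSIONS = {"{urn:example:third-party}DelegatedAssertion"}

def _qname(tag):
    """Split an ElementTree Clark tag '{ns}local' into (ns, local)."""
    return tuple(tag[1:].split("}", 1)) if tag.startswith("{") else ("", tag)

def check_authentication_data(elem):
    """Validate AuthenticationData against the proposed AuthenticationDataType:
    ClientID, then AuthenticationCodeMac or one foreign-namespace element."""
    kids = list(elem)
    if len(kids) != 2:
        return False, "expected ClientID followed by exactly one choice element"
    if _qname(kids[0].tag) != (NS, "ClientID") or not (kids[0].text or "").strip():
        return False, "first child must be a non-empty dskpp:ClientID"
    ns, local = _qname(kids[1].tag)
    if (ns, local) == (NS, "AuthenticationCodeMac"):
        return True, "MAC-based server authentication"
    # xs:any namespace="##other" excludes the target namespace and no-namespace.
    if ns in ("", NS):
        return False, "extension element must be in a namespace other than dskpp"
    if kids[1].tag not in KNOWN_EXTENSIONS:
        return False, "strict processing: no declaration for %s" % kids[1].tag
    return True, "external server authentication via %s" % local

def check_server_finished(xml_text):
    """Locate AuthenticationData in a KeyProvServerFinished PDU and check it."""
    ad = ET.fromstring(xml_text).find("{%s}AuthenticationData" % NS)
    if ad is None:
        return True, "AuthenticationData absent (minOccurs=0)"
    return check_authentication_data(ad)

def _pdu(body):
    """Build a constructed sample PDU; element content is illustrative only."""
    return ('<dskpp:KeyProvServerFinished xmlns:dskpp="%s" '
            'xmlns:ext="urn:example:third-party"><dskpp:Mac>c2FtcGxl</dskpp:Mac>'
            '<dskpp:AuthenticationData>%s</dskpp:AuthenticationData>'
            '</dskpp:KeyProvServerFinished>') % (NS, body)

MAC_PDU = _pdu("<dskpp:ClientID>client-1</dskpp:ClientID>"
               "<dskpp:AuthenticationCodeMac>YWJj</dskpp:AuthenticationCodeMac>")
EXT_PDU = _pdu("<dskpp:ClientID>client-1</dskpp:ClientID>"
               "<ext:DelegatedAssertion>token</ext:DelegatedAssertion>")
SAME_NS_PDU = _pdu("<dskpp:ClientID>client-1</dskpp:ClientID><dskpp:Other>x</dskpp:Other>")
UNKNOWN_PDU = _pdu("<dskpp:ClientID>client-1</dskpp:ClientID><ext:Unregistered>x</ext:Unregistered>")
```

The same-namespace and unregistered cases show why `##other` plus `processContents="strict"` keeps the extension point from silently accepting arbitrary content.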