| draft-ietf-krb-wg-anon-11.txt | draft-ietf-krb-wg-anon-12.txt |
|---|---|
| NETWORK WORKING GROUP L. Zhu | NETWORK WORKING GROUP L. Zhu |
| Internet-Draft P. Leach | Internet-Draft P. Leach |
| Updates: 4120, 4121 and 4556 Microsoft Corporation | Updates: 4120, 4121 and 4556 Microsoft Corporation |
| (if approved) S. Hartman | (if approved) S. Hartman |
| Intended status: Standards Track Painless Security | Intended status: Standards Track Painless Security |
| Expires: December 31, 2010 June 29, 2010 | Expires: March 3, 2011 August 30, 2010 |
| Anonymity Support for Kerberos | Anonymity Support for Kerberos |
| draft-ietf-krb-wg-anon-11 | draft-ietf-krb-wg-anon-12 |
| Abstract | Abstract |
| This document defines extensions to the Kerberos protocol to allow a | This document defines extensions to the Kerberos protocol to allow a |
| Kerberos client to securely communicate with a Kerberos application | Kerberos client to securely communicate with a Kerberos application |
| service without revealing its identity, or without revealing more | service without revealing its identity, or without revealing more |
| than its Kerberos realm. It also defines extensions which allow a | than its Kerberos realm. It also defines extensions which allow a |
| Kerberos client to obtain anonymous credentials without revealing its | Kerberos client to obtain anonymous credentials without revealing its |
| identity to the Kerberos Key Distribution Center (KDC). This | identity to the Kerberos Key Distribution Center (KDC). This |
| document updates RFC 4120, RFC 4121, and RFC 4556. | document updates RFC 4120, RFC 4121, and RFC 4556. |
| Status of this Memo | Status of this Memo |
| This Internet-Draft is submitted to IETF in full conformance with the | This Internet-Draft is submitted in full conformance with the |
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. |
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering |
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF). Note that other groups may also distribute |
| other groups may also distribute working documents as Internet- | working documents as Internet-Drafts. The list of current Internet- |
| Drafts. | Drafts is at http://datatracker.ietf.org/drafts/current/. |
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months |
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any |
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference |
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." |
| The list of current Internet-Drafts can be accessed at | This Internet-Draft will expire on March 3, 2011. |
| http://www.ietf.org/ietf/1id-abstracts.txt. |  |
| The list of Internet-Draft Shadow Directories can be accessed at |  |
| http://www.ietf.org/shadow.html. |  |
| This Internet-Draft will expire on December 31, 2010. |  |
| Copyright Notice | Copyright Notice |
| Copyright (c) 2010 IETF Trust and the persons identified as the | Copyright (c) 2010 IETF Trust and the persons identified as the |
| document authors. All rights reserved. | document authors. All rights reserved. |
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal |
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents |
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of |
| publication of this document. Please review these documents | publication of this document. Please review these documents |
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect |
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must |
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of |
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as |
| described in the BSD License. | described in the Simplified BSD License. |
| This document may contain material from IETF Documents or IETF | This document may contain material from IETF Documents or IETF |
| Contributions published or made publicly available before November | Contributions published or made publicly available before November |
| 10, 2008. The person(s) controlling the copyright in some of this | 10, 2008. The person(s) controlling the copyright in some of this |
| material may not have granted the IETF Trust the right to allow | material may not have granted the IETF Trust the right to allow |
| modifications of such material outside the IETF Standards Process. | modifications of such material outside the IETF Standards Process. |
| Without obtaining an adequate license from the person(s) controlling | Without obtaining an adequate license from the person(s) controlling |
| the copyright in such materials, this document may not be modified | the copyright in such materials, this document may not be modified |
| outside the IETF Standards Process, and derivative works of it may | outside the IETF Standards Process, and derivative works of it may |
| not be created outside the IETF Standards Process, except to format | not be created outside the IETF Standards Process, except to format |
| it for publication as an RFC or to translate it into languages other | it for publication as an RFC or to translate it into languages other |
| than English. | than English. |
| Table of Contents | Table of Contents |
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 |
| 2. Conventions Used in This Document . . . . . . . . . . . . . . 3 | 2. Conventions Used in This Document . . . . . . . . . . . . . . 4 |
| 3. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 3. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 4 |
| 4. Protocol Description . . . . . . . . . . . . . . . . . . . . . 5 | 4. Protocol Description . . . . . . . . . . . . . . . . . . . . . 6 |
| 4.1. Anonymity Support in AS Exchange . . . . . . . . . . . . . 5 | 4.1. Anonymity Support in AS Exchange . . . . . . . . . . . . . 6 |
| 4.1.1. Anonymous PKINIT . . . . . . . . . . . . . . . . . . . 6 | 4.1.1. Anonymous PKINIT . . . . . . . . . . . . . . . . . . . 7 |
| 4.2. Anonymity Support in TGS Exchange . . . . . . . . . . . . 7 | 4.2. Anonymity Support in TGS Exchange . . . . . . . . . . . . 8 |
| 4.3. Subsequent Exchanges and Protocol Actions Common to AS | 4.3. Subsequent Exchanges and Protocol Actions Common to AS |
| and TGS for Anonymity Support . . . . . . . . . . . . . . 9 | and TGS for Anonymity Support . . . . . . . . . . . . . . 10 |
| 5. Interoperability Requirements . . . . . . . . . . . . . . . . 10 | 5. Interoperability Requirements . . . . . . . . . . . . . . . . 11 |
| 6. GSS-API Implementation Notes . . . . . . . . . . . . . . . . . 10 | 6. GSS-API Implementation Notes . . . . . . . . . . . . . . . . . 11 |
| 7. PKINIT Client Contribution to the Ticket Session Key . . . . . 11 | 7. PKINIT Client Contribution to the Ticket Session Key . . . . . 12 |
| 7.1. Combinging Two protocol Keys . . . . . . . . . . . . . . . 12 | 7.1. Combinging Two protocol Keys . . . . . . . . . . . . . . . 13 |
| 8. Security Considerations . . . . . . . . . . . . . . . . . . . 13 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 14 |
| 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 13 | 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 14 |
| 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 | 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 |
| 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14 | 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 15 |
| 11.1. Normative References . . . . . . . . . . . . . . . . . . . 14 | 11.1. Normative References . . . . . . . . . . . . . . . . . . . 15 |
| 11.2. Informative References . . . . . . . . . . . . . . . . . . 15 | 11.2. Informative References . . . . . . . . . . . . . . . . . . 16 |
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 15 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 16 |
| 1. Introduction | 1. Introduction |
| In certain situations, the Kerberos [RFC4120] client may wish to | In certain situations, the Kerberos [RFC4120] client may wish to |
| authenticate a server and/or protect communications without revealing | authenticate a server and/or protect communications without revealing |
| the client's own identity. For example, consider an application | the client's own identity. For example, consider an application |
| which provides read access to a research database, and which permits | which provides read access to a research database, and which permits |
| queries by arbitrary requestors. A client of such a service might | queries by arbitrary requestors. A client of such a service might |
| wish to authenticate the service, to establish trust in the | wish to authenticate the service, to establish trust in the |
| information received from it, but might not wish to disclose the | information received from it, but might not wish to disclose the |
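Review bot: the Table of Contents entry for section 7.1, "Combinging Two protocol Keys", carries a spelling error ("Combinging" for "Combining") and an uncapitalized "protocol" in both the -11 and -12 columns; -12 only moves its page number from 12 to 13, so the section title itself still needs correcting to "Combining Two Protocol Keys" in the next revision.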
skipping to change at page 15, line 35

| draft-ietf-krb-wg-anon-11.txt | draft-ietf-krb-wg-anon-12.txt |
|---|---|
| This document defines a new 'anonymous' Kerberos well-known name and | This document defines a new 'anonymous' Kerberos well-known name and |
| a new 'anonymous' Kerberos well-known realm based on [KRBNAM]. IANA | a new 'anonymous' Kerberos well-known realm based on [KRBNAM]. IANA |
| is requested to add these two values to the Kerberos naming | is requested to add these two values to the Kerberos naming |
| registries that are created in [KRBNAM]. | registries that are created in [KRBNAM]. |
| 11. References | 11. References |
| 11.1. Normative References | 11.1. Normative References |
| [ASAX34] American Standards Institute, "American Standard Code for |  |
| Information Interchange", ASA X3.4-1963, June 1963. |  |
| [KRBNAM] Zhu, L., "Additional Kerberos Naming Constraints", | [KRBNAM] Zhu, L., "Additional Kerberos Naming Constraints", |
| draft-ietf-krb-wg-naming (work in progress), 2008. | draft-ietf-krb-wg-naming (work in progress), 2008. |
| [RFC1964] Linn, J., "The Kerberos Version 5 GSS-API Mechanism", | [RFC1964] Linn, J., "The Kerberos Version 5 GSS-API Mechanism", |
| RFC 1964, June 1996. | RFC 1964, June 1996. |
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate |
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. |
| [RFC2743] Linn, J., "Generic Security Service Application Program | [RFC2743] Linn, J., "Generic Security Service Application Program |
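Review bot: the -12 column drops the [ASAX34] entry (ASA X3.4-1963) from Normative References while leaving the surrounding entries unchanged; the body text that would cite [ASAX34] is outside this excerpt, so confirm that every citation of it was removed from -12 as well, since a citation with no matching reference entry is a defect that will block publication.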
End of changes. 9 change blocks. 33 lines changed or deleted, 30 lines changed or added.

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/