idnits 2.17.1 

draft-ietf-kitten-krb-auth-indicator-02.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The abstract seems to contain references ([RFC4120]), which it
     shouldn't.  Please replace those with straight textual mentions of the
     documents in question.

  -- The draft header indicates that this document updates RFC4120, but the
     abstract doesn't seem to directly say this.  It does mention RFC4120
     though, so this could be OK.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

     (Using the creation date from RFC4120, updated by this document, for
     RFC5378 checks: 2002-02-27)

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (May 16, 2016) is 2895 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: 'MS-SFU' is defined on line 163, but no explicit
     reference was found in the text


     Summary: 2 errors (**), 0 flaws (~~), 2 warnings (==), 3 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Internet Engineering Task Force                                  A. Jain
3	Internet-Draft                                              Georgia Tech
4	Updates: 4120 (if approved)                                    N. Kinder
5	Intended status: Standards Track                             N. McCallum
6	Expires: November 17, 2016                                 Red Hat, Inc.
7	                                                            May 16, 2016

9	              Authentication Indicator in Kerberos Tickets
10	                draft-ietf-kitten-krb-auth-indicator-02

12	Abstract

14	   This document specifies an extension in the Kerberos protocol
15	   [RFC4120].  It defines a new authorization data type AD-
16	   AUTHENTICATION-INDICATOR.  The purpose of introducing this data type
17	   is to include an indicator of the strength of a client's
18	   authentication in the service tickets so that application services
19	   can use it as an input into policy decisions.

21	Status of This Memo

23	   This Internet-Draft is submitted in full conformance with the
24	   provisions of BCP 78 and BCP 79.

26	   Internet-Drafts are working documents of the Internet Engineering
27	   Task Force (IETF).  Note that other groups may also distribute
28	   working documents as Internet-Drafts.  The list of current Internet-
29	   Drafts is at http://datatracker.ietf.org/drafts/current/.

31	   Internet-Drafts are draft documents valid for a maximum of six months
32	   and may be updated, replaced, or obsoleted by other documents at any
33	   time.  It is inappropriate to use Internet-Drafts as reference
34	   material or to cite them other than as "work in progress."

36	   This Internet-Draft will expire on November 17, 2016.

38	Copyright Notice

40	   Copyright (c) 2016 IETF Trust and the persons identified as the
41	   document authors.  All rights reserved.

43	   This document is subject to BCP 78 and the IETF Trust's Legal
44	   Provisions Relating to IETF Documents
45	   (http://trustee.ietf.org/license-info) in effect on the date of
46	   publication of this document.  Please review these documents
47	   carefully, as they describe your rights and restrictions with respect
48	   to this document.  Code Components extracted from this document must
49	   include Simplified BSD License text as described in Section 4.e of
50	   the Trust Legal Provisions and are provided without warranty as
51	   described in the Simplified BSD License.

53	Table of Contents

55	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
56	   2.  Document Conventions  . . . . . . . . . . . . . . . . . . . .   2
57	   3.  AD Type Specification . . . . . . . . . . . . . . . . . . . .   2
58	   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   3
59	   5.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   3
60	     5.1.  Normative References  . . . . . . . . . . . . . . . . . .   3
61	     5.2.  Informative References  . . . . . . . . . . . . . . . . .   4
62	   Appendix A.  ASN.1 Module . . . . . . . . . . . . . . . . . . . .   4
63	   Appendix B.  Acknowledgements . . . . . . . . . . . . . . . . . .   4

65	1.  Introduction

67	   Kerberos [RFC4120] allows secure interaction among users and services
68	   over a network.  It supports a variety of authentication mechanisms
69	   using its pre-authentication framework [RFC6113].  The Kerberos
70	   authentication service has been architected to support password based
71	   authentication as well as multi-factor authentication using one-time
72	   password devices or public key cryptography.  Implementations that
73	   have pre-authentication mechanisms offering significantly different
74	   strengths of client authentication may choose to keep track of the
75	   strength of the authentication used as an input into policy
76	   decisions.

78	   This document specifies a new authorization data type to convey
79	   authentication strength to application services.  Elements of this
80	   type appear within an AD-CAMMAC [RFC7751] container.

82	2.  Document Conventions

84	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
85	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
86	   document are to be interpreted as described in RFC 2119 [RFC2119].

88	3.  AD Type Specification

90	   The KDC MAY include the following authorization data element, wrapped
91	   in AD-CAMMAC, in initial credentials, and copy it from a ticket-
92	   granting ticket into service tickets:

94	   AD-AUTHENTICATION-INDICATOR 97
95	   The corresponding ad-data field contains the DER encoding of the
96	   following ASN.1 type:

98	   AD-AUTHENTICATION-INDICATOR ::= SEQUENCE OF UTF8String

100	   Each UTF8String value is a short string that indicates that a
101	   particular set of requirements was met during the initial
102	   authentication.  These strings are intended to be compared against
103	   known values.  They are not intended to store structured data.  These
104	   strings MAY be site-defined strings that do not contain a colon such
105	   as the name of the Pre-Authentication mechanism used, or
106	   alternatively URIs that reference a Level of Assurance Profile
107	   [RFC6711].

109	   Authorization data elements of type AD-AUTHENTICATION-INDICATOR MUST
110	   be included in an AD-CAMMAC container so that their contents can be
111	   verified as originating from the KDC.  Elements of type AD-
112	   AUTHENTICATION-INDICATOR MAY safely be ignored by applications and
113	   KDCs that do not implement this element.

115	4.  Security Considerations

117	   Elements of type AD-AUTHENTICATION-INDICATOR are wrapped in AD-CAMMAC
118	   containers.  AD-CAMMAC supersedes AD-KDC-ISSUED, and allows both
119	   application services and the KDC to verify the authenticity of the
120	   contained authorization data.

122	   KDC implementations MUST use AD-CAMMAC verifiers as described in the
123	   the security considerations of RFC 7751 [RFC7751] to ensure that AD-
124	   AUTHENTICATION-INDICATOR elements are not modified by an attacker.
125	   Application servers MUST validate the AD-CAMMAC container before
126	   making authorization decisions based on AD-AUTHENTICATION-INDICATOR
127	   elements.  Application servers MUST NOT make authorization decisions
128	   based on AD-AUTHENTICATION-INDICATOR elements which appear outside of
129	   AD-CAMMAC containers.

131	   Using multiple strings in AD-AUTHENTICATION-INDICATOR MAY lead to
132	   ambiguity when a service tries to make a decision based on the AD-
133	   AUTHENTICATION-INDICATOR values.  This ambiguity can be avoided if
134	   indicator values are always used as a positive indication of certain
135	   requirements being met during the initial authentication.

137	5.  References

139	5.1.  Normative References

141	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
142	              Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/
143	              RFC2119, March 1997,
144	              <http://www.rfc-editor.org/info/rfc2119>.

146	   [RFC4120]  Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
147	              Kerberos Network Authentication Service (V5)", RFC 4120,
148	              DOI 10.17487/RFC4120, July 2005,
149	              <http://www.rfc-editor.org/info/rfc4120>.

151	   [RFC6113]  Hartman, S. and L. Zhu, "A Generalized Framework for
152	              Kerberos Pre-Authentication", RFC 6113, DOI 10.17487/
153	              RFC6113, April 2011,
154	              <http://www.rfc-editor.org/info/rfc6113>.

156	   [RFC7751]  Sorce, S. and T. Yu, "Kerberos Authorization Data
157	              Container Authenticated by Multiple Message Authentication
158	              Codes (MACs)", RFC 7751, DOI 10.17487/RFC7751, March 2016,
159	              <http://www.rfc-editor.org/info/rfc7751>.

161	5.2.  Informative References

163	   [MS-SFU]   Microsoft, "Kerberos Protocol Extensions: Service for User
164	              and Constrained Delegation Protocol", January 2013,
165	              <http://msdn.microsoft.com/en-us/library/cc246071.aspx>.

167	   [RFC6711]  Johansson, L., "An IANA Registry for Level of Assurance
168	              (LoA) Profiles", RFC 6711, DOI 10.17487/RFC6711, August
169	              2012, <http://www.rfc-editor.org/info/rfc6711>.

171	Appendix A.  ASN.1 Module

173	   KerberosV5AuthenticationIndicators {
174	           iso(1) identified-organization(3) dod(6) internet(1)
175	           security(5) kerberosV5(2) modules(4)
176	           authentication-indicators(9)
177	   } DEFINITIONS EXPLICIT TAGS ::= BEGIN

179	   AD-AUTHENTICATION-INDICATOR ::= SEQUENCE OF UTF8String

181	   END

183	Appendix B.  Acknowledgements

185	   Dmitri Pal (Red Hat)
186	   Simo Sorce (Red Hat)
187	   Greg Hudson (MIT)

189	Authors' Addresses

191	   Anupam Jain
192	   Georgia Tech
193	   225 North Ave NW
194	   Atlanta, GA  30332
195	   USA

197	   EMail: ajain323@gatech.edu

199	   Nathan Kinder
200	   Red Hat, Inc.
201	   444 Castro St.
202	   Suite 500
203	   Mountain View, CA  94041
204	   USA

206	   EMail: nkinder@redhat.com

208	   Nathaniel McCallum
209	   Red Hat, Inc.
210	   100 East Davie Street
211	   Raleigh, NC  27601
212	   USA

214	   EMail: npmccallum@redhat.com