idnits 2.17.1 

draft-ietf-kitten-krb-auth-indicator-03.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The abstract seems to contain references ([RFC4120]), which it
     shouldn't.  Please replace those with straight textual mentions of the
     documents in question.

  -- The draft header indicates that this document updates RFC4120, but the
     abstract doesn't seem to directly say this.  It does mention RFC4120
     though, so this could be OK.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

     (Using the creation date from RFC4120, updated by this document, for
     RFC5378 checks: 2002-02-27)

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (September 28, 2016) is 2766 days in the past.  Is
     this intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: 'MS-SFU' is defined on line 168, but no explicit
     reference was found in the text


     Summary: 2 errors (**), 0 flaws (~~), 2 warnings (==), 3 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Internet Engineering Task Force                                  A. Jain
3	Internet-Draft                                              Georgia Tech
4	Updates: 4120 (if approved)                                    N. Kinder
5	Intended status: Standards Track                             N. McCallum
6	Expires: April 1, 2017                                     Red Hat, Inc.
7	                                                      September 28, 2016

9	              Authentication Indicator in Kerberos Tickets
10	                draft-ietf-kitten-krb-auth-indicator-03

12	Abstract

14	   This document specifies an extension in the Kerberos protocol
15	   [RFC4120].  It defines a new authorization data type AD-
16	   AUTHENTICATION-INDICATOR.  The purpose of introducing this data type
17	   is to include an indicator of the strength of a client's
18	   authentication in service tickets so that application services can
19	   use it as an input into policy decisions.

21	Status of This Memo

23	   This Internet-Draft is submitted in full conformance with the
24	   provisions of BCP 78 and BCP 79.

26	   Internet-Drafts are working documents of the Internet Engineering
27	   Task Force (IETF).  Note that other groups may also distribute
28	   working documents as Internet-Drafts.  The list of current Internet-
29	   Drafts is at http://datatracker.ietf.org/drafts/current/.

31	   Internet-Drafts are draft documents valid for a maximum of six months
32	   and may be updated, replaced, or obsoleted by other documents at any
33	   time.  It is inappropriate to use Internet-Drafts as reference
34	   material or to cite them other than as "work in progress."

36	   This Internet-Draft will expire on April 1, 2017.

38	Copyright Notice

40	   Copyright (c) 2016 IETF Trust and the persons identified as the
41	   document authors.  All rights reserved.

43	   This document is subject to BCP 78 and the IETF Trust's Legal
44	   Provisions Relating to IETF Documents
45	   (http://trustee.ietf.org/license-info) in effect on the date of
46	   publication of this document.  Please review these documents
47	   carefully, as they describe your rights and restrictions with respect
48	   to this document.  Code Components extracted from this document must
49	   include Simplified BSD License text as described in Section 4.e of
50	   the Trust Legal Provisions and are provided without warranty as
51	   described in the Simplified BSD License.

53	Table of Contents

55	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
56	   2.  Document Conventions  . . . . . . . . . . . . . . . . . . . .   2
57	   3.  AD Type Specification . . . . . . . . . . . . . . . . . . . .   2
58	   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   3
59	   5.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   4
60	     5.1.  Normative References  . . . . . . . . . . . . . . . . . .   4
61	     5.2.  Informative References  . . . . . . . . . . . . . . . . .   4
62	   Appendix A.  ASN.1 Module . . . . . . . . . . . . . . . . . . . .   5
63	   Appendix B.  Acknowledgements . . . . . . . . . . . . . . . . . .   5
64	   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   5

66	1.  Introduction

68	   Kerberos [RFC4120] allows secure interaction among users and services
69	   over a network.  It supports a variety of authentication mechanisms
70	   using its pre-authentication framework [RFC6113].  The Kerberos
71	   authentication service has been architected to support password-based
72	   authentication as well as multi-factor authentication using one-time
73	   password devices, public-key cryptography and other pre-
74	   authentication schemes.  Implementations that offer pre-
75	   authentication mechanisms supporting significantly different
76	   strengths of client authentication may choose to keep track of the
77	   strength of the authentication that was used, for use as an input
78	   into policy decisions.

80	   This document specifies a new authorization data type to convey
81	   authentication strength information to application services.
82	   Elements of this type MUST appear within an AD-CAMMAC [RFC7751]
83	   container.  This requirement exists to provide integrity protection
84	   from man-in-the-middle attacks.

86	2.  Document Conventions

88	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
89	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
90	   document are to be interpreted as described in RFC 2119 [RFC2119].

92	3.  AD Type Specification

94	   The KDC MAY include authorization data of ad-type 97, wrapped in AD-
95	   CAMMAC, in initial credentials.  The KDC MAY copy it from a ticket-
96	   granting ticket into service tickets.

98	   The corresponding ad-data field contains the DER encoding of the
99	   following ASN.1 type:

101	   AD-AUTHENTICATION-INDICATOR ::= SEQUENCE OF UTF8String

103	   Each UTF8String value is a short string that indicates that a
104	   particular set of requirements was met during the initial
105	   authentication.  These strings are intended to be compared against
106	   known values.  They are not intended to store structured data.  Each
107	   string MUST be either:

109	   * A URI which references a Level of Assurance Profile [RFC6711]

111	   * A site-defined string, which MUST NOT contain a colon, whose
112	   meaning is determined by the realm administrator.

114	   Authorization data elements of type AD-AUTHENTICATION-INDICATOR MUST
115	   be included in an AD-CAMMAC container so that their contents can be
116	   verified as originating from the KDC.  Elements of type AD-
117	   AUTHENTICATION-INDICATOR MAY safely be ignored by applications and
118	   KDCs that do not implement this element.

120	4.  Security Considerations

122	   Elements of type AD-AUTHENTICATION-INDICATOR are wrapped in AD-CAMMAC
123	   containers.  AD-CAMMAC supersedes AD-KDC-ISSUED, and allows both
124	   application services and the KDC to verify the authenticity of the
125	   contained authorization data.

127	   KDC implementations MUST use AD-CAMMAC verifiers as described in the
128	   the security considerations of RFC 7751 [RFC7751] to ensure that AD-
129	   AUTHENTICATION-INDICATOR elements are not modified by an attacker.
130	   Application servers MUST validate the AD-CAMMAC container before
131	   making authorization decisions based on AD-AUTHENTICATION-INDICATOR
132	   elements.  Application servers MUST NOT make authorization decisions
133	   based on AD-AUTHENTICATION-INDICATOR elements which appear outside of
134	   AD-CAMMAC containers.

136	   Using multiple strings in AD-AUTHENTICATION-INDICATOR MAY lead to
137	   ambiguity when a service tries to make a decision based on the AD-
138	   AUTHENTICATION-INDICATOR values.  This ambiguity can be avoided if
139	   indicator values are always used as a positive indication of certain
140	   requirements being met during the initial authentication.

142	5.  References

144	5.1.  Normative References

146	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
147	              Requirement Levels", BCP 14, RFC 2119,
148	              DOI 10.17487/RFC2119, March 1997,
149	              <http://www.rfc-editor.org/info/rfc2119>.

151	   [RFC4120]  Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
152	              Kerberos Network Authentication Service (V5)", RFC 4120,
153	              DOI 10.17487/RFC4120, July 2005,
154	              <http://www.rfc-editor.org/info/rfc4120>.

156	   [RFC6113]  Hartman, S. and L. Zhu, "A Generalized Framework for
157	              Kerberos Pre-Authentication", RFC 6113,
158	              DOI 10.17487/RFC6113, April 2011,
159	              <http://www.rfc-editor.org/info/rfc6113>.

161	   [RFC7751]  Sorce, S. and T. Yu, "Kerberos Authorization Data
162	              Container Authenticated by Multiple Message Authentication
163	              Codes (MACs)", RFC 7751, DOI 10.17487/RFC7751, March 2016,
164	              <http://www.rfc-editor.org/info/rfc7751>.

166	5.2.  Informative References

168	   [MS-SFU]   Microsoft, "Kerberos Protocol Extensions: Service for User
169	              and Constrained Delegation Protocol", January 2013,
170	              <http://msdn.microsoft.com/en-us/library/cc246071.aspx>.

172	   [RFC6711]  Johansson, L., "An IANA Registry for Level of Assurance
173	              (LoA) Profiles", RFC 6711, DOI 10.17487/RFC6711, August
174	              2012, <http://www.rfc-editor.org/info/rfc6711>.

176	Appendix A.  ASN.1 Module

178	   KerberosV5AuthenticationIndicators {
179	           iso(1) identified-organization(3) dod(6) internet(1)
180	           security(5) kerberosV5(2) modules(4)
181	           authentication-indicators(9)
182	   } DEFINITIONS EXPLICIT TAGS ::= BEGIN

184	   AD-AUTHENTICATION-INDICATOR ::= SEQUENCE OF UTF8String

186	   END

188	Appendix B.  Acknowledgements

190	   Dmitri Pal (Red Hat)
191	   Simo Sorce (Red Hat)
192	   Greg Hudson (MIT)

194	Authors' Addresses

196	   Anupam Jain
197	   Georgia Tech
198	   225 North Ave NW
199	   Atlanta, GA  30332
200	   USA

202	   EMail: ajain323@gatech.edu

204	   Nathan Kinder
205	   Red Hat, Inc.
206	   444 Castro St.
207	   Suite 500
208	   Mountain View, CA  94041
209	   USA

211	   EMail: nkinder@redhat.com

213	   Nathaniel McCallum
214	   Red Hat, Inc.
215	   100 East Davie Street
216	   Raleigh, NC  27601
217	   USA

219	   EMail: npmccallum@redhat.com