idnits 2.17.1 draft-ietf-kitten-krb-auth-indicator-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document updates RFC7751, but the abstract doesn't seem to directly say this. It does mention RFC7751 though, so this could be OK. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (January 3, 2017) is 2670 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) No issues found here. Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Engineering Task Force A. Jain 3 Internet-Draft Georgia Tech 4 Updates: 7751 (if approved) N. Kinder 5 Intended status: Standards Track N. McCallum 6 Expires: July 7, 2017 Red Hat, Inc. 7 January 3, 2017 9 Authentication Indicator in Kerberos Tickets 10 draft-ietf-kitten-krb-auth-indicator-05 12 Abstract 14 This document updates section "6. Assigned Numbers" of RFC 7751 in 15 order to specify an extension in the Kerberos protocol. It defines a 16 new authorization data type AD-AUTHENTICATION-INDICATOR. The purpose 17 of introducing this data type is to include an indicator of the 18 strength of a client's authentication in service tickets so that 19 application services can use it as an input into policy decisions. 21 Status of This Memo 23 This Internet-Draft is submitted in full conformance with the 24 provisions of BCP 78 and BCP 79. 26 Internet-Drafts are working documents of the Internet Engineering 27 Task Force (IETF). Note that other groups may also distribute 28 working documents as Internet-Drafts. The list of current Internet- 29 Drafts is at http://datatracker.ietf.org/drafts/current/. 31 Internet-Drafts are draft documents valid for a maximum of six months 32 and may be updated, replaced, or obsoleted by other documents at any 33 time. It is inappropriate to use Internet-Drafts as reference 34 material or to cite them other than as "work in progress." 36 This Internet-Draft will expire on July 7, 2017. 38 Copyright Notice 40 Copyright (c) 2017 IETF Trust and the persons identified as the 41 document authors. All rights reserved. 43 This document is subject to BCP 78 and the IETF Trust's Legal 44 Provisions Relating to IETF Documents 45 (http://trustee.ietf.org/license-info) in effect on the date of 46 publication of this document. Please review these documents 47 carefully, as they describe your rights and restrictions with respect 48 to this document. Code Components extracted from this document must 49 include Simplified BSD License text as described in Section 4.e of 50 the Trust Legal Provisions and are provided without warranty as 51 described in the Simplified BSD License. 53 Table of Contents 55 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 56 2. Document Conventions . . . . . . . . . . . . . . . . . . . . 2 57 3. AD Type Specification . . . . . . . . . . . . . . . . . . . . 2 58 4. Security Considerations . . . . . . . . . . . . . . . . . . . 3 59 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 60 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 4 61 6.1. Normative References . . . . . . . . . . . . . . . . . . 4 62 6.2. Informative References . . . . . . . . . . . . . . . . . 4 63 Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 5 64 Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 5 65 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 5 67 1. Introduction 69 Kerberos [RFC4120] allows secure interaction among users and services 70 over a network. It supports a variety of authentication mechanisms 71 using its pre-authentication framework [RFC6113]. The Kerberos 72 authentication service has been architected to support password-based 73 authentication as well as multi-factor authentication using one-time 74 password devices, public-key cryptography and other pre- 75 authentication schemes. Implementations that offer pre- 76 authentication mechanisms supporting significantly different 77 strengths of client authentication may choose to keep track of the 78 strength of the authentication that was used, for use as an input 79 into policy decisions. 81 This document specifies a new authorization data type to convey 82 authentication strength information to application services. 83 Elements of this type appear within an AD-CAMMAC [RFC7751] container. 85 2. Document Conventions 87 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 88 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 89 document are to be interpreted as described in RFC 2119 [RFC2119]. 91 3. AD Type Specification 93 The KDC MAY include authorization data of ad-type 97, wrapped in AD- 94 CAMMAC, in initial credentials. The KDC MAY copy it from a ticket- 95 granting ticket into service tickets. 97 The corresponding ad-data field contains the DER encoding of the 98 following ASN.1 type: 100 AD-AUTHENTICATION-INDICATOR ::= SEQUENCE OF UTF8String 102 Each UTF8String value is a short string that indicates that a 103 particular set of requirements was met during the initial 104 authentication. These strings are intended to be compared against 105 known values. They are not intended to store structured data. Each 106 string MUST be either: 108 * A URI which references a Level of Assurance Profile [RFC6711] 110 * A site-defined string, which MUST NOT contain a colon, whose 111 meaning is determined by the realm administrator. 113 Authorization data elements of type AD-AUTHENTICATION-INDICATOR MUST 114 be included in an AD-CAMMAC container so that their contents can be 115 verified as originating from the KDC. Elements of type AD- 116 AUTHENTICATION-INDICATOR MAY safely be ignored by applications and 117 KDCs that do not implement this element. 119 4. Security Considerations 121 Elements of type AD-AUTHENTICATION-INDICATOR are wrapped in AD-CAMMAC 122 containers. AD-CAMMAC supersedes AD-KDC-ISSUED, and allows both 123 application services and the KDC to verify the authenticity of the 124 contained authorization data. 126 KDC implementations MUST use AD-CAMMAC verifiers as described in the 127 the security considerations of RFC 7751 [RFC7751] to ensure that AD- 128 AUTHENTICATION-INDICATOR elements are not modified by an attacker. 129 Application servers MUST validate the AD-CAMMAC container before 130 making authorization decisions based on AD-AUTHENTICATION-INDICATOR 131 elements. Application servers MUST NOT make authorization decisions 132 based on AD-AUTHENTICATION-INDICATOR elements which appear outside of 133 AD-CAMMAC containers. 135 Using multiple strings in AD-AUTHENTICATION-INDICATOR may lead to 136 ambiguity when a service tries to make a decision based on the AD- 137 AUTHENTICATION-INDICATOR values. This ambiguity can be avoided if 138 indicator values are always used as a positive indication of certain 139 requirements being met during the initial authentication. For 140 example, if a "without-password" indicator is inserted whenever 141 authentication occurs without a password, a service might assume this 142 is an indication that a higher-strength client authentication 143 occurred. However, this indicator might also be inserted when no 144 authentication occurred at all (such as anonymous PKINIT). 146 Service evaluation of site-defined indicators MUST consider the realm 147 of original authentication in order to avoid cross-realm indicator 148 collision. Failure to enforce this property can result in invalid 149 authorization. 151 5. IANA Considerations 153 This document has no actions for IANA. 155 6. References 157 6.1. Normative References 159 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 160 Requirement Levels", BCP 14, RFC 2119, 161 DOI 10.17487/RFC2119, March 1997, 162 . 164 [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The 165 Kerberos Network Authentication Service (V5)", RFC 4120, 166 DOI 10.17487/RFC4120, July 2005, 167 . 169 [RFC6113] Hartman, S. and L. Zhu, "A Generalized Framework for 170 Kerberos Pre-Authentication", RFC 6113, 171 DOI 10.17487/RFC6113, April 2011, 172 . 174 [RFC7751] Sorce, S. and T. Yu, "Kerberos Authorization Data 175 Container Authenticated by Multiple Message Authentication 176 Codes (MACs)", RFC 7751, DOI 10.17487/RFC7751, March 2016, 177 . 179 6.2. Informative References 181 [RFC6711] Johansson, L., "An IANA Registry for Level of Assurance 182 (LoA) Profiles", RFC 6711, DOI 10.17487/RFC6711, August 183 2012, . 185 Appendix A. ASN.1 Module 187 KerberosV5AuthenticationIndicators { 188 iso(1) identified-organization(3) dod(6) internet(1) 189 security(5) kerberosV5(2) modules(4) 190 authentication-indicators(9) 191 } DEFINITIONS EXPLICIT TAGS ::= BEGIN 193 AD-AUTHENTICATION-INDICATOR ::= SEQUENCE OF UTF8String 195 END 197 Appendix B. Acknowledgements 199 Dmitri Pal (Red Hat) 200 Simo Sorce (Red Hat) 201 Greg Hudson (MIT) 203 Authors' Addresses 205 Anupam Jain 206 Georgia Tech 207 225 North Ave NW 208 Atlanta, GA 30332 209 USA 211 EMail: ajain323@gatech.edu 213 Nathan Kinder 214 Red Hat, Inc. 215 444 Castro St. 216 Suite 500 217 Mountain View, CA 94041 218 USA 220 EMail: nkinder@redhat.com 222 Nathaniel McCallum 223 Red Hat, Inc. 224 100 East Davie Street 225 Raleigh, NC 27601 226 USA 228 EMail: npmccallum@redhat.com