idnits 2.17.1 draft-ietf-krb-wg-kdc-model-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 15. -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on line 481. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 492. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 499. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 505. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (February 6, 2008) is 5923 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-08) exists of draft-ietf-krb-wg-kerberos-set-passwd-07 Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 7 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 KERBEROS WORKING GROUP Johansson 3 Internet-Draft Stockholm university 4 Intended status: Standards Track February 6, 2008 5 Expires: August 9, 2008 7 An information model for Kerberos version 5 8 draft-ietf-krb-wg-kdc-model-01 10 Status of this Memo 12 By submitting this Internet-Draft, each author represents that any 13 applicable patent or other IPR claims of which he or she is aware 14 have been or will be disclosed, and any of which he or she becomes 15 aware will be disclosed, in accordance with Section 6 of BCP 79. 17 Internet-Drafts are working documents of the Internet Engineering 18 Task Force (IETF), its areas, and its working groups. Note that 19 other groups may also distribute working documents as Internet- 20 Drafts. 22 Internet-Drafts are draft documents valid for a maximum of six months 23 and may be updated, replaced, or obsoleted by other documents at any 24 time. It is inappropriate to use Internet-Drafts as reference 25 material or to cite them other than as "work in progress." 27 The list of current Internet-Drafts can be accessed at 28 http://www.ietf.org/ietf/1id-abstracts.txt. 30 The list of Internet-Draft Shadow Directories can be accessed at 31 http://www.ietf.org/shadow.html. 33 This Internet-Draft will expire on August 9, 2008. 35 Copyright Notice 37 Copyright (C) The IETF Trust (2008). 39 Abstract 41 This document describes an information model for Kerberos version 5 42 from the point of view of an administrative service. There is no 43 standard for administrating a kerberos 5 KDC. This document 44 describes the services exposed by an administrative interface to a 45 KDC. 47 Table of Contents 49 1. Requirements notation . . . . . . . . . . . . . . . . . . . . 3 50 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 51 3. How to interpret RFC2119 terms . . . . . . . . . . . . . . . . 5 52 4. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 6 53 5. Information model demarcation . . . . . . . . . . . . . . . . 7 54 6. Information model specification . . . . . . . . . . . . . . . 8 55 6.1. Principal . . . . . . . . . . . . . . . . . . . . . . . . 8 56 6.1.1. Principal: Attributes . . . . . . . . . . . . . . . . 8 57 6.1.2. Principal: Associations . . . . . . . . . . . . . . . 9 58 6.1.3. Principal: Remarks . . . . . . . . . . . . . . . . . . 9 59 6.2. KeySet . . . . . . . . . . . . . . . . . . . . . . . . . . 9 60 6.2.1. KeySet: Attributes . . . . . . . . . . . . . . . . . . 9 61 6.2.2. KeySet: Associations . . . . . . . . . . . . . . . . . 9 62 6.2.3. KeySet: Remarks . . . . . . . . . . . . . . . . . . . 10 63 6.3. Key . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 64 6.3.1. Key: Attributes . . . . . . . . . . . . . . . . . . . 10 65 6.3.2. Key: Associations . . . . . . . . . . . . . . . . . . 11 66 6.3.3. Key: Remarks . . . . . . . . . . . . . . . . . . . . . 11 67 6.4. Policy . . . . . . . . . . . . . . . . . . . . . . . . . . 11 68 6.4.1. Policy: Attributes . . . . . . . . . . . . . . . . . . 11 69 6.4.2. Mandatory-to-implement Policy . . . . . . . . . . . . 12 70 7. Implementation Scenarios . . . . . . . . . . . . . . . . . . . 13 71 7.1. LDAP backend to KDC . . . . . . . . . . . . . . . . . . . 13 72 7.2. LDAP frontend to KDC . . . . . . . . . . . . . . . . . . . 13 73 7.3. SOAP . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 74 8. Security Considerations . . . . . . . . . . . . . . . . . . . 14 75 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 76 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 16 77 10.1. Normative References . . . . . . . . . . . . . . . . . . . 16 78 10.2. Informative References . . . . . . . . . . . . . . . . . . 16 79 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 17 80 Intellectual Property and Copyright Statements . . . . . . . . . . 18 82 1. Requirements notation 84 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 85 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 86 document are to be interpreted as described in [RFC2119]. 88 2. Introduction 90 The Kerberos version 5 authentication service described in [RFC4120] 91 describes how a Key Distribution Service (KDC) provides 92 authentication to clients. The standard does not stipulate how a KDC 93 is managed and several "kadmin" servers have evolved. This document 94 describes the services required to administrate a KDC and the 95 underlying information model assumed by a kadmin-type service. 97 The information model is written in terms of "attributes" and 98 "services" or "interfaces" but the use of these particular words MUST 99 NOT be taken to imply any particular modeling paradigm so that 100 neither an object oriented model or an LDAP schema is intended. The 101 author has attempted to describe in natural language the intended 102 semantics and syntax of the components of the model. An LDAP schema 103 (for instance) based on this model will be more precise in the 104 expression of the syntax while preserving the semantics of this 105 model. 107 Implementations of this document MAY decide to change the names used 108 (eg principalName). If so an implementation MUST provide a name to 109 name mapping to this document. 111 3. How to interpret RFC2119 terms 113 This document describes an information model for kerberos 5 but does 114 not directly describe any mapping onto a particular schema- or 115 modelling language. Hence an implementation of this model consists 116 of a mapping to such a language - eg an LDAP or SQL schema. The 117 precise interpretation of terms from [RFC2119] therefore require some 118 extra explanation. The terms MUST, MUST NOT, REQUIRED, SHALL, SHALL 119 NOT mean that an implementation MUST provide a feature but does not 120 mean that this feature MUST be REQUIRED by the implementation - eg an 121 attribute is available in an LDAP schema but marked as OPTIONAL. If 122 a feature must be implemented and REQUIRED this is made explicit in 123 this model. The term MAY, OPTIONAL and RECOMMENDED means that an 124 implementation MAY need to REQUIRE the feature due to the particular 125 nature of the schema/modelling language. In some cases this is 126 expressly forbidden by this model (feature X MUST NOT be REQUIRED by 127 an implementation). 129 Note that any implementation of this model SHOULD be published as an 130 RFC. 132 4. Acknowledgments 134 Love Hoernquist-Aestrand for important contributions. 136 5. Information model demarcation 138 The information model specified in the next chapter describes 139 objects, properties of those objects and relations between those 140 objects. These elements comprise an abstract view of the data 141 represented in a KDC. It is important to understand that the 142 information model is not a schema. In particular the way objects are 143 compared for equality beyond that which is implied by the 144 specification of a syntax is not part of this specification. Nor is 145 ordering specified between elements of a particular syntax. 147 Further work on Kerberos will undoubtedly prompt updates to this 148 information model to reflect changes in the functions performed by 149 the KDC. Such extensions to the information model MUST always use a 150 normative reference to the relevant RFCs detailing the change in KDC 151 function. 153 6. Information model specification 155 6.1. Principal 157 The fundamental entity stored in a KDC is the principal. The 158 principal is associated to keys and generalizes the "user" concept. 159 The principal MUST be implemented in full and MUST NOT be optional in 160 an implementation 162 6.1.1. Principal: Attributes 164 6.1.1.1. principalName 166 The principalName MUST uniquely identify the principal within the 167 administrative context of the KDC. The type of the principalName is 168 not described in this document. It is a unique identifier and can be 169 viewed as an opaque byte string which can be compared for equality. 170 The attribute SHOULD be single valued. If an implementation supports 171 multiple values it MUST treat one of the values as special and allow 172 it to be fetched as if it was a single value. 174 6.1.1.2. principalNotUsedBefore 176 The principal may not be used before this date. The syntax of the 177 attribute MUST be semantically equivalent with the standard ISO date 178 format. The attribute MUST be single valued. 180 6.1.1.3. principalNotUsedAfter 182 The principal may not be used after this date. The syntax of the 183 attribute MUST be semantically equivalent with the standard ISO date 184 format. The attribute MUST be single valued. 186 6.1.1.4. principalIsDisabled 188 A boolean attribute used to (temporarily) disable a principal. The 189 attribute MUST default to false. 191 6.1.1.5. principalAliases 193 This multivalued attribute contains an unordered set of aliases for 194 the principal. Each alias SHOULD be unique within the administrative 195 domain represented by the KDC. The syntax of an alias is an opaque 196 identifier which can be compared for equality. 198 6.1.2. Principal: Associations 200 Each principal MAY be associated with 1 or more KeySet and MAY be 201 associated with 1 or more Policies. The KeySet is represented as an 202 object in this model since it has attributes associated with it (the 203 key version number). In typical situations the principal is 204 associated with exactly 1 KeySet but implementations MUST NOT assume 205 this case, i.e an implemenation of this standard (e.g an LDAP schema) 206 MUST be able to handle the general case of multiple KeySet associated 207 with each principal. 209 6.1.3. Principal: Remarks 211 Traditionally a principal consists of a local-part and a realm 212 denoted in string form by local-part@REALM. The realm concept is 213 used to provide administrative boundaries and together with cross- 214 realm authentication provides scalability to Kerberos 5. However the 215 realm is not central to an administrative information model. For 216 instance the initialization or creation of a realm is equivalent to 217 creating a specific set of principals (krbtgt@REALM, etc) which is 218 covered by the model and services described in this document. A 219 realm is typically associated with policy covering (for instance) 220 keying and password management. The management of such policy and 221 their association to realms is beyond the scope of this document. 223 6.2. KeySet 225 A KeySet is a set of keys associated with exactly one principal. 226 This object and its associations MUST NOT be REQUIRED by an 227 implementation. It is expected that most implementations of this 228 standard will use the set/change password protocol for all aspects of 229 key management [I-D.ietf-krb-wg-kerberos-set-passwd]. This 230 information model only includes these objects for the sake of 231 completenes. 233 6.2.1. KeySet: Attributes 235 6.2.1.1. keySetVersionNumber 237 This is traditionally called the key version number (kvno). This is 238 a single valued attribute containing a positive integer. 240 6.2.2. KeySet: Associations 242 To each KeySet MUST be associated a set of 1 or more Keys. 244 6.2.3. KeySet: Remarks 246 The reason for separating the KeySet from the Principal is security. 247 The security of Kerberos 5 depends absolutely on the security of the 248 keys stored in the KDC. The KeySet type is provided to make this 249 clear and to make separation of keys from other parts of the model 250 clear. 252 Implementations of this standard (eg an LDAP schema) MUST make a 253 clear separation between the representation of KeySet from other 254 information objects. 256 6.3. Key 258 Implementations of this model MUST NOT REQUIRE keys to be 259 represented. 261 6.3.1. Key: Attributes 263 6.3.1.1. keyEncryptionType 265 The enctype SHOULD be represented as an enumeration of the enctypes 266 supported by the KDC. 268 6.3.1.2. keyValue 270 The binary representation of the key data. This MUST be a single 271 valued octet string. 273 6.3.1.3. keySaltValue 275 The binary representation of the key salt. This MUST be a single 276 valued octet string. 278 6.3.1.4. keyStringToKeyParameter 280 This MUST be a single valued octet string representing an opaque 281 parameter associated with the enctype. 283 6.3.1.5. keyNotUsedAfter 285 This key MUST NOT be used after this date. The syntax of the 286 attribute MUST be semantically equivalent with the standard ISO date 287 format. This MUST be a single-valued attribute. 289 6.3.1.6. keyNotUsedBefore 291 This key MUST NOT be used before this date. The syntax of the 292 attribute MUST be semantically equivalent with the standard ISO date 293 format. This MUST be a single-valued attribute. 295 6.3.1.7. keyIsDisabled 297 This is a boolean attribute which must be set to false by default. 298 If this attribute is true the key MUST NOT be used. This is used to 299 temporarily disable a key. 301 6.3.2. Key: Associations 303 None 305 6.3.3. Key: Remarks 307 The security of the keys is an absolute requirement for the operation 308 of Kerberos 5. If keys are implemented adequate protection from 309 unauthorized modification and disclosure MUST be available and 310 REQUIRED by the implementation. 312 6.4. Policy 314 Implementations SHOULD implement policy but MAY allow them to be 315 OPTIONAL. The Policy should be thought of as a 'typed hole'. i.e an 316 opaque binary value paired with an identifier of type of data 317 contained in the binary value. Both attributes (type and value) must 318 be present. 320 6.4.1. Policy: Attributes 322 6.4.1.1. policyIdentifier 324 The policyIdentifier MUST be unique within the local administrative 325 context and MUST be globally unique. Possible types of identifiers 326 include: 328 An Object Identifier (OID) 330 A URN 332 A UUID 334 The use of OIDs is recommended for this purpose. 336 6.4.1.2. policyIsCritical 338 This boolean attribute indicates that the KDC MUST be able to 339 correctly interpret and apply this policy for the key to be used. 341 6.4.1.3. policyContent 343 This is an optional single opaque binary value used to store a 344 representation of the policy. In general a policy cannot be fully 345 expressed using attribute-value pairs. The policyContent is OPTIONAL 346 in the sense that an implementation MAY use it to store an opaque 347 value for those policy-types which are not directly representable in 348 that implementation. 350 6.4.2. Mandatory-to-implement Policy 352 All implementations MUST be able to represent the policies listed in 353 this section. Implementations are not required to use the same 354 underlying data-representation for the policyContent binary value but 355 SHOULD use the same OIDs as the policyIdentifier. 357 6.4.2.1. Password Quality Policy 359 Password quality policy controls the requirements placed by the KDC 360 on new passwords. This policy SHOULD be identified by the OID . 362 6.4.2.2. Password Management Policy 364 Password management policy controls how passwords are changed. This 365 policy SHOULD be identified by the OID . 367 6.4.2.3. Keying Policy 369 A keying policy specifies the association of enctypes with new 370 principals, i.e when a principal is created one of the possibly many 371 applicable keying policies determine the set of keys to associate 372 with the principal. In general the expression of a keying policy may 373 require a Turing-complete language. This policy SHOULD be identified 374 by the OID . 376 7. Implementation Scenarios 378 There are several ways to implement an administrative service for 379 Kerberos 5 based on this information model. In this section we list 380 a few of them. 382 7.1. LDAP backend to KDC 384 Given an LDAP schema implementation of this information model it 385 would be possible to build an administrative service by backending 386 the KDC to a directory server where principals and keys are stored. 387 Using the security mechanisms available on the directory server keys 388 are protected from access by anyone apart from the KDC. 389 Administration of the principals, policy and other non-key data is 390 done through the directory server while the keys are modified using 391 the set/change password protocol 392 [I-D.ietf-krb-wg-kerberos-set-passwd]. 394 7.2. LDAP frontend to KDC 396 An alternative way to provide a directory interface to the KDC is to 397 implement an LDAP-frontend to the KDC which exposes all non-key 398 objects as entries and attributes. As in the example above all keys 399 are modified using the set/change password protocol 400 [I-D.ietf-krb-wg-kerberos-set-passwd]. In this scenario the 401 implementation would typically not use a traditional LDAP 402 implementation but treat LDAP as an access-protocol to data in the 403 native KDC database. 405 7.3. SOAP 407 Given an XML schema implementation of this information model it would 408 be possible to build a SOAP-interface to the KDC. This demonstrates 409 the value of creating an abstract information model which is mappable 410 to multiple schema representations. 412 8. Security Considerations 414 This document describes an abstract information model for Kerberos 5. 415 The Kerberos 5 protocol depends on the security of the keys stored in 416 the KDC. The model described here assumes that keys MUST NOT be 417 transported in the clear over the network and furthermore that keys 418 are treated as write-only attributes that SHALL only be modified 419 (using the administrative interface) by the change-password protocol 420 [I-D.ietf-krb-wg-kerberos-set-passwd]. 422 Exposing the object model of a KDC typically implies that objects can 423 be modified and/or deleted. In a KDC not all principals are created 424 equal, so that for instance deleting krbtgt/EXAMPLE.COM@EXAMPLE.COM 425 effectively disables the EXAMPLE.COM realm. Hence access control is 426 paramount to the security of any implementation. This document does 427 not (at the time of writing - leifj) mandate access control. This 428 only implies that access control is beyond the scope of the standard 429 information model, i.e that access control may not be accessible via 430 any protocol based on this model. If access control objects is 431 exposed via an extension to this model the presence of access control 432 may in itself provide points of attack by giving away information 433 about principals with elevated rights etc. etc. 435 9. IANA Considerations 437 None 439 10. References 441 10.1. Normative References 443 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 444 Requirement Levels", BCP 14, RFC 2119, March 1997. 446 [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The 447 Kerberos Network Authentication Service (V5)", RFC 4120, 448 July 2005. 450 10.2. Informative References 452 [I-D.ietf-krb-wg-kerberos-set-passwd] 453 Williams, N., "Kerberos Set/Change Key/Password Protocol 454 Version 2", draft-ietf-krb-wg-kerberos-set-passwd-07 (work 455 in progress), September 2007. 457 Author's Address 459 Leif Johansson 460 Stockholm university 461 Sektionen foer IT och Media 462 Stockholm SE-106 91 464 Email: leifj@it.su.se 465 URI: http://people.su.se/~leifj/ 467 Full Copyright Statement 469 Copyright (C) The IETF Trust (2008). 471 This document is subject to the rights, licenses and restrictions 472 contained in BCP 78, and except as set forth therein, the authors 473 retain all their rights. 475 This document and the information contained herein are provided on an 476 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 477 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND 478 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS 479 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF 480 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 481 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 483 Intellectual Property 485 The IETF takes no position regarding the validity or scope of any 486 Intellectual Property Rights or other rights that might be claimed to 487 pertain to the implementation or use of the technology described in 488 this document or the extent to which any license under such rights 489 might or might not be available; nor does it represent that it has 490 made any independent effort to identify any such rights. Information 491 on the procedures with respect to rights in RFC documents can be 492 found in BCP 78 and BCP 79. 494 Copies of IPR disclosures made to the IETF Secretariat and any 495 assurances of licenses to be made available, or the result of an 496 attempt made to obtain a general license or permission for the use of 497 such proprietary rights by implementers or users of this 498 specification can be obtained from the IETF on-line IPR repository at 499 http://www.ietf.org/ipr. 501 The IETF invites any interested party to bring to its attention any 502 copyrights, patents or patent applications, or other proprietary 503 rights that may cover technology that may be required to implement 504 this standard. Please address the information to the IETF at 505 ietf-ipr@ietf.org. 507 Acknowledgment 509 Funding for the RFC Editor function is provided by the IETF 510 Administrative Support Activity (IASA).