idnits 2.17.1 draft-ietf-krb-wg-kdc-model-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 15. -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on line 484. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 495. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 502. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 508. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (July 10, 2008) is 5768 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-08) exists of draft-ietf-krb-wg-kerberos-set-passwd-07 Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 7 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 KERBEROS WORKING GROUP Johansson 3 Internet-Draft Stockholm university 4 Intended status: Standards Track July 10, 2008 5 Expires: January 11, 2009 7 An information model for Kerberos version 5 8 draft-ietf-krb-wg-kdc-model-02 10 Status of this Memo 12 By submitting this Internet-Draft, each author represents that any 13 applicable patent or other IPR claims of which he or she is aware 14 have been or will be disclosed, and any of which he or she becomes 15 aware will be disclosed, in accordance with Section 6 of BCP 79. 17 Internet-Drafts are working documents of the Internet Engineering 18 Task Force (IETF), its areas, and its working groups. Note that 19 other groups may also distribute working documents as Internet- 20 Drafts. 22 Internet-Drafts are draft documents valid for a maximum of six months 23 and may be updated, replaced, or obsoleted by other documents at any 24 time. It is inappropriate to use Internet-Drafts as reference 25 material or to cite them other than as "work in progress." 27 The list of current Internet-Drafts can be accessed at 28 http://www.ietf.org/ietf/1id-abstracts.txt. 30 The list of Internet-Draft Shadow Directories can be accessed at 31 http://www.ietf.org/shadow.html. 33 This Internet-Draft will expire on January 11, 2009. 35 Abstract 37 This document describes an information model for Kerberos version 5 38 from the point of view of an administrative service. There is no 39 standard for administrating a kerberos 5 KDC. This document 40 describes the services exposed by an administrative interface to a 41 KDC. 43 Table of Contents 45 1. Requirements notation . . . . . . . . . . . . . . . . . . . . 3 46 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 47 3. How to interpret RFC2119 terms . . . . . . . . . . . . . . . . 5 48 4. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 6 49 5. Information model demarcation . . . . . . . . . . . . . . . . 7 50 6. Information model specification . . . . . . . . . . . . . . . 8 51 6.1. Principal . . . . . . . . . . . . . . . . . . . . . . . . 8 52 6.1.1. Principal: Attributes . . . . . . . . . . . . . . . . 8 53 6.1.2. Principal: Associations . . . . . . . . . . . . . . . 9 54 6.1.3. Principal: Remarks . . . . . . . . . . . . . . . . . . 9 55 6.2. KeySet . . . . . . . . . . . . . . . . . . . . . . . . . . 9 56 6.2.1. KeySet: Attributes . . . . . . . . . . . . . . . . . . 9 57 6.2.2. KeySet: Associations . . . . . . . . . . . . . . . . . 9 58 6.2.3. KeySet: Remarks . . . . . . . . . . . . . . . . . . . 10 59 6.3. Key . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 60 6.3.1. Key: Attributes . . . . . . . . . . . . . . . . . . . 10 61 6.3.2. Key: Associations . . . . . . . . . . . . . . . . . . 11 62 6.3.3. Key: Remarks . . . . . . . . . . . . . . . . . . . . . 11 63 6.4. Policy . . . . . . . . . . . . . . . . . . . . . . . . . . 11 64 6.4.1. Policy: Attributes . . . . . . . . . . . . . . . . . . 11 65 6.4.2. Mandatory-to-implement Policy . . . . . . . . . . . . 12 66 7. Implementation Scenarios . . . . . . . . . . . . . . . . . . . 13 67 7.1. LDAP backend to KDC . . . . . . . . . . . . . . . . . . . 13 68 7.2. LDAP frontend to KDC . . . . . . . . . . . . . . . . . . . 13 69 7.3. SOAP . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 70 8. Security Considerations . . . . . . . . . . . . . . . . . . . 14 71 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 72 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 16 73 10.1. Normative References . . . . . . . . . . . . . . . . . . . 16 74 10.2. Informative References . . . . . . . . . . . . . . . . . . 16 75 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 17 76 Intellectual Property and Copyright Statements . . . . . . . . . . 18 78 1. Requirements notation 80 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 81 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 82 document are to be interpreted as described in [RFC2119]. 84 2. Introduction 86 The Kerberos version 5 authentication service described in [RFC4120] 87 describes how a Key Distribution Service (KDC) provides 88 authentication to clients. The standard does not stipulate how a KDC 89 is managed and several "kadmin" servers have evolved. This document 90 describes the services required to administrate a KDC and the 91 underlying information model assumed by a kadmin-type service. 93 The information model is written in terms of "attributes" and 94 "services" or "interfaces" but the use of these particular words MUST 95 NOT be taken to imply any particular modeling paradigm so that 96 neither an object oriented model or an LDAP schema is intended. The 97 author has attempted to describe in natural language the intended 98 semantics and syntax of the components of the model. An LDAP schema 99 (for instance) based on this model will be more precise in the 100 expression of the syntax while preserving the semantics of this 101 model. 103 Implementations of this document MAY decide to change the names used 104 (eg principalName). If so an implementation MUST provide a name to 105 name mapping to this document. 107 3. How to interpret RFC2119 terms 109 This document describes an information model for kerberos 5 but does 110 not directly describe any mapping onto a particular schema- or 111 modelling language. Hence an implementation of this model consists 112 of a mapping to such a language - eg an LDAP or SQL schema. The 113 precise interpretation of terms from [RFC2119] therefore require some 114 extra explanation. The terms MUST, MUST NOT, REQUIRED, SHALL, SHALL 115 NOT mean that an implementation MUST provide a feature but does not 116 mean that this feature MUST be REQUIRED by the implementation - eg an 117 attribute is available in an LDAP schema but marked as OPTIONAL. If 118 a feature must be implemented and REQUIRED this is made explicit in 119 this model. The term MAY, OPTIONAL and RECOMMENDED means that an 120 implementation MAY need to REQUIRE the feature due to the particular 121 nature of the schema/modelling language. In some cases this is 122 expressly forbidden by this model (feature X MUST NOT be REQUIRED by 123 an implementation). 125 Note that any implementation of this model SHOULD be published as an 126 RFC. 128 4. Acknowledgments 130 Love Hoernquist-Aestrand for important contributions. 132 5. Information model demarcation 134 The information model specified in the next chapter describes 135 objects, properties of those objects and relations between those 136 objects. These elements comprise an abstract view of the data 137 represented in a KDC. It is important to understand that the 138 information model is not a schema. In particular the way objects are 139 compared for equality beyond that which is implied by the 140 specification of a syntax is not part of this specification. Nor is 141 ordering specified between elements of a particular syntax. 143 Further work on Kerberos will undoubtedly prompt updates to this 144 information model to reflect changes in the functions performed by 145 the KDC. Such extensions to the information model MUST always use a 146 normative reference to the relevant RFCs detailing the change in KDC 147 function. 149 6. Information model specification 151 6.1. Principal 153 The fundamental entity stored in a KDC is the principal. The 154 principal is associated to keys and generalizes the "user" concept. 155 The principal MUST be implemented in full and MUST NOT be optional in 156 an implementation 158 6.1.1. Principal: Attributes 160 6.1.1.1. principalName 162 The principalName MUST uniquely identify the principal within the 163 administrative context of the KDC. The type of the principalName is 164 not described in this document. It is a unique identifier and can be 165 viewed as an opaque byte string which can be compared for equality. 166 The attribute SHOULD be single valued. If an implementation supports 167 multiple values it MUST treat one of the values as special and allow 168 it to be fetched as if it was a single value. 170 6.1.1.2. principalNotUsedBefore 172 The principal may not be used before this date. The syntax of the 173 attribute MUST be semantically equivalent with the standard ISO date 174 format. The attribute MUST be single valued. 176 6.1.1.3. principalNotUsedAfter 178 The principal may not be used after this date. The syntax of the 179 attribute MUST be semantically equivalent with the standard ISO date 180 format. The attribute MUST be single valued. 182 6.1.1.4. principalIsDisabled 184 A boolean attribute used to (temporarily) disable a principal. The 185 attribute MUST default to false. 187 6.1.1.5. principalAliases 189 This multivalued attribute contains an unordered set of aliases for 190 the principal. Each alias SHOULD be unique within the administrative 191 domain represented by the KDC. The syntax of an alias is an opaque 192 identifier which can be compared for equality. 194 6.1.2. Principal: Associations 196 Each principal MAY be associated with 1 or more KeySet and MAY be 197 associated with 1 or more Policies. The KeySet is represented as an 198 object in this model since it has attributes associated with it (the 199 key version number). In typical situations the principal is 200 associated with exactly 1 KeySet but implementations MUST NOT assume 201 this case, i.e an implemenation of this standard (e.g an LDAP schema) 202 MUST be able to handle the general case of multiple KeySet associated 203 with each principal. 205 6.1.3. Principal: Remarks 207 Traditionally a principal consists of a local-part and a realm 208 denoted in string form by local-part@REALM. The realm concept is 209 used to provide administrative boundaries and together with cross- 210 realm authentication provides scalability to Kerberos 5. However the 211 realm is not central to an administrative information model. For 212 instance the initialization or creation of a realm is equivalent to 213 creating a specific set of principals (krbtgt@REALM, etc) which is 214 covered by the model and services described in this document. A 215 realm is typically associated with policy covering (for instance) 216 keying and password management. The management of such policy and 217 their association to realms is beyond the scope of this document. 219 6.2. KeySet 221 A KeySet is a set of keys associated with exactly one principal. 222 This object and its associations MUST NOT be REQUIRED by an 223 implementation. It is expected that most implementations of this 224 standard will use the set/change password protocol for all aspects of 225 key management [I-D.ietf-krb-wg-kerberos-set-passwd]. This 226 information model only includes these objects for the sake of 227 completenes. 229 6.2.1. KeySet: Attributes 231 6.2.1.1. keySetVersionNumber 233 This is traditionally called the key version number (kvno). This is 234 a single valued attribute containing a positive integer. 236 6.2.2. KeySet: Associations 238 To each KeySet MUST be associated a set of 1 or more Keys. 240 6.2.3. KeySet: Remarks 242 The reason for separating the KeySet from the Principal is security. 243 The security of Kerberos 5 depends absolutely on the security of the 244 keys stored in the KDC. The KeySet type is provided to make this 245 clear and to make separation of keys from other parts of the model 246 clear. 248 Implementations of this standard (eg an LDAP schema) MUST make a 249 clear separation between the representation of KeySet from other 250 information objects. 252 6.3. Key 254 Implementations of this model MUST NOT REQUIRE keys to be 255 represented. 257 6.3.1. Key: Attributes 259 6.3.1.1. keyEncryptionType 261 The enctype SHOULD be represented as an enumeration of the enctypes 262 supported by the KDC. 264 6.3.1.2. keyValue 266 The binary representation of the key data. This MUST be a single 267 valued octet string. 269 6.3.1.3. keySaltValue 271 The binary representation of the key salt. This MUST be a single 272 valued octet string. 274 6.3.1.4. keyStringToKeyParameter 276 This MUST be a single valued octet string representing an opaque 277 parameter associated with the enctype. 279 6.3.1.5. keyNotUsedAfter 281 This key MUST NOT be used after this date. The syntax of the 282 attribute MUST be semantically equivalent with the standard ISO date 283 format. This MUST be a single-valued attribute. 285 6.3.1.6. keyNotUsedBefore 287 This key MUST NOT be used before this date. The syntax of the 288 attribute MUST be semantically equivalent with the standard ISO date 289 format. This MUST be a single-valued attribute. 291 6.3.1.7. keyIsDisabled 293 This is a boolean attribute which must be set to false by default. 294 If this attribute is true the key MUST NOT be used. This is used to 295 temporarily disable a key. 297 6.3.2. Key: Associations 299 None 301 6.3.3. Key: Remarks 303 The security of the keys is an absolute requirement for the operation 304 of Kerberos 5. If keys are implemented adequate protection from 305 unauthorized modification and disclosure MUST be available and 306 REQUIRED by the implementation. 308 6.4. Policy 310 Implementations SHOULD implement policy but MAY allow them to be 311 OPTIONAL. The Policy should be thought of as a 'typed hole'. i.e an 312 opaque binary value paired with an identifier of type of data 313 contained in the binary value. Both attributes (type and value) must 314 be present. 316 6.4.1. Policy: Attributes 318 6.4.1.1. policyIdentifier 320 The policyIdentifier MUST be unique within the local administrative 321 context and MUST be globally unique. Possible types of identifiers 322 include: 324 An Object Identifier (OID) 326 A URN 328 A UUID 330 The use of OIDs is recommended for this purpose. 332 6.4.1.2. policyIsCritical 334 This boolean attribute indicates that the KDC MUST be able to 335 correctly interpret and apply this policy for the key to be used. 337 6.4.1.3. policyContent 339 This is an optional single opaque binary value used to store a 340 representation of the policy. In general a policy cannot be fully 341 expressed using attribute-value pairs. The policyContent is OPTIONAL 342 in the sense that an implementation MAY use it to store an opaque 343 value for those policy-types which are not directly representable in 344 that implementation. 346 6.4.1.4. policyUse 348 This is an optional single enumerated string value used to describe 349 the applicability of the policy. Implementations SHOULD provide this 350 attribute and MUST (if the attribute is implemented) describe the 351 enumerated set of possible values. 353 6.4.2. Mandatory-to-implement Policy 355 All implementations MUST be able to represent the policies listed in 356 this section. Implementations are not required to use the same 357 underlying data-representation for the policyContent binary value but 358 SHOULD use the same OIDs as the policyIdentifier. 360 6.4.2.1. Password Quality Policy 362 Password quality policy controls the requirements placed by the KDC 363 on new passwords. This policy SHOULD be identified by the OID . 365 6.4.2.2. Password Management Policy 367 Password management policy controls how passwords are changed. This 368 policy SHOULD be identified by the OID . 370 6.4.2.3. Keying Policy 372 A keying policy specifies the association of enctypes with new 373 principals, i.e when a principal is created one of the possibly many 374 applicable keying policies determine the set of keys to associate 375 with the principal. In general the expression of a keying policy may 376 require a Turing-complete language. This policy SHOULD be identified 377 by the OID . 379 7. Implementation Scenarios 381 There are several ways to implement an administrative service for 382 Kerberos 5 based on this information model. In this section we list 383 a few of them. 385 7.1. LDAP backend to KDC 387 Given an LDAP schema implementation of this information model it 388 would be possible to build an administrative service by backending 389 the KDC to a directory server where principals and keys are stored. 390 Using the security mechanisms available on the directory server keys 391 are protected from access by anyone apart from the KDC. 392 Administration of the principals, policy and other non-key data is 393 done through the directory server while the keys are modified using 394 the set/change password protocol 395 [I-D.ietf-krb-wg-kerberos-set-passwd]. 397 7.2. LDAP frontend to KDC 399 An alternative way to provide a directory interface to the KDC is to 400 implement an LDAP-frontend to the KDC which exposes all non-key 401 objects as entries and attributes. As in the example above all keys 402 are modified using the set/change password protocol 403 [I-D.ietf-krb-wg-kerberos-set-passwd]. In this scenario the 404 implementation would typically not use a traditional LDAP 405 implementation but treat LDAP as an access-protocol to data in the 406 native KDC database. 408 7.3. SOAP 410 Given an XML schema implementation of this information model it would 411 be possible to build a SOAP-interface to the KDC. This demonstrates 412 the value of creating an abstract information model which is mappable 413 to multiple schema representations. 415 8. Security Considerations 417 This document describes an abstract information model for Kerberos 5. 418 The Kerberos 5 protocol depends on the security of the keys stored in 419 the KDC. The model described here assumes that keys MUST NOT be 420 transported in the clear over the network and furthermore that keys 421 are treated as write-only attributes that SHALL only be modified 422 (using the administrative interface) by the change-password protocol 423 [I-D.ietf-krb-wg-kerberos-set-passwd]. 425 Exposing the object model of a KDC typically implies that objects can 426 be modified and/or deleted. In a KDC not all principals are created 427 equal, so that for instance deleting krbtgt/EXAMPLE.COM@EXAMPLE.COM 428 effectively disables the EXAMPLE.COM realm. Hence access control is 429 paramount to the security of any implementation. This document does 430 not (at the time of writing - leifj) mandate access control. This 431 only implies that access control is beyond the scope of the standard 432 information model, i.e that access control may not be accessible via 433 any protocol based on this model. If access control objects is 434 exposed via an extension to this model the presence of access control 435 may in itself provide points of attack by giving away information 436 about principals with elevated rights etc. etc. 438 9. IANA Considerations 440 None 442 10. References 444 10.1. Normative References 446 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 447 Requirement Levels", BCP 14, RFC 2119, March 1997. 449 [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The 450 Kerberos Network Authentication Service (V5)", RFC 4120, 451 July 2005. 453 10.2. Informative References 455 [I-D.ietf-krb-wg-kerberos-set-passwd] 456 Williams, N., "Kerberos Set/Change Key/Password Protocol 457 Version 2", draft-ietf-krb-wg-kerberos-set-passwd-07 (work 458 in progress), September 2007. 460 Author's Address 462 Leif Johansson 463 Stockholm university 464 Sektionen foer IT och Media 465 Stockholm SE-106 91 467 Email: leifj@it.su.se 468 URI: http://people.su.se/~leifj/ 470 Full Copyright Statement 472 Copyright (C) The IETF Trust (2008). 474 This document is subject to the rights, licenses and restrictions 475 contained in BCP 78, and except as set forth therein, the authors 476 retain all their rights. 478 This document and the information contained herein are provided on an 479 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 480 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND 481 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS 482 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF 483 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 484 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 486 Intellectual Property 488 The IETF takes no position regarding the validity or scope of any 489 Intellectual Property Rights or other rights that might be claimed to 490 pertain to the implementation or use of the technology described in 491 this document or the extent to which any license under such rights 492 might or might not be available; nor does it represent that it has 493 made any independent effort to identify any such rights. Information 494 on the procedures with respect to rights in RFC documents can be 495 found in BCP 78 and BCP 79. 497 Copies of IPR disclosures made to the IETF Secretariat and any 498 assurances of licenses to be made available, or the result of an 499 attempt made to obtain a general license or permission for the use of 500 such proprietary rights by implementers or users of this 501 specification can be obtained from the IETF on-line IPR repository at 502 http://www.ietf.org/ipr. 504 The IETF invites any interested party to bring to its attention any 505 copyrights, patents or patent applications, or other proprietary 506 rights that may cover technology that may be required to implement 507 this standard. Please address the information to the IETF at 508 ietf-ipr@ietf.org.