idnits 2.17.1 

draft-ietf-krb-wg-ocsp-for-pkinit-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1.a on line 18.

  -- Found old boilerplate from RFC 3978, Section 5.5 on line 218.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 195.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 202.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 208.

  ** The document seems to lack an RFC 3978 Section 5.1 IPR Disclosure
     Acknowledgement. 

  ** This document has an original RFC 3978 Section 5.4 Copyright Line,
     instead of the newer IETF Trust Copyright according to RFC 4748.

  ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead
     of the newer disclaimer which includes the IETF Trust according to RFC
     4748.

  ** The document uses RFC 3667 boilerplate or RFC 3978-like boilerplate
     instead of verbatim RFC 3978 boilerplate.  After 6 May 2005, submission
     of drafts without verbatim RFC 3978 boilerplate is not accepted.

     The following non-3978 patterns matched text found in the document. 
     That text should be removed or replaced:

        This document is an Internet-Draft and is subject to all provisions of
        Section 3 of RFC 3667.

        By submitting this Internet-Draft, each author represents that any
        applicable patent or other IPR claims of which he or she is aware
        have been or will be disclosed, and any of which he or she
        becomes aware will be disclosed, in accordance with Section 6 of
        BCP 79.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack separate sections for Informative/Normative
     References.  All references will be assumed normative when checking for
     downward references.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (August 10, 2004) is 7197 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  ** Obsolete normative reference: RFC 2560 (Obsoleted by RFC 6960)


     Summary: 7 errors (**), 0 flaws (~~), 2 warnings (==), 7 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

1	NETWORK WORKING GROUP                                             L. Zhu
2	Internet-Draft                                             K. Jaganathan
3	Expires: February 8, 2005                          Microsoft Corporation
4	                                                             N. Williams
5	                                                        Sun Microsystems
6	                                                         August 10, 2004

8	                        OCSP Support for PKINIT
9	                    draft-ietf-krb-wg-ocsp-for-pkinit-00

11	Status of this Memo

13	   This document is an Internet-Draft and is subject to all provisions
14	   of section 3 of RFC 3667.  By submitting this Internet-Draft, each
15	   author represents that any applicable patent or other IPR claims of
16	   which he or she is aware have been or will be disclosed, and any of
17	   which he or she become aware will be disclosed, in accordance with
18	   RFC 3668.

20	   Internet-Drafts are working documents of the Internet Engineering
21	   Task Force (IETF), its areas, and its working groups.  Note that
22	   other groups may also distribute working documents as
23	   Internet-Drafts.

25	   Internet-Drafts are draft documents valid for a maximum of six months
26	   and may be updated, replaced, or obsoleted by other documents at any
27	   time.  It is inappropriate to use Internet-Drafts as reference
28	   material or to cite them other than as "work in progress."

30	   The list of current Internet-Drafts can be accessed at
31	   http://www.ietf.org/ietf/1id-abstracts.txt.

33	   The list of Internet-Draft Shadow Directories can be accessed at
34	   http://www.ietf.org/shadow.html.

36	   This Internet-Draft will expire on February 8, 2005.

38	Copyright Notice

40	   Copyright (C) The Internet Society (2004).

42	Abstract

44	   This document defines a mechanism to enable in-band transmission of
45	   OCSP responses.  These responses are used to verify the validity of
46	   the certificates used in PKINIT - the Kerberos Version 5 extension
47	   that provides for the use of public key cryptography.

49	Table of Contents

51	   1.   Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
52	   2.   Conventions Used in This Document  . . . . . . . . . . . . . . 4
53	   3.   Message Definition . . . . . . . . . . . . . . . . . . . . . . 5
54	   4.   Security Considerations  . . . . . . . . . . . . . . . . . . . 6
55	   5.   IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 7
56	   6.   References . . . . . . . . . . . . . . . . . . . . . . . . . . 7
57	        Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 7
58	        Intellectual Property and Copyright Statements . . . . . . . . 9

60	1.  Introduction

62	   Online Certificate Status Protocol (OCSP) [RFC2560] enables
63	   applications to obtain timely information regarding the revocation
64	   status of a certificate.  Because OCSP responses are well-bounded and
65	   small in size, constrained clients may wish to use OCSP to check the
66	   validity of KDC certificates in order to avoid transmission of large
67	   Certificate Revocation Lists (CRLs) and therefore save bandwidth on
68	   constrained networks.

70	   This document defines a pre-authentication type [CLARIFICATIONS],
71	   where the client and the KDC MAY piggyback OCSP responses for
72	   certificates used in authentication exchanges, as defined in
73	   [PKINIT].

75	   By using this OPTIONAL extension, PKINIT clients and the KDC can
76	   maximize the reuse of cached OCSP responses.

78	2.  Conventions Used in This Document

80	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
81	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
82	   document are to be interpreted as described in [RFC2119].

84	3.  Message Definition

86	   A pre-authentication type identifier is defined for this mechanism:

88	              PA-PK-OCSP-RESPONSE              16

90	   The corresponding pre-authentication field contains OCSP data as
91	   follows:

93	          PA-PK-OCSP-DATA ::= SEQUENCE OF OcspResponse

95	          OcspResponse ::= OCTET STRING
96	                         -- contains a complete OCSP response,
97	                         -- defined in [RFC2560]

99	   The client MAY send OCSP responses for certificates used in
100	   PA-PK-AS-REQ via a PA-PK-OCSP-RESPONSE.

102	   The KDC that receives a PA-PK-OCSP-RESPONSE the SHOULD send a
103	   PA-PK-OCSP-RESPONSE in response.  The client can request a
104	   PA-PK-OCSP-RESPONSE by using an empty sequence in its request.

106	   Note the lack of integrity protection for the empty or missing OCSP
107	   response; lack of an expected OCSP response from the KDC for the
108	   KDC's certificates SHOULD be treated as an error by the client,
109	   unless it is configured otherwise.

111	   When using OCSP, the response is signed by the OCSP server, which is
112	   trusted by the receiver.  Depending on local policy, further
113	   verification of the validity of the OCSP servers MAY need to be done.

115	   The client and the KDC SHOULD ignore invalid OCSP responses received
116	   via this mechanism, and they MAY implement CRL processing logic as a
117	   fall-back position, if the OCSP responses received via this mechanism
118	   alone are not sufficient for the verification of certificate
119	   validity.  The client and/or the KDC MAY ignore a valid OCSP response
120	   and perform their own revocation status verification independently.

122	   The KDC MAY send a PA-PK-OCSP-RESPONSE when it does not receive a
123	   PA-PK-OCSP-RESPONSE from the client.

125	4.  Security Considerations

127	   The pre-authentication data in this document do not actually
128	   authenticate any principals, and MUST be used in conjunction with
129	   PKINIT.

131	   There is a downgrade attack against clients which want OCSP responses
132	   from the KDC for the KDC's certificates.  The clients, however, can
133	   treat the absence of valid OCSP responses as an error, based on their
134	   local configuration.

136	5.  IANA Considerations

138	   This document defines a new pre-authentication type for use with
139	   PKINIT to encode OCSP responses.  The official value for this padata
140	   identifier need to be acquired from IANA.

142	6  References

144	   [CLARIFICATIONS]
145	              Neuman, B., Yu, Y., Hartman, S. and K. Raeburn, "The
146	              Kerberos Network Authentication Service (V5)",
147	              draft-ietf-krb-wg-kerberos-clarifications, Work in
148	              progress.

150	   [PKINIT]   Tung, B. and B. Neuman, "Public Key Cryptography for
151	              Initial Authentication in Kerberos",
152	              draft-ietf-cat-kerberos-pk-init, Work in progress.

154	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
155	              Requirement Levels", BCP 14, RFC 2119, March 1997.

157	   [RFC2560]  Myers, M., Ankney, R., Malpani, A., Galperin, S. and C.
158	              Adams, "X.509 Internet Public Key Infrastructure Online
159	              Certificate Status Protocol - OCSP", RFC 2560, June 1999.

161	Authors' Addresses

163	   Larry Zhu
164	   Microsoft Corporation
165	   One Microsoft Way
166	   Redmond, WA  98052
167	   US

169	   EMail: lzhu@microsoft.com

171	   Karthik Jaganathan
172	   Microsoft Corporation
173	   One Microsoft Way
174	   Redmond, WA  98052
175	   US

177	   EMail: karthikj@microsoft.com
178	   Nicolas Williams
179	   Sun Microsystems
180	   5300 Riata Trace Ct
181	   Austin, TX  78727
182	   US

184	   EMail: Nicolas.Williams@sun.com

186	Intellectual Property Statement

188	   The IETF takes no position regarding the validity or scope of any
189	   Intellectual Property Rights or other rights that might be claimed to
190	   pertain to the implementation or use of the technology described in
191	   this document or the extent to which any license under such rights
192	   might or might not be available; nor does it represent that it has
193	   made any independent effort to identify any such rights.  Information
194	   on the procedures with respect to rights in RFC documents can be
195	   found in BCP 78 and BCP 79.

197	   Copies of IPR disclosures made to the IETF Secretariat and any
198	   assurances of licenses to be made available, or the result of an
199	   attempt made to obtain a general license or permission for the use of
200	   such proprietary rights by implementers or users of this
201	   specification can be obtained from the IETF on-line IPR repository at
202	   http://www.ietf.org/ipr.

204	   The IETF invites any interested party to bring to its attention any
205	   copyrights, patents or patent applications, or other proprietary
206	   rights that may cover technology that may be required to implement
207	   this standard.  Please address the information to the IETF at
208	   ietf-ipr@ietf.org.

210	Disclaimer of Validity

212	   This document and the information contained herein are provided on an
213	   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
214	   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
215	   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
216	   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
217	   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
218	   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

220	Copyright Statement

222	   Copyright (C) The Internet Society (2004).  This document is subject
223	   to the rights, licenses and restrictions contained in BCP 78, and
224	   except as set forth therein, the authors retain all their rights.

226	Acknowledgment

228	   This document was based on conversations among the authors, Jeffrey
229	   Altman, Sam Hartman, Martin Rex, and other members of the Kerberos
230	   working group.