idnits 2.17.1 

draft-ietf-krb-wg-ocsp-for-pkinit-04.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1.a on line 19.

  -- Found old boilerplate from RFC 3978, Section 5.5 on line 257.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 234.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 241.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 247.

  ** The document seems to lack an RFC 3978 Section 5.1 IPR Disclosure
     Acknowledgement. 

  ** This document has an original RFC 3978 Section 5.4 Copyright Line,
     instead of the newer IETF Trust Copyright according to RFC 4748.

  ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead
     of the newer disclaimer which includes the IETF Trust according to RFC
     4748.

  ** The document uses RFC 3667 boilerplate or RFC 3978-like boilerplate
     instead of verbatim RFC 3978 boilerplate.  After 6 May 2005, submission
     of drafts without verbatim RFC 3978 boilerplate is not accepted.

     The following non-3978 patterns matched text found in the document. 
     That text should be removed or replaced:

        This document is an Internet-Draft and is subject to all provisions of
        Section 3 of RFC 3667.

        By submitting this Internet-Draft, each author represents that any
        applicable patent or other IPR claims of which he or she is aware
        have been or will be disclosed, and any of which he or she
        becomes aware will be disclosed, in accordance with Section 6 of
        BCP 79.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (January 31, 2005) is 7025 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'X60' is mentioned on line 98, but not defined

  == Unused Reference: 'X690' is defined on line 189, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 2560 (Obsoleted by RFC 6960)

  -- Possible downref: Non-RFC (?) normative reference: ref. 'X690'


     Summary: 6 errors (**), 0 flaws (~~), 4 warnings (==), 8 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	NETWORK WORKING GROUP                                             L. Zhu
3	Internet-Draft                                             K. Jaganathan
4	Expires: August 4, 2005                            Microsoft Corporation
5	                                                             N. Williams
6	                                                        Sun Microsystems
7	                                                        January 31, 2005

9	                        OCSP Support for PKINIT
10	                   draft-ietf-krb-wg-ocsp-for-pkinit-04

12	Status of this Memo

14	   This document is an Internet-Draft and is subject to all provisions
15	   of Section 3 of RFC 3667.  By submitting this Internet-Draft, each
16	   author represents that any applicable patent or other IPR claims of
17	   which he or she is aware have been or will be disclosed, and any of
18	   which he or she become aware will be disclosed, in accordance with
19	   RFC 3668.

21	   Internet-Drafts are working documents of the Internet Engineering
22	   Task Force (IETF), its areas, and its working groups.  Note that
23	   other groups may also distribute working documents as
24	   Internet-Drafts.

26	   Internet-Drafts are draft documents valid for a maximum of six months
27	   and may be updated, replaced, or obsoleted by other documents at any
28	   time.  It is inappropriate to use Internet-Drafts as reference
29	   material or to cite them other than as "work in progress."

31	   The list of current Internet-Drafts can be accessed at
32	   http://www.ietf.org/ietf/1id-abstracts.txt.

34	   The list of Internet-Draft Shadow Directories can be accessed at
35	   http://www.ietf.org/shadow.html.

37	   This Internet-Draft will expire on August 4, 2005.

39	Copyright Notice

41	   Copyright (C) The Internet Society (2005).

43	Abstract

45	   This document defines a mechanism to enable in-band transmission of
46	   Online Certificate Status Protocol (OCSP) responses in the Kerberos
47	   network authentication protocol.  These responses are used to verify
48	   the validity of the certificates used in PKINIT - the Kerberos
49	   Version 5 extension that provides for the use of public key
50	   cryptography.

52	Table of Contents

54	   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
55	   2.  Conventions Used in This Document  . . . . . . . . . . . . . .  3
56	   3.  Message Definition . . . . . . . . . . . . . . . . . . . . . .  3
57	   4.  Security Considerations  . . . . . . . . . . . . . . . . . . .  4
58	   5.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  5
59	   6.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . .  5
60	   7.  References . . . . . . . . . . . . . . . . . . . . . . . . . .  5
61	     7.1   Normative References . . . . . . . . . . . . . . . . . . .  5
62	     7.2   Informative References . . . . . . . . . . . . . . . . . .  5
63	       Authors' Addresses . . . . . . . . . . . . . . . . . . . . . .  5
64	       Intellectual Property and Copyright Statements . . . . . . . .  7

66	1.  Introduction

68	   Online Certificate Status Protocol (OCSP) [RFC2560] enables
69	   applications to obtain timely information regarding the revocation
70	   status of a certificate.  Because OCSP responses are well-bounded and
71	   small in size, constrained clients may wish to use OCSP to check the
72	   validity of the certificates for Kerberos Key Distribution Center
73	   (KDC) in order to avoid transmission of large Certificate Revocation
74	   Lists (CRLs) and therefore save bandwidth on constrained networks
75	   [OCSP-PROFILE].

77	   This document defines a pre-authentication type [CLARIFICATIONS],
78	   where the client and the KDC MAY piggyback OCSP responses for
79	   certificates used in authentication exchanges, as defined in
80	   [PKINIT].

82	   By using this OPTIONAL extension, PKINIT clients and the KDC can
83	   maximize the reuse of cached OCSP responses.

85	2.  Conventions Used in This Document

87	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
88	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
89	   document are to be interpreted as described in [RFC2119].

91	3.  Message Definition

93	   A pre-authentication type identifier is defined for this mechanism:

95	              PA-PK-OCSP-RESPONSE              16

97	   The corresponding padata-value field [CLARIFICATIONS] contains the
98	   DER [X60] encoding of the following ASN.1 type:

100	          PKOcspData ::= SEQUENCE OF OcspResponse

102	          OcspResponse ::= OCTET STRING
103	                         -- contains a complete OCSP response,
104	                         -- defined in [RFC2560]

106	   The client MAY send OCSP responses for certificates used in
107	   PA-PK-AS-REQ [PKINIT] via a PA-PK-OCSP-RESPONSE.

109	   The KDC that receives a PA-PK-OCSP-RESPONSE then SHOULD send a
110	   PA-PK-OCSP-RESPONSE containing OCSP responses for certificates used
111	   in the KDC's PA-PK-AS-REP.  The client can request a
112	   PA-PK-OCSP-RESPONSE by using a PKOcspData containing an empty
113	   sequence.

115	   The KDC MAY send a PA-PK-OCSP-RESPONSE when it does not receive a
116	   PA-PK-OCSP-RESPONSE from the client.

118	   The PA-PK-OCSP-RESPONSE sent by the KDC contains OCSP responses for
119	   certificates used in PA-PK-AS-REP [PKINIT].

121	   Note the lack of integrity protection for the empty or missing OCSP
122	   response; lack of an expected OCSP response from the KDC for the
123	   KDC's certificates SHOULD be treated as an error by the client,
124	   unless it is configured otherwise.

126	   When using OCSP, the response is signed by the OCSP server, which is
127	   trusted by the receiver.  Depending on local policy, further
128	   verification of the validity of the OCSP servers may be needed

130	   The client and the KDC SHOULD ignore invalid OCSP responses received
131	   via this mechanism, and they MAY implement CRL processing logic as a
132	   fall-back position, if the OCSP responses received via this mechanism
133	   alone are not sufficient for the verification of certificate
134	   validity.  The client and/or the KDC MAY ignore a valid OCSP response
135	   and perform their own revocation status verification independently.

137	4.  Security Considerations

139	   The pre-authentication data in this document do not actually
140	   authenticate any principals, but is designed to be used in
141	   conjunction with PKINIT.

143	   There is no binding between PA-PK-OCSP-RESPONSE pre-authentication
144	   data and PKINIT pre-authentication data other than a given OCSP
145	   response corresponding to a certificate used in a PKINIT
146	   pre-authentication data element.  Attacks involving removal or
147	   replacement of PA-PK-OCSP-RESPONSE pre-authentication data elements
148	   are, at worst, downgrade attacks, where a PKINIT client or KDC would
149	   proceed without use of CRLs or OCSP for certificate validation, or
150	   denial of service attacks, where a PKINIT client or KDC that cannot
151	   validate the other's certificate without an accompanying OCSP
152	   response might reject the AS exchange or where they might have to
153	   download very large CRLs in order to continue.  Kerberos V does not
154	   protect against denial-of-service attacks, therefore the
155	   denial-of-service aspect of these attacks are acceptable.

157	   If a PKINIT client or KDC cannot validate certificates without the
158	   aid of a valid PA-PK-OCSP-RESPONSE then it SHOULD fail the AS
159	   exchange, possibly according to local configuration.

161	5.  IANA Considerations

163	   No IANA actions are required for this document.

165	6.  Acknowledgements

167	   This document was based on conversations among the authors, Jeffrey
168	   Altman, Sam Hartman, Martin Rex and other members of the Kerberos
169	   working group.

171	7.  References

173	7.1  Normative References

175	   [CLARIFICATIONS]
176	              RFC-Editor: To be replaced by RFC number for draft-ietf-
177	              krb-wg-kerberos-clarifications.  Work in Progress.

179	   [PKINIT]   RFC-Editor: To be replaced by RFC number for draft-ietf-
180	              cat-kerberos-pk-init.  Work in Progress.

182	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
183	              Requirement Levels", BCP 14, RFC 2119, March 1997.

185	   [RFC2560]  Myers, M., Ankney, R., Malpani, A., Galperin, S. and C.
186	              Adams, "X.509 Internet Public Key Infrastructure Online
187	              Certificate Status Protocol - OCSP", RFC 2560, June 1999.

189	   [X690]     ASN.1 encoding rules: Specification of Basic Encoding
190	              Rules (BER), Canonical Encoding Rules (CER) and
191	              Distinguished Encoding Rules (DER), ITU-T Recommendation
192	              X.690 (1997) | ISO/IEC International Standard 8825-1:1998.

194	7.2  Informative References

196	   [OCSP-PROFILE]
197	              RFC-Editor: To be replaced by RFC number for draft-deacon-
198	              lightweight-ocsp-profile.  Work in Progress.

200	Authors' Addresses

202	   Larry Zhu
203	   Microsoft Corporation
204	   One Microsoft Way
205	   Redmond, WA  98052
206	   US

208	   Email: lzhu@microsoft.com
209	   Karthik Jaganathan
210	   Microsoft Corporation
211	   One Microsoft Way
212	   Redmond, WA  98052
213	   US

215	   Email: karthikj@microsoft.com

217	   Nicolas Williams
218	   Sun Microsystems
219	   5300 Riata Trace Ct
220	   Austin, TX  78727
221	   US

223	   Email: Nicolas.Williams@sun.com

225	Intellectual Property Statement

227	   The IETF takes no position regarding the validity or scope of any
228	   Intellectual Property Rights or other rights that might be claimed to
229	   pertain to the implementation or use of the technology described in
230	   this document or the extent to which any license under such rights
231	   might or might not be available; nor does it represent that it has
232	   made any independent effort to identify any such rights.  Information
233	   on the procedures with respect to rights in RFC documents can be
234	   found in BCP 78 and BCP 79.

236	   Copies of IPR disclosures made to the IETF Secretariat and any
237	   assurances of licenses to be made available, or the result of an
238	   attempt made to obtain a general license or permission for the use of
239	   such proprietary rights by implementers or users of this
240	   specification can be obtained from the IETF on-line IPR repository at
241	   http://www.ietf.org/ipr.

243	   The IETF invites any interested party to bring to its attention any
244	   copyrights, patents or patent applications, or other proprietary
245	   rights that may cover technology that may be required to implement
246	   this standard.  Please address the information to the IETF at
247	   ietf-ipr@ietf.org.

249	Disclaimer of Validity

251	   This document and the information contained herein are provided on an
252	   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
253	   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
254	   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
255	   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
256	   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
257	   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

259	Copyright Statement

261	   Copyright (C) The Internet Society (2005).  This document is subject
262	   to the rights, licenses and restrictions contained in BCP 78, and
263	   except as set forth therein, the authors retain all their rights.

265	Acknowledgment

267	   Funding for the RFC Editor function is currently provided by the
268	   Internet Society.