mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
7055827b8f
This makes it clearer that we always want to do heimdal changes via the lorikeet-heimdal repository. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Autobuild-User(master): Joseph Sutton <jsutton@samba.org> Autobuild-Date(master): Wed Jan 19 21:41:59 UTC 2022 on sn-devel-184
566 lines
11 KiB
Plaintext
566 lines
11 KiB
Plaintext
|
|
NETWORK WORKING GROUP L. Zhu
|
|
Internet-Draft K. Jaganathan
|
|
Expires: February 8, 2005 Microsoft Corporation
|
|
N. Williams
|
|
Sun Microsystems
|
|
August 10, 2004
|
|
|
|
|
|
|
|
OCSP Support for PKINIT
|
|
draft-ietf-krb-wg-ocsp-for-pkinit-01
|
|
|
|
|
|
Status of this Memo
|
|
|
|
|
|
This document is an Internet-Draft and is subject to all provisions
|
|
of section 3 of RFC 3667. By submitting this Internet-Draft, each
|
|
author represents that any applicable patent or other IPR claims of
|
|
which he or she is aware have been or will be disclosed, and any of
|
|
which he or she become aware will be disclosed, in accordance with
|
|
RFC 3668.
|
|
|
|
|
|
Internet-Drafts are working documents of the Internet Engineering
|
|
Task Force (IETF), its areas, and its working groups. Note that
|
|
other groups may also distribute working documents as
|
|
Internet-Drafts.
|
|
|
|
|
|
Internet-Drafts are draft documents valid for a maximum of six months
|
|
and may be updated, replaced, or obsoleted by other documents at any
|
|
time. It is inappropriate to use Internet-Drafts as reference
|
|
material or to cite them other than as "work in progress."
|
|
|
|
|
|
The list of current Internet-Drafts can be accessed at
|
|
http://www.ietf.org/ietf/1id-abstracts.txt.
|
|
|
|
|
|
The list of Internet-Draft Shadow Directories can be accessed at
|
|
http://www.ietf.org/shadow.html.
|
|
|
|
|
|
This Internet-Draft will expire on February 8, 2005.
|
|
|
|
|
|
Copyright Notice
|
|
|
|
|
|
Copyright (C) The Internet Society (2004).
|
|
|
|
|
|
Abstract
|
|
|
|
|
|
This document defines a mechanism to enable in-band transmission of
|
|
OCSP responses. These responses are used to verify the validity of
|
|
the certificates used in PKINIT - the Kerberos Version 5 extension
|
|
that provides for the use of public key cryptography.
|
|
|
|
|
|
|
|
|
|
|
|
Zhu, et al. Expires February 8, 2005 [Page 1]
|
|
Internet-Draft OCSP Support for PKINIT August 2004
|
|
|
|
|
|
|
|
Table of Contents
|
|
|
|
|
|
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
|
|
2. Conventions Used in This Document . . . . . . . . . . . . . . 4
|
|
3. Message Definition . . . . . . . . . . . . . . . . . . . . . . 5
|
|
4. Security Considerations . . . . . . . . . . . . . . . . . . . 6
|
|
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
|
|
6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7
|
|
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 7
|
|
Intellectual Property and Copyright Statements . . . . . . . . 9
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Zhu, et al. Expires February 8, 2005 [Page 2]
|
|
Internet-Draft OCSP Support for PKINIT August 2004
|
|
|
|
|
|
|
|
1. Introduction
|
|
|
|
|
|
Online Certificate Status Protocol (OCSP) [RFC2560] enables
|
|
applications to obtain timely information regarding the revocation
|
|
status of a certificate. Because OCSP responses are well-bounded and
|
|
small in size, constrained clients may wish to use OCSP to check the
|
|
validity of KDC certificates in order to avoid transmission of large
|
|
Certificate Revocation Lists (CRLs) and therefore save bandwidth on
|
|
constrained networks.
|
|
|
|
|
|
This document defines a pre-authentication type [CLARIFICATIONS],
|
|
where the client and the KDC MAY piggyback OCSP responses for
|
|
certificates used in authentication exchanges, as defined in
|
|
[PKINIT].
|
|
|
|
|
|
By using this OPTIONAL extension, PKINIT clients and the KDC can
|
|
maximize the reuse of cached OCSP responses.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Zhu, et al. Expires February 8, 2005 [Page 3]
|
|
Internet-Draft OCSP Support for PKINIT August 2004
|
|
|
|
|
|
|
|
2. Conventions Used in This Document
|
|
|
|
|
|
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
|
|
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
|
|
document are to be interpreted as described in [RFC2119].
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Zhu, et al. Expires February 8, 2005 [Page 4]
|
|
Internet-Draft OCSP Support for PKINIT August 2004
|
|
|
|
|
|
|
|
3. Message Definition
|
|
|
|
|
|
A pre-authentication type identifier is defined for this mechanism:
|
|
|
|
|
|
PA-PK-OCSP-RESPONSE 16
|
|
|
|
|
|
The corresponding pre-authentication field contains OCSP data as
|
|
follows:
|
|
|
|
|
|
PA-PK-OCSP-DATA ::= SEQUENCE OF OcspResponse
|
|
|
|
|
|
OcspResponse ::= OCTET STRING
|
|
-- contains a complete OCSP response,
|
|
-- defined in [RFC2560]
|
|
|
|
|
|
The client MAY send OCSP responses for certificates used in
|
|
PA-PK-AS-REQ [PKINIT] via a PA-PK-OCSP-RESPONSE.
|
|
|
|
|
|
The KDC that receives a PA-PK-OCSP-RESPONSE the SHOULD send a
|
|
PA-PK-OCSP-RESPONSE in response. The client can request a
|
|
PA-PK-OCSP-RESPONSE by using an empty sequence in its request.
|
|
|
|
|
|
The KDC MAY send a PA-PK-OCSP-RESPONSE when it does not receive a
|
|
PA-PK-OCSP-RESPONSE from the client.
|
|
|
|
|
|
The PA-PK-OCSP-RESPONSE sent by the KDC contains OCSP responses for
|
|
certificates used in PA-PK-AS-REP [PKINIT].
|
|
|
|
|
|
Note the lack of integrity protection for the empty or missing OCSP
|
|
response; lack of an expected OCSP response from the KDC for the
|
|
KDC's certificates SHOULD be treated as an error by the client,
|
|
unless it is configured otherwise.
|
|
|
|
|
|
When using OCSP, the response is signed by the OCSP server, which is
|
|
trusted by the receiver. Depending on local policy, further
|
|
verification of the validity of the OCSP servers MAY need to be done.
|
|
|
|
|
|
The client and the KDC SHOULD ignore invalid OCSP responses received
|
|
via this mechanism, and they MAY implement CRL processing logic as a
|
|
fall-back position, if the OCSP responses received via this mechanism
|
|
alone are not sufficient for the verification of certificate
|
|
validity. The client and/or the KDC MAY ignore a valid OCSP response
|
|
and perform their own revocation status verification independently.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Zhu, et al. Expires February 8, 2005 [Page 5]
|
|
Internet-Draft OCSP Support for PKINIT August 2004
|
|
|
|
|
|
|
|
4. Security Considerations
|
|
|
|
|
|
The pre-authentication data in this document do not actually
|
|
authenticate any principals, and MUST be used in conjunction with
|
|
PKINIT.
|
|
|
|
|
|
There is a downgrade attack against clients which want OCSP responses
|
|
from the KDC for the KDC's certificates. The clients, however, can
|
|
treat the absence of valid OCSP responses as an error, based on their
|
|
local configuration.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Zhu, et al. Expires February 8, 2005 [Page 6]
|
|
Internet-Draft OCSP Support for PKINIT August 2004
|
|
|
|
|
|
|
|
5. IANA Considerations
|
|
|
|
|
|
This document defines a new pre-authentication type for use with
|
|
PKINIT to encode OCSP responses. The official value for this padata
|
|
identifier need to be acquired from IANA.
|
|
|
|
|
|
6 References
|
|
|
|
|
|
[CLARIFICATIONS]
|
|
Neuman, B., Yu, Y., Hartman, S. and K. Raeburn, "The
|
|
Kerberos Network Authentication Service (V5)",
|
|
draft-ietf-krb-wg-kerberos-clarifications, Work in
|
|
progress.
|
|
|
|
|
|
[PKINIT] Tung, B. and B. Neuman, "Public Key Cryptography for
|
|
Initial Authentication in Kerberos",
|
|
draft-ietf-cat-kerberos-pk-init, Work in progress.
|
|
|
|
|
|
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
|
|
Requirement Levels", BCP 14, RFC 2119, March 1997.
|
|
|
|
|
|
[RFC2560] Myers, M., Ankney, R., Malpani, A., Galperin, S. and C.
|
|
Adams, "X.509 Internet Public Key Infrastructure Online
|
|
Certificate Status Protocol - OCSP", RFC 2560, June 1999.
|
|
|
|
|
|
|
|
Authors' Addresses
|
|
|
|
|
|
Larry Zhu
|
|
Microsoft Corporation
|
|
One Microsoft Way
|
|
Redmond, WA 98052
|
|
US
|
|
|
|
|
|
EMail: lzhu@microsoft.com
|
|
|
|
|
|
|
|
Karthik Jaganathan
|
|
Microsoft Corporation
|
|
One Microsoft Way
|
|
Redmond, WA 98052
|
|
US
|
|
|
|
|
|
EMail: karthikj@microsoft.com
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Zhu, et al. Expires February 8, 2005 [Page 7]
|
|
Internet-Draft OCSP Support for PKINIT August 2004
|
|
|
|
|
|
|
|
Nicolas Williams
|
|
Sun Microsystems
|
|
5300 Riata Trace Ct
|
|
Austin, TX 78727
|
|
US
|
|
|
|
|
|
EMail: Nicolas.Williams@sun.com
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Zhu, et al. Expires February 8, 2005 [Page 8]
|
|
Internet-Draft OCSP Support for PKINIT August 2004
|
|
|
|
|
|
|
|
Intellectual Property Statement
|
|
|
|
|
|
The IETF takes no position regarding the validity or scope of any
|
|
Intellectual Property Rights or other rights that might be claimed to
|
|
pertain to the implementation or use of the technology described in
|
|
this document or the extent to which any license under such rights
|
|
might or might not be available; nor does it represent that it has
|
|
made any independent effort to identify any such rights. Information
|
|
on the procedures with respect to rights in RFC documents can be
|
|
found in BCP 78 and BCP 79.
|
|
|
|
|
|
Copies of IPR disclosures made to the IETF Secretariat and any
|
|
assurances of licenses to be made available, or the result of an
|
|
attempt made to obtain a general license or permission for the use of
|
|
such proprietary rights by implementers or users of this
|
|
specification can be obtained from the IETF on-line IPR repository at
|
|
http://www.ietf.org/ipr.
|
|
|
|
|
|
The IETF invites any interested party to bring to its attention any
|
|
copyrights, patents or patent applications, or other proprietary
|
|
rights that may cover technology that may be required to implement
|
|
this standard. Please address the information to the IETF at
|
|
ietf-ipr@ietf.org.
|
|
|
|
|
|
|
|
Disclaimer of Validity
|
|
|
|
|
|
This document and the information contained herein are provided on an
|
|
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
|
|
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
|
|
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
|
|
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
|
|
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
|
|
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
|
|
|
|
|
|
|
Copyright Statement
|
|
|
|
|
|
Copyright (C) The Internet Society (2004). This document is subject
|
|
to the rights, licenses and restrictions contained in BCP 78, and
|
|
except as set forth therein, the authors retain all their rights.
|
|
|
|
|
|
|
|
Acknowledgment
|
|
|
|
|
|
This document was based on conversations among the authors, Jeffrey
|
|
Altman, Sam Hartman, Martin Rex, and other members of the Kerberos
|
|
working group.
|
|
|
|
|
|
|
|
|
|
|
|
Zhu, et al. Expires February 8, 2005 [Page 9] |