One document matched: draft-ietf-krb-wg-cammac-01.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!-- This template is for creating an Internet Draft using xml2rfc,
which is available here: http://xml.resource.org. -->
<!DOCTYPE rfc PUBLIC "-//IETF//DTD RFC 2629//EN" "rfc2629.dtd" [
<!-- One method to get references from the online citation libraries.
There has to be one entity for each item to be referenced.
An alternate method (rfc include) is described in the references. -->
<!ENTITY RFC2307 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2307.xml">
<!ENTITY RFC3961 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3961.xml">
<!ENTITY RFC3962 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3962.xml">
<!ENTITY RFC3713 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3713.xml">
<!ENTITY RFC4120 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4120.xml">
<!ENTITY RFC1510 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.1510.xml">
<!ENTITY RFC4559 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4559.xml">
<!ENTITY RFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY RFC2629 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2629.xml">
<!ENTITY RFC3552 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3552.xml">
<!ENTITY RFC2898 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2898.xml">
<!ENTITY RFC4493 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4493.xml">
<!ENTITY I-D.narten-iana-considerations-rfc2434bis SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.narten-iana-considerations-rfc2434bis.xml">
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<!-- used by XSLT processors -->
<!-- For a complete list and description of processing instructions (PIs),
please see http://xml.resource.org/authoring/README.html. -->
<!-- Below are generally applicable Processing Instructions (PIs) that most I-Ds might want to use.
(Here they are set differently than their defaults in xml2rfc v1.32) -->
<?rfc strict="yes" ?>
<!-- give errors regarding ID-nits and DTD validation -->
<!-- control the table of contents (ToC) -->
<?rfc toc="yes"?>
<!-- generate a ToC -->
<?rfc tocdepth="4"?>
<!-- the number of levels of subsections in ToC. default: 3 -->
<!-- control references -->
<?rfc symrefs="yes"?>
<!-- use symbolic references tags, i.e, [RFC2119] instead of [1] -->
<?rfc sortrefs="yes" ?>
<!-- sort the reference entries alphabetically -->
<!-- control vertical white space
(using these PIs as follows is recommended by the RFC Editor) -->
<?rfc compact="yes" ?>
<!-- do not start each main section on a new page -->
<?rfc subcompact="no" ?>
<!-- keep one blank line between list items -->
<!-- end of list of popular I-D processing instructions -->
<rfc category="std" docName="draft-ietf-krb-wg-cammac-01"
ipr="trust200902">
<!-- category values: std, bcp, info, exp, and historic
ipr values: full3667, noModification3667, noDerivatives3667
you can add the attributes updates="NNNN" and obsoletes="NNNN"
they will automatically be output with "(if approved)" -->
<!-- ***** FRONT MATTER ***** -->
<front>
<!-- The abbreviated title is used in the page header - it is only necessary if the
full title is longer than 39 characters -->
<title abbrev="Container Authenticated by Multiple MACs">Container
Authenticated by Multiple MACs</title>
<!-- add 'role="editor"' below for the editors if appropriate -->
<!-- Another author who claims to be an editor -->
<author fullname="Simo Sorce" initials="S.S." role="editor"
surname="Sorce">
<organization>Red Hat</organization>
<address>
<email>ssorce@redhat.com</email>
<!-- uri and facsimile elements may also be added -->
</address>
</author>
<author fullname="Tom Yu" initials="T.Y." role="editor" surname="Yu">
<organization>MIT Kerberos Consortium</organization>
<address>
<email>tlyu@mit.edu</email>
<!-- uri and facsimile elements may also be added -->
</address>
</author>
<author fullname="Thomas Hardjono" initials="T.H." role="editor"
surname="Hardjono">
<organization>MIT Kerberos Consortium</organization>
<address>
<email>hardjono@mit.edu</email>
<!-- uri and facsimile elements may also be added -->
</address>
</author>
<date day="9" month="Feb" year="2012" />
<!-- If the month and year are both specified and are the current ones, xml2rfc will fill
in the current day for you. If only the current year is specified, xml2rfc will fill
in the current day and month for you. If the year is not the current one, it is
necessary to specify at least a month (xml2rfc assumes day="1" if not specified for the
purpose of calculating the expiry date). With drafts it is normally sufficient to
specify just the year. -->
<!-- Meta-data Declarations -->
<area>Network Working Group</area>
<workgroup>Internet Engineering Task Force</workgroup>
<!-- WG name at the upperleft corner of the doc,
IETF is fine for individual submissions.
If this element is not present, the default is "Network Working Group",
which is used by the RFC Editor as a nod to the history of the IETF. -->
<keyword>Kerberos</keyword>
<!-- Keywords will be incorporated into HTML output
files in a meta tag but they have no effect on text or nroff
output. If you submit your draft to the RFC Editor, the
keywords will be used for the search engine. -->
<abstract>
<t>
Abstract: This document proposes a Kerberos Authorization Data
container similar to AD-KDC-ISSUED, but that allows for
multiple MACs or signatures on the contained Authorization
Data elements.
</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>This draft proposes a Authorization Data container for Kerberos
that identifies a base set of MAC and other elements necessary to
authenticate the authorization data being carried in such a way that
not only the KDC but also services can independently verify that
the data has been authenticated by the KDC and has not been tampered
with.</t>
</section>
<section title="Requirements Language">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref
target="RFC2119">RFC 2119</xref>.</t>
</section>
<section title="Validation">
<t> Authorization data is highly sensitive and must be validated to
insure no tampering has occured.</t>
<t> In order to validate any information the receiving client need to be
able to cryptographically verify the data. This is done by introducing a
new AuthorizationData element called AD-CAMMAC that contains enough
information to bind the contents to a principal in a way that a receiving
client can verify autonomusly without further contact with the KDC.</t>
<t>The following information is needed:
<list style="symbols">
<t>The KDC signature.</t>
<t>The Service Signature.</t>
<t>Optional Trusted Service Key Signature.</t>
<t>Optional PUBKEY KDC Signature.</t>
</list>
</t>
<t>The KDC signature is required to allow the KDC to validate the data
withouth requiring to recompute the contents at every TGS request.</t>
<t>The SVC signature is required so that the Service can verify that
the authorization data has been validated by the KDC.</t>
<t>Both the Trusted Service Checksum and the asymmetric KDC Signature
are useful to verify the authenticity of the contents on the same host,
when the data is received by a less trusted service and passed to a more
trusted service on the same host without the need for additional
roundtrips to the KDC.</t>
<t>The ad-type for AD-CAMMAC is (TBD).</t>
</section>
<section title="Encoding">
<t>The Kerberos protocol is defined in [RFC4120] using Abstract Syntax
Notation One (ASN.1) [X680]. As such, this specification also uses the
ASN.1 syntax for specifying both the abstract layout of the AD-CAMMAC
attributes, as well as its encoding.</t>
<section title="AD-CAMMAC">
<figure>
<preamble></preamble>
<artwork><![CDATA[
AD-CAMMAC ::= SEQUENCE {
kdc-signature [0] Checksum,
svc-signature [1] Checksum,
trusted-svc-signature [2] OPT-Checksum OPTIONAL,
pubkey-signature [3] TBD OPTIONAL,
elements [4] AuthorizationData
}
OPT-Checksum ::= SEQUENCE {
identifier [0] PrincipalName,
signature [1] Checksum
}
kdc-signature
A cryptographic checksum computed over the encoding of the
elements field, keyed with the krbtgt key.
Checksum type TBD.
svc-signature
A cryptographic checksum computed over the encoding of the
elements field, keyed with the service long term key.
Checksum type TBD.
trusted-svc-signature
A principal name and a cryptographic checksum computed over the
encoding of the elements field, keyed with the long term key of
the principal name specified in the Name field. Unless otherwise
explicitly administratively configured, the key SHOULD be found
by substituting the service name component of the principal name
of the service with 'host'.
If the service is 'host' this checksum is redundant and can be
omitted.
If the resulting host/<name>@REALM or the administratively
configured service is not found in the KDC database this
cheksum can be omitted.
Checksum type TBD.
pubkey-signature
A name identifying the asymmetric key-pair used.
A checksum computed over the encoding of the elements field using
the Private Key identified in the Name field.
If an asymmetric key is not available this checksum MUST be
omitted.
Signature type TBD.
elements
A sequence of authorization data elements issued by the KDC.
]]></artwork>
<postamble></postamble>
</figure>
</section>
</section>
<section title="Assigned numbers">
<t>TBD</t>
</section>
<!-- Possibly a 'Contributors' section ... -->
<section anchor="IANA" title="IANA Considerations">
<t>TBD.</t>
</section>
<section anchor="Security" title="Security Considerations">
<t>Although generally authorization data are conveyed within a ticket
and are thereby protected using the existing encryption methods on the
ticket, some authorization data requires the additional protection
provided by the CAMMAC.</t>
</section>
<section anchor="Acknowledgements" title="Acknowledgements">
<t>TBD.</t>
</section>
</middle>
<!-- *****BACK MATTER ***** -->
<back>
<!-- References split into informative and normative -->
<!-- There are 2 ways to insert reference entries from the citation libraries:
1. define an ENTITY at the top, and use "ampersand character"RFC2629; here (as shown)
2. simply use a PI "less than character"?rfc include="reference.RFC.2119.xml"?> here
(for I-Ds: include="reference.I-D.narten-iana-considerations-rfc2434bis.xml")
Both are cited textually in the same manner: by using xref elements.
If you use the PI option, xml2rfc will, by default, try to find included files in the same
directory as the including file. You can also define the XML_LIBRARY environment variable
with a value containing a set of directories to search. These can be either in the local
filing system or remote ones accessed by http (http://domain/dir/... ).-->
<references title="Normative References">
<!--?rfc include="http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml"?-->
&RFC4120;
&RFC3961;
&RFC3962;
</references>
<references title="Informative References">
<!-- Here we use entities that we defined at the beginning. -->
&RFC2119;
&RFC3552;
&RFC1510;
<reference anchor="MIT-Athena">
<!-- the following is the minimum to make xml2rfc happy -->
<front>
<title>Kerberos: An Authentication Service for Open Network Systems.
In Proceedings of the Winter 1988 Usenix Conference.
February.</title>
<author initials="J." surname="Steiner">
<organization></organization>
</author>
<author initials="B." surname="Neuman">
<organization></organization>
</author>
<author initials="J." surname="Schiller">
<organization></organization>
</author>
<date year="1988" />
</front>
</reference>
<reference anchor="X.690">
<front>
<title>ASN.1 encoding rules: Specification of Basic Encoding Rules
(BER), Canonical Encoding Rules (CER) and Distinguished Encoding
Rules (DER) - ITU-T Recommendation X.690 (ISO/IEC International
Standard 8825-1:1998)</title>
<author surname="ISO">
<organization>ISO</organization>
</author>
<date year="1997" />
</front>
</reference>
</references>
<section anchor="app-additional" title="Additional Stuff">
<t>This becomes an Appendix.</t>
</section>
<!-- Change Log
v00 2012-02-08 EBD Initial version after the split of generalized-pac
-->
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-23 05:48:33 |