One document matched: draft-jain-kitten-krb-auth-indicator-01.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc6113 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6113.xml">
<!ENTITY rfc4120 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4120.xml">
<!ENTITY rfc2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY rfc4121 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4121.xml">
<!ENTITY rfc6711 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6711.xml">
<!ENTITY cammac SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-krb-wg-cammac-08.xml">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<?rfc toc="yes"?>
<?rfc sortrefs="yes"?>
<?rfc symrefs="yes"?>
<?rfc rfcedstyle="yes"?>
<?rfc autobreaks="yes"?>
<?rfc docmapping="yes"?>
<rfc category="std" docName="draft-jain-kitten-krb-auth-indicator-01"
ipr="trust200902" >
<front>
<title abbrev="Authentication Indicator">Authentication Indicator in Kerberos tickets</title>
<author fullname="Anupam Jain" initials="A." surname="Jain">
<organization>Georgia Tech</organization>
<address>
<postal>
<street>225 North Ave NW</street>
<city>Atlanta</city>
<region>GA</region>
<code>30332</code>
<country>USA</country>
</postal>
<email>ajain323@gatech.edu</email>
</address>
</author>
<author fullname="Nathan Kinder" initials="N." surname="Kinder">
<organization>Red Hat, Inc.</organization>
<address>
<postal>
<street>444 Castro St.</street>
<street>Suite 500</street>
<city>Mountain View</city>
<region>CA</region>
<code>94041</code>
<country>USA</country>
</postal>
<email>nkinder@redhat.com</email>
</address>
</author>
<author fullname="Nathaniel McCallum" initials="N." surname="McCallum">
<organization>Red Hat, Inc.</organization>
<address>
<postal>
<street>100 East Davie Street</street>
<city>Raleigh</city>
<region>NC</region>
<code>27601</code>
<country>USA</country>
</postal>
<email>npmccallum@redhat.com</email>
</address>
</author>
<date month="August" year="2014" />
<area>Security</area>
<workgroup>Internet Engineering Task Force</workgroup>
<abstract>
<t>This document proposes an extension in the Kerberos protocol. It defines a new
Authorization Data Type AUTHENTICATION-INDICATOR. The purpose of introducing this
data type is to include an indicator of the client's authentication strength in the
service tickets so that the application services can use it as an input into policy
decisions.</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>Kerberos allows secure interaction among users and services over a network.
It supports a variety of authentication mechanisms using its <xref target="RFC6113">
Pre-Authentication framework</xref>. Kerberos Authentication Service has been
architected to support password based authentication as well as multi-factor
authentication using One Time Password devices or Public Key Cryptography.
Implementations that have Pre-Authentication mechanisms offering significantly
different strengths of client authentication may choose to keep track of the
strength of the authentication used as an input into policy decisions. This
document proposes a new Authorization Data Type to be used to convey the
authentication strength to the application services. The AD type is wrapped in the
<xref target="I-D.ietf-krb-wg-cammac">AD-CAMMAC</xref> container and contains
information about the type of authentication mechanism used by the Kerberos client
to authenticate itself to the KDC.</t>
</section>
<section title="Document Conventions">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref target="RFC2119">
RFC 2119</xref>.</t>
</section>
<section title="AD Type Specification">
<t>The KDC MAY include the following Authorization Data element, wrapped in
AD-CAMMAC, in the initial credentials and copy it from a ticket-granting ticket
into service tickets:</t>
<t>AUTHENTICATION-INDICATOR TBD</t>
<t>The corresponding ad-data field contains the DER encoding of this AD type which
is defined as</t>
<t>AUTHENTICATION-INDICATOR ::= SEQUENCE OF UTF8String</t>
<t>These values are short strings that indicate that a particular set of
requirements was met during the initial authentication. These strings are intended
to be compared against known values. They are not intended to store structured data.
These strings MAY be site-defined strings that do not contain a colon such as the
name of the Pre-Authentication mechanism used, or alternatively URIs that reference
a <xref target="RFC6711">Level of Assurance Profile</xref>.</t>
<t>The AUTHENTICATION-INDICATOR AD type MUST be included in the AD-CAMMAC container
so that its contents can be protected.
The AD-CAMMAC element and the new AD type it encapsulates MAY safely be ignored
by the applications and KDCs that do not implement this element.</t>
</section>
<section title="Security Considerations">
<t>AUTHENTICATION-INDICATOR is wrapped in AD-CAMMAC which supersedes AD-KDC-ISSUED
container. AD-CAMMAC allows both the application service and the KDC to verify the
authenticity of the contained Authorization Data.</t>
<t>A malicious service can replace AD-CAMMAC in a service ticket
with a legitimate AD-CAMMAC present in some other ticket that the service has
received. KDC MUST ensure that the service does not tamper with the contents of
AD-CAMMAC or the ticket. It SHOULD insert an Authorization Data element into the
AD-CAMMAC container that binds the contents of the container to the enclosing ticket.
This binding protects AUTHENTICATION-INDICATOR in case of constrained delegation such
as S4U2Proxy <xref target="MS-SFU"/> extension.</t>
<t>Using multiple strings in AUTHENTICATION-INDICATOR MAY lead to ambiguity when a
service tries to make a decision based on the AUTHENTICATION-INDICATOR values. This
ambiguity can be avoided if indicator values are always used as a positive indication
of certain requirements being met during the initial authentication.</t>
</section>
</middle>
<back>
<?rfc rfcedstyle="no"?>
<references title="Normative References">
<!--Pre Authentication Framework-->
&rfc6113;
<!--Kerberos V5-->
&rfc4120;
<!--AD CAMMAC-->
&cammac;
<!--Key words for use in RFCs to Indicate Requirement Levels-->
&rfc2119;
</references>
<references title="Informative References">
<!--MS-SFU-->
<reference anchor="MS-SFU"
target="http://msdn.microsoft.com/en-us/library/cc246071.aspx">
<front>
<title>Kerberos Protocol Extensions:
Service for User and Constrained Delegation Protocol</title>
<author>
<organization>Microsoft</organization>
</author>
<date month="January" year="2013" />
</front>
</reference>
<!--GSS-API V2-->
&rfc4121;
<!--LOA Profiles-->
&rfc6711;
</references>
<?rfc rfcedstyle="yes"?>
<section title="Acknowledgements">
<figure>
<artwork><![CDATA[
Dmitri Pal (Red Hat)
Simo Sorce (Red Hat)
]]></artwork>
</figure>
</section>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 01:35:09 |