| blob | cc09cebfa17f7ef7808f4159e397e508a5da5016 |
7 Network Working Group S. Santesson
8 Request for Comments: 4681 A. Medvinsky
9 Updates: 4346 J. Ball
10 Category: Standards Track Microsoft
11 October 2006
14 TLS User Mapping Extension
16 Status of This Memo
18 This document specifies an Internet standards track protocol for the
19 Internet community, and requests discussion and suggestions for
20 improvements. Please refer to the current edition of the "Internet
21 Official Protocol Standards" (STD 1) for the standardization state
22 and status of this protocol. Distribution of this memo is unlimited.
24 Copyright Notice
26 Copyright (C) The Internet Society (2006).
28 Abstract
30 This document specifies a TLS extension that enables clients to send
31 generic user mapping hints in a supplemental data handshake message
32 defined in RFC 4680. One such mapping hint is defined in an
33 informative section, the UpnDomainHint, which may be used by a server
34 to locate a user in a directory database. Other mapping hints may be
35 defined in other documents in the future.
37 Table of Contents
39 1. Introduction ....................................................2
40 1.1. Terminology ................................................2
41 1.2. Design Considerations ......................................2
42 2. User Mapping Extension ..........................................3
43 3. User Mapping Handshake Exchange .................................3
44 4. Message Flow ....................................................5
45 5. Security Considerations .........................................6
46 6. UPN Domain Hint (Informative) ...................................7
47 7. IANA Considerations .............................................8
48 8. Normative References ............................................9
49 9. Acknowledgements ................................................9
58 Santesson, et al. Standards Track [Page 1]
59 \f
60 RFC 4681 TLS User Mapping Extension October 2006
63 1. Introduction
65 This document has a normative part and an informative part. Sections
66 2-5 are normative. Section 6 is informative.
68 This specification defines a TLS extension and a payload for the
69 SupplementalData handshake message, defined in RFC 4680 [N6], to
70 accommodate mapping of users to their user accounts when using TLS
71 client authentication as the authentication method.
73 The new TLS extension (user_mapping) is sent in the client hello
74 message. Per convention defined in RFC 4366 [N4], the server places
75 the same extension (user_mapping) in the server hello message, to
76 inform the client that the server understands this extension. If the
77 server does not understand the extension, it will respond with a
78 server hello omitting this extension, and the client will proceed as
79 normal, ignoring the extension, and not include the
80 UserMappingDataList data in the TLS handshake.
82 If the new extension is understood, the client will inject
83 UserMappingDataList data in the SupplementalData handshake message
84 prior to the Client's Certificate message. The server will then
85 parse this message, extracting the client's domain, and store it in
86 the context for use when mapping the certificate to the user's
87 directory account.
89 No other modifications to the protocol are required. The messages
90 are detailed in the following sections.
92 1.1. Terminology
94 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
95 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
96 document are to be interpreted as described in RFC 2119 [N1].
98 The syntax for the TLS User Mapping extension is defined using the
99 TLS Presentation Language, which is specified in Section 4 of [N2].
101 1.2. Design Considerations
103 The reason the mapping data itself is not placed in the extension
104 portion of the client hello is to prevent broadcasting this
105 information to servers that don't understand the extension.
114 Santesson, et al. Standards Track [Page 2]
115 \f
116 RFC 4681 TLS User Mapping Extension October 2006
119 2. User Mapping Extension
121 A new extension type (user_mapping(6)) is added to the Extension used
122 in both the client hello and server hello messages. The extension
123 type is specified as follows.
125 enum {
126 user_mapping(6), (65535)
127 } ExtensionType;
129 The "extension_data" field of this extension SHALL contain
130 "UserMappingTypeList" with a list of supported hint types where:
132 struct {
133 UserMappingType user_mapping_types<1..2^8-1>;
134 } UserMappingTypeList;
136 Enumeration of hint types (user_mapping_types) defined in this
137 document is provided in Section 3.
139 The list of user_mapping_types included in a client hello SHALL
140 signal the hint types supported by the client. The list of
141 user_mapping_types included in the server hello SHALL signal the hint
142 types preferred by the server.
144 If none of the hint types listed by the client is supported by the
145 server, the server SHALL omit the user_mapping extension in the
146 server hello.
148 When the user_mapping extension is included in the server hello, the
149 list of hint types in "UserMappingTypeList" SHALL be either equal to,
150 or a subset of, the list provided by the client.
152 3. User Mapping Handshake Exchange
154 The underlying structure of the SupplementalData handshake message,
155 used to carry information defined in this section, is defined in RFC
156 4680 [N6].
158 A new SupplementalDataType [N6] is defined to accommodate
159 communication of generic user mapping data. See RFC 2246 (TLS 1.0)
160 [N2] and RFC 4346 (TLS 1.1) [N3] for other handshake types.
162 The information in this data type carries one or more unauthenticated
163 hints, UserMappingDataList, inserted by the client side. Upon
164 receipt and successful completion of the TLS handshake, the server
170 Santesson, et al. Standards Track [Page 3]
171 \f
172 RFC 4681 TLS User Mapping Extension October 2006
175 MAY use this hint to locate the user's account from which user
176 information and credentials MAY be retrieved to support
177 authentication based on the client certificate.
179 struct {
180 SupplementalDataType supp_data_type;
181 uint16 supp_data_length;
182 select(SupplementalDataType) {
183 case user_mapping_data: UserMappingDataList;
184 }
185 } SupplementalDataEntry;
187 enum {
188 user_mapping_data(0), (65535)
189 } SupplementalDataType;
191 The user_mapping_data(0) enumeration results in a new supplemental
192 data type UserMappingDataList with the following structure:
194 enum {
195 (255)
196 } UserMappingType;
198 struct {
199 UserMappingType user_mapping_version;
200 uint16 user_mapping_length;
201 select(UserMappingType) { }
202 } UserMappingData;
204 struct{
205 UserMappingData user_mapping_data_list<1..2^16-1>;
206 }UserMappingDataList;
208 user_mapping_length
209 This field is the length (in bytes) of the data selected by
210 UserMappingType.
212 The UserMappingData structure contains a single mapping of type
213 UserMappingType. This structure can be leveraged to define new types
214 of user mapping hints in the future. The UserMappingDataList MAY
215 carry multiple hints; it is defined as a vector of UserMappingData
216 structures.
218 No preference is given to the order in which hints are specified in
219 this vector. If the client sends more than one hint, then the Server
220 SHOULD use the applicable mapping supported by the server.
226 Santesson, et al. Standards Track [Page 4]
227 \f
228 RFC 4681 TLS User Mapping Extension October 2006
231 Implementations MAY support the UPN domain hint as specified in
232 Section 6 of this document. Implementations MAY also support other
233 user mapping types as they are defined. Definitions of standards-
234 track user mapping types must include a discussion of
235 internationalization considerations.
237 4. Message Flow
239 In order to negotiate sending user mapping data to a server in
240 accordance with this specification, clients MUST include an extension
241 of type "user_mapping" in the (extended) client hello, which SHALL
242 contain a list of supported hint types.
244 Servers that receive an extended client hello containing a
245 "user_mapping" extension MAY indicate that they are willing to accept
246 user mapping data by including an extension of type "user_mapping" in
247 the (extended) server hello, which SHALL contain a list of preferred
248 hint types.
250 After negotiation of the use of user mapping has been successfully
251 completed (by exchanging hello messages including "user_mapping"
252 extensions), clients MAY send a "SupplementalData" message containing
253 the "UserMappingDataList" before the "Certificate" message. The
254 message flow is illustrated in Figure 1 below.
282 Santesson, et al. Standards Track [Page 5]
283 \f
284 RFC 4681 TLS User Mapping Extension October 2006
287 Client Server
289 ClientHello
290 /* with user_mapping ext */ -------->
291 ServerHello
292 /* with user-mapping ext */
293 Certificate*
294 ServerKeyExchange*
295 CertificateRequest*
296 <-------- ServerHelloDone
298 SupplementalData
299 /* with UserMappingDataList */
300 Certificate*
301 ClientKeyExchange
302 CertificateVerify*
303 [ChangeCipherSpec]
304 Finished -------->
305 [ChangeCipherSpec]
306 <-------- Finished
307 Application Data <-------> Application Data
309 * Indicates optional or situation-dependent messages that are not
310 always sent according to RFC 2246 [N2] and RFC 4346 [N3].
312 Figure 1. Message Flow with User Mapping Data
314 The server MUST expect and gracefully handle the case where the
315 client chooses not to send any supplementalData handshake message
316 even after successful negotiation of extensions. The client MAY at
317 its own discretion decide that the user mapping hint it initially
318 intended to send no longer is relevant for this session. One such
319 reason could be that the server certificate fails to meet certain
320 requirements.
322 5. Security Considerations
324 The user mapping hint sent in the UserMappingDataList is
325 unauthenticated data that MUST NOT be treated as a trusted
326 identifier. Authentication of the user represented by that user
327 mapping hint MUST rely solely on validation of the client
328 certificate. One way to do this is to use the user mapping hint to
329 locate and extract a certificate of the claimed user from the trusted
330 directory and subsequently match this certificate against the
331 validated client certificate from the TLS handshake.
338 Santesson, et al. Standards Track [Page 6]
339 \f
340 RFC 4681 TLS User Mapping Extension October 2006
343 As the client is the initiator of this TLS extension, it needs to
344 determine when it is appropriate to send the User Mapping
345 Information. It may not be prudent to broadcast a user mapping hint
346 to just any server at any time.
348 To avoid superfluously sending user mapping hints, clients SHOULD
349 only send this information if it recognizes the server as a
350 legitimate recipient. Recognition of the server can be done in many
351 ways. One way to do this could be to recognize the name and address
352 of the server.
354 In some cases, the user mapping hint may itself be regarded as
355 sensitive. In such cases, the double handshake technique described
356 in [N6] can be used to provide protection for the user mapping hint
357 information.
359 6. UPN Domain Hint (Informative)
361 This specification provides an informative description of one user
362 mapping hint type for Domain Name hints and User Principal Name
363 hints. Other hint types may be defined in other documents in the
364 future.
366 The User Principal Name (UPN) in this hint type represents a name
367 that specifies a user's entry in a directory in the form
368 userName@domainName. Traditionally, Microsoft has relied on the
369 presence of such a name form to be present in the client certificate
370 when logging on to a domain account. However, this has several
371 drawbacks since it prevents the use of certificates with an absent
372 UPN and also requires re-issuance of certificates or issuance of
373 multiple certificates to reflect account changes or creation of new
374 accounts. The TLS extension, in combination with the defined hint
375 type, provides a significant improvement to this situation as it
376 allows a single certificate to be mapped to one or more accounts of
377 the user and does not require the certificate to contain a
378 proprietary UPN.
380 The domain_name field MAY be used when only domain information is
381 needed, e.g., where a user have accounts in multiple domains using
382 the same username name, where that user name is known from another
383 source (e.g., from the client certificate). When the user name is
384 also needed, the user_principal_name field MAY be used to indicate
385 both username and domain name. If both fields are present, then the
386 server can make use of whichever one it chooses.
388 enum {
389 upn_domain_hint(64), (255)
390 } UserMappingType;
394 Santesson, et al. Standards Track [Page 7]
395 \f
396 RFC 4681 TLS User Mapping Extension October 2006
399 struct {
400 opaque user_principal_name<0..2^16-1>;
401 opaque domain_name<0..2^16-1>;
402 } UpnDomainHint;
404 struct {
405 UserMappingType user_mapping_version;
406 uint16 user_mapping_length;
407 select(UserMappingType) {
408 case upn_domain_hint: UpnDomainHint;
409 }
410 } UserMappingData;
412 The user_principal_name field, when specified, SHALL be of the form
413 "user@domain", where "user" is a UTF-8 encoded Unicode string that
414 does not contain the "@" character, and "domain" is a domain name
415 meeting the requirements in the following paragraph.
417 The domain_name field, when specified, SHALL contain a domain name
418 [N5] in the usual text form; in other words, a sequence of one or
419 more domain labels separated by ".", each domain label starting and
420 ending with an alphanumeric character and possibly also containing
421 "-" characters. This field is an "IDN-unaware domain name slot" as
422 defined in RFC 3490 [N7], and therefore, domain names containing
423 non-ASCII characters have to be processed as described in RFC 3490
424 before being stored in this field.
426 The UpnDomainHint MUST at least contain a non-empty
427 user_principal_name or a non-empty domain_name. The UpnDomainHint
428 MAY contain both user_principal_name and domain_name.
430 7. IANA Considerations
432 IANA has taken the following actions:
434 1) Created an entry, user_mapping(6), in the existing registry for
435 ExtensionType (defined in RFC 4366 [N4]).
437 2) Created an entry, user_mapping_data(0), in the new registry for
438 SupplementalDataType (defined in RFC 4680).
440 3) Established a registry for TLS UserMappingType values. The first
441 entry in the registry is upn_domain_hint(64). TLS UserMappingType
442 values in the inclusive range 0-63 (decimal) are assigned via RFC
443 2434 [N8] Standards Action. Values from the inclusive range
444 64-223 (decimal) are assigned via RFC 2434 Specification Required.
445 Values from the inclusive range 224-255 (decimal) are reserved for
446 RFC 2434 Private Use.
450 Santesson, et al. Standards Track [Page 8]
451 \f
452 RFC 4681 TLS User Mapping Extension October 2006
455 8. Normative References
457 [N1] Bradner, S., "Key words for use in RFCs to Indicate
458 Requirement Levels", BCP 14, RFC 2119, March 1997.
460 [N2] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC
461 2246, January 1999.
463 [N3] Dierks, T. and E. Rescorla, "The Transport Layer Security
464 (TLS) Protocol Version 1.1", RFC 4346, April 2006.
466 [N4] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., and
467 T. Wright, "Transport Layer Security (TLS) Extensions", RFC
468 4366, April 2006.
470 [N5] Mockapetris, P., "Domain names - concepts and facilities", STD
471 13, RFC 1034, November 1987.
473 [N6] Santesson, S., "TLS Handshake Message for Supplemental Data",
474 RFC 4680, October 2006.
476 [N7] Faltstrom, P., Hoffman, P., and A. Costello,
477 "Internationalizing Domain Names in Applications (IDNA)", RFC
478 3490, March 2003.
480 [N8] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
481 Considerations Section in RFCs", BCP 26, RFC 2434, October
482 1998.
484 9. Acknowledgements
486 The authors extend a special thanks to Russ Housley, Eric Resocorla,
487 and Paul Leach for their substantial contributions.
506 Santesson, et al. Standards Track [Page 9]
507 \f
508 RFC 4681 TLS User Mapping Extension October 2006
511 Authors' Addresses
513 Stefan Santesson
514 Microsoft
515 Finlandsgatan 30
516 164 93 KISTA
517 Sweden
519 EMail: stefans@microsoft.com
522 Ari Medvinsky
523 Microsoft
524 One Microsoft Way
525 Redmond, WA 98052-6399
526 USA
528 EMail: arimed@microsoft.com
531 Joshua Ball
532 Microsoft
533 One Microsoft Way
534 Redmond, WA 98052-6399
535 USA
537 EMail: joshball@microsoft.com
562 Santesson, et al. Standards Track [Page 10]
563 \f
564 RFC 4681 TLS User Mapping Extension October 2006
567 Full Copyright Statement
569 Copyright (C) The Internet Society (2006).
571 This document is subject to the rights, licenses and restrictions
572 contained in BCP 78, and except as set forth therein, the authors
573 retain all their rights.
575 This document and the information contained herein are provided on an
576 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
577 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
578 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
579 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
580 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
581 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
583 Intellectual Property
585 The IETF takes no position regarding the validity or scope of any
586 Intellectual Property Rights or other rights that might be claimed to
587 pertain to the implementation or use of the technology described in
588 this document or the extent to which any license under such rights
589 might or might not be available; nor does it represent that it has
590 made any independent effort to identify any such rights. Information
591 on the procedures with respect to rights in RFC documents can be
592 found in BCP 78 and BCP 79.
594 Copies of IPR disclosures made to the IETF Secretariat and any
595 assurances of licenses to be made available, or the result of an
596 attempt made to obtain a general license or permission for the use of
597 such proprietary rights by implementers or users of this
598 specification can be obtained from the IETF on-line IPR repository at
599 http://www.ietf.org/ipr.
601 The IETF invites any interested party to bring to its attention any
602 copyrights, patents or patent applications, or other proprietary
603 rights that may cover technology that may be required to implement
604 this standard. Please address the information to the IETF at
605 ietf-ipr@ietf.org.
607 Acknowledgement
609 Funding for the RFC Editor function is provided by the IETF
610 Administrative Support Activity (IASA).
618 Santesson, et al. Standards Track [Page 11]
619 \f