| blob | a4927feee702af6de819f64aa58988eb412cee33 |
2 NETWORK WORKING GROUP L. Zhu
3 Internet-Draft K. Jaganathan
4 Expires: February 8, 2005 Microsoft Corporation
5 N. Williams
6 Sun Microsystems
7 August 10, 2004
11 OCSP Support for PKINIT
12 draft-ietf-krb-wg-ocsp-for-pkinit-01
15 Status of this Memo
18 This document is an Internet-Draft and is subject to all provisions
19 of section 3 of RFC 3667. By submitting this Internet-Draft, each
20 author represents that any applicable patent or other IPR claims of
21 which he or she is aware have been or will be disclosed, and any of
22 which he or she become aware will be disclosed, in accordance with
23 RFC 3668.
26 Internet-Drafts are working documents of the Internet Engineering
27 Task Force (IETF), its areas, and its working groups. Note that
28 other groups may also distribute working documents as
29 Internet-Drafts.
32 Internet-Drafts are draft documents valid for a maximum of six months
33 and may be updated, replaced, or obsoleted by other documents at any
34 time. It is inappropriate to use Internet-Drafts as reference
35 material or to cite them other than as "work in progress."
38 The list of current Internet-Drafts can be accessed at
39 http://www.ietf.org/ietf/1id-abstracts.txt.
42 The list of Internet-Draft Shadow Directories can be accessed at
43 http://www.ietf.org/shadow.html.
46 This Internet-Draft will expire on February 8, 2005.
49 Copyright Notice
52 Copyright (C) The Internet Society (2004).
55 Abstract
58 This document defines a mechanism to enable in-band transmission of
59 OCSP responses. These responses are used to verify the validity of
60 the certificates used in PKINIT - the Kerberos Version 5 extension
61 that provides for the use of public key cryptography.
67 Zhu, et al. Expires February 8, 2005 [Page 1]
68 Internet-Draft OCSP Support for PKINIT August 2004
72 Table of Contents
75 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
76 2. Conventions Used in This Document . . . . . . . . . . . . . . 4
77 3. Message Definition . . . . . . . . . . . . . . . . . . . . . . 5
78 4. Security Considerations . . . . . . . . . . . . . . . . . . . 6
79 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
80 6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7
81 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 7
82 Intellectual Property and Copyright Statements . . . . . . . . 9
125 Zhu, et al. Expires February 8, 2005 [Page 2]
126 Internet-Draft OCSP Support for PKINIT August 2004
130 1. Introduction
133 Online Certificate Status Protocol (OCSP) [RFC2560] enables
134 applications to obtain timely information regarding the revocation
135 status of a certificate. Because OCSP responses are well-bounded and
136 small in size, constrained clients may wish to use OCSP to check the
137 validity of KDC certificates in order to avoid transmission of large
138 Certificate Revocation Lists (CRLs) and therefore save bandwidth on
139 constrained networks.
142 This document defines a pre-authentication type [CLARIFICATIONS],
143 where the client and the KDC MAY piggyback OCSP responses for
144 certificates used in authentication exchanges, as defined in
145 [PKINIT].
148 By using this OPTIONAL extension, PKINIT clients and the KDC can
149 maximize the reuse of cached OCSP responses.
185 Zhu, et al. Expires February 8, 2005 [Page 3]
186 Internet-Draft OCSP Support for PKINIT August 2004
190 2. Conventions Used in This Document
193 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
194 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
195 document are to be interpreted as described in [RFC2119].
243 Zhu, et al. Expires February 8, 2005 [Page 4]
244 Internet-Draft OCSP Support for PKINIT August 2004
248 3. Message Definition
251 A pre-authentication type identifier is defined for this mechanism:
254 PA-PK-OCSP-RESPONSE 16
257 The corresponding pre-authentication field contains OCSP data as
258 follows:
261 PA-PK-OCSP-DATA ::= SEQUENCE OF OcspResponse
264 OcspResponse ::= OCTET STRING
265 -- contains a complete OCSP response,
266 -- defined in [RFC2560]
269 The client MAY send OCSP responses for certificates used in
270 PA-PK-AS-REQ [PKINIT] via a PA-PK-OCSP-RESPONSE.
273 The KDC that receives a PA-PK-OCSP-RESPONSE the SHOULD send a
274 PA-PK-OCSP-RESPONSE in response. The client can request a
275 PA-PK-OCSP-RESPONSE by using an empty sequence in its request.
278 The KDC MAY send a PA-PK-OCSP-RESPONSE when it does not receive a
279 PA-PK-OCSP-RESPONSE from the client.
282 The PA-PK-OCSP-RESPONSE sent by the KDC contains OCSP responses for
283 certificates used in PA-PK-AS-REP [PKINIT].
286 Note the lack of integrity protection for the empty or missing OCSP
287 response; lack of an expected OCSP response from the KDC for the
288 KDC's certificates SHOULD be treated as an error by the client,
289 unless it is configured otherwise.
292 When using OCSP, the response is signed by the OCSP server, which is
293 trusted by the receiver. Depending on local policy, further
294 verification of the validity of the OCSP servers MAY need to be done.
297 The client and the KDC SHOULD ignore invalid OCSP responses received
298 via this mechanism, and they MAY implement CRL processing logic as a
299 fall-back position, if the OCSP responses received via this mechanism
300 alone are not sufficient for the verification of certificate
301 validity. The client and/or the KDC MAY ignore a valid OCSP response
302 and perform their own revocation status verification independently.
312 Zhu, et al. Expires February 8, 2005 [Page 5]
313 Internet-Draft OCSP Support for PKINIT August 2004
317 4. Security Considerations
320 The pre-authentication data in this document do not actually
321 authenticate any principals, and MUST be used in conjunction with
322 PKINIT.
325 There is a downgrade attack against clients which want OCSP responses
326 from the KDC for the KDC's certificates. The clients, however, can
327 treat the absence of valid OCSP responses as an error, based on their
328 local configuration.
371 Zhu, et al. Expires February 8, 2005 [Page 6]
372 Internet-Draft OCSP Support for PKINIT August 2004
376 5. IANA Considerations
379 This document defines a new pre-authentication type for use with
380 PKINIT to encode OCSP responses. The official value for this padata
381 identifier need to be acquired from IANA.
384 6 References
387 [CLARIFICATIONS]
388 Neuman, B., Yu, Y., Hartman, S. and K. Raeburn, "The
389 Kerberos Network Authentication Service (V5)",
390 draft-ietf-krb-wg-kerberos-clarifications, Work in
391 progress.
394 [PKINIT] Tung, B. and B. Neuman, "Public Key Cryptography for
395 Initial Authentication in Kerberos",
396 draft-ietf-cat-kerberos-pk-init, Work in progress.
399 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
400 Requirement Levels", BCP 14, RFC 2119, March 1997.
403 [RFC2560] Myers, M., Ankney, R., Malpani, A., Galperin, S. and C.
404 Adams, "X.509 Internet Public Key Infrastructure Online
405 Certificate Status Protocol - OCSP", RFC 2560, June 1999.
409 Authors' Addresses
412 Larry Zhu
413 Microsoft Corporation
414 One Microsoft Way
415 Redmond, WA 98052
416 US
419 EMail: lzhu@microsoft.com
423 Karthik Jaganathan
424 Microsoft Corporation
425 One Microsoft Way
426 Redmond, WA 98052
427 US
430 EMail: karthikj@microsoft.com
441 Zhu, et al. Expires February 8, 2005 [Page 7]
442 Internet-Draft OCSP Support for PKINIT August 2004
446 Nicolas Williams
447 Sun Microsystems
448 5300 Riata Trace Ct
449 Austin, TX 78727
450 US
453 EMail: Nicolas.Williams@sun.com
499 Zhu, et al. Expires February 8, 2005 [Page 8]
500 Internet-Draft OCSP Support for PKINIT August 2004
504 Intellectual Property Statement
507 The IETF takes no position regarding the validity or scope of any
508 Intellectual Property Rights or other rights that might be claimed to
509 pertain to the implementation or use of the technology described in
510 this document or the extent to which any license under such rights
511 might or might not be available; nor does it represent that it has
512 made any independent effort to identify any such rights. Information
513 on the procedures with respect to rights in RFC documents can be
514 found in BCP 78 and BCP 79.
517 Copies of IPR disclosures made to the IETF Secretariat and any
518 assurances of licenses to be made available, or the result of an
519 attempt made to obtain a general license or permission for the use of
520 such proprietary rights by implementers or users of this
521 specification can be obtained from the IETF on-line IPR repository at
522 http://www.ietf.org/ipr.
525 The IETF invites any interested party to bring to its attention any
526 copyrights, patents or patent applications, or other proprietary
527 rights that may cover technology that may be required to implement
528 this standard. Please address the information to the IETF at
529 ietf-ipr@ietf.org.
533 Disclaimer of Validity
536 This document and the information contained herein are provided on an
537 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
538 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
539 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
540 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
541 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
542 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
546 Copyright Statement
549 Copyright (C) The Internet Society (2004). This document is subject
550 to the rights, licenses and restrictions contained in BCP 78, and
551 except as set forth therein, the authors retain all their rights.
555 Acknowledgment
558 This document was based on conversations among the authors, Jeffrey
559 Altman, Sam Hartman, Martin Rex, and other members of the Kerberos
560 working group.
566 Zhu, et al. Expires February 8, 2005 [Page 9]