| blob | 9141e339dfbf8f3555e896df29ab09f5535890b4 |
3 Network Working Group S. Hartman
4 Internet-Draft MIT
5 Expires: January 10, 2005 July 12, 2004
8 GSSAPI Mechanisms without a Single Canonical Name
9 draft-hartman-gss-naming-00.txt
11 Status of this Memo
13 By submitting this Internet-Draft, I certify that any applicable
14 patent or other IPR claims of which I am aware have been disclosed,
15 and any of which I become aware will be disclosed, in accordance with
16 RFC 3668.
18 Internet-Drafts are working documents of the Internet Engineering
19 Task Force (IETF), its areas, and its working groups. Note that other
20 groups may also distribute working documents as Internet-Drafts.
22 Internet-Drafts are draft documents valid for a maximum of six months
23 and may be updated, replaced, or obsoleted by other documents at any
24 time. It is inappropriate to use Internet-Drafts as reference
25 material or to cite them other than as "work in progress."
27 The list of current Internet-Drafts can be accessed at http://
28 www.ietf.org/ietf/1id-abstracts.txt.
30 The list of Internet-Draft Shadow Directories can be accessed at
31 http://www.ietf.org/shadow.html.
33 This Internet-Draft will expire on January 10, 2005.
35 Copyright Notice
37 Copyright (C) The Internet Society (2004). All Rights Reserved.
39 Abstract
41 The Generic Security Services API (GSSAPI) uses name-based
42 authorization. GSSAPI authenticates two named parties to each other.
43 Names can be stored on access control lists to make authorization
44 decisions. Advances in security mechanisms require this model to be
45 extended. Some mechanisms such as public-key mechanisms do not have
46 a single name to be used. Other mechanisms such as Kerberos allow
47 names to change as people move around organizations. This document
48 proposes expanding the definition of GSSAPI names to deal with these
49 situations.
55 Hartman Expires January 10, 2005 [Page 1]
56 \f
57 Internet-Draft GSS Name Attributes July 2004
60 1. Introduction
62 The Generic Security Services API [1] provides a function called
63 gss_export_name that will flatten a GSSAPI name into a binary blob
64 suitable for comparisons. This binary blob can be stored on ACLs
65 and then authorization decisions can be made simply by comparing the
66 name exported from a newly accepted context to the name on the ACL.
68 As a side effect of this name-based authorization model, each
69 mechanism name needs to be able to be represented in a single
70 canonical form and anyone importing that name needs to be able to
71 retrieve the canonical form.
73 Several security mechanisms have been proposed for which this naming
74 architecture is too restrictive. In some cases it is not always
75 possible to canonicalize any name that is imported. In other cases
76 there is no single canonical name. In addition, there is a desire to
77 have more complex authorization models in GSSAPI than the current
78 name based authorization model.
80 This draft discusses two different cases where the current GSSAPI
81 naming seems inadequate. Then, an extension to GSSAPI naming to meet
82 these concerns is sketched.
111 Hartman Expires January 10, 2005 [Page 2]
112 \f
113 Internet-Draft GSS Name Attributes July 2004
116 2. Kerberos Naming
118 The Kerberos Referals draft [2] proposes a new type of Kerberos name
119 called an enterprise name. The intent is that the enterprise name is
120 an alias that the user knows for themselves and can use to login.
121 The Kerberos KDC translates this name into a normal Kerberos
122 principal and gives the user tickets for this principal. This normal
123 principal is used for authorization. The intent is that the
124 enterprise name tracks the user as they move throughout the
125 organization, even if they move to parts of the organization that
126 have different naming policies. The name they type at login
127 remains constant, but the Kerberos principal used to authenticate
128 them to services changes.
130 Performing a mapping from enterprise name to principal name is not
131 generally possible for unauthenticated services. So in order to
132 canonicalize an enterprise name to get a principal, a service must
133 have credentials. However it may not be desirable to allow
134 services to map enterprise names to principal names in the general
135 case. Also, Kerberos does not (and does not plan to) provide a
136 mechanism for mapping enterprise names to principals besides
137 authentication as the enterprise name. So any such mapping would be
138 vendor-specific. With this feature in Kerberos, it is not possible
139 to implement gss_canonicalize_name for enterprise name types.
141 Another issue arises with enterprise names. IN some cases it would
142 be desirable to put the enterprise name on the ACL instead of a
143 principal name. Thus, it would be desirable to include the
144 enterprise name in the name exported by gss_export_name. However
145 then the exported name would change whenever the mapping changed,
146 defeating the purpose of including the enterprise name. So in some
147 cases it would be desirable to have the exported name be based on the
148 enterprise name and in others based on the principal name, but this
149 is not currently possible.
151 Another development also complicates GSSAPI naming for Kerberos.
152 Several vendors have been looking at mechanisms to include group
153 membership information in Kerberos authorization data. Then it is
154 desirable to put these group names on ACLs. Again, GSSAPI currently
155 has no mechanism to use this information.
167 Hartman Expires January 10, 2005 [Page 3]
168 \f
169 Internet-Draft GSS Name Attributes July 2004
172 3. X.509 Names
174 X.509 names are at least as complex as Kerberos names. It seems like
175 you might want to use the subject name as the name to be exported in
176 a GSSAPI mechanism. However RFC 3280 [3] does not even require the
177 subject name to be a non-empty sequence. Instead there are cases
178 where the subjectAltName extension is the only thing to identify the
179 subject of the certificate. As in the case of Kerberos group
180 memberships, there may be many subjectAltName extensions available in
181 a certificate. Different applications will care about different
182 extensions. Thus there is no single value that can be defined as
183 the exported GSSAPI name that will be generally useful.
223 Hartman Expires January 10, 2005 [Page 4]
224 \f
225 Internet-Draft GSS Name Attributes July 2004
228 4. Composite Names
230 I propose extending the concept of a GSSAPI name to include a
231 collection of attributes. Each attribute would be an octet-string
232 labeled by an OID. Examples of attributes would include Kerberos
233 enterprise names, group memberships in an authorization
234 infrastructure, Kerberos authorization data attributes and
235 subjectAltName attributes in a certificate. Several new operations
236 would be needed:
237 1. Add attribute to name
238 2. Query attributes of name
239 3. Query values of an attribute
240 4. Delete an attribute from a name
242 4.1 Usage of Name Attributes
244 Since attributes are part of GSSAPI names, the acceptor can retrieve
245 the attributes of the initiator's name from the context. These
246 attributes can then be used for authorization.
248 Most name attributes will probably not come from explicit operations
249 to add attributes to a name. Instead, name attributes will probably
250 come from mechanism specific credentials. Mechanism specific
251 naming and group membership can be mapped into name attributes by
252 the mechanism implementation. The specific form of this mapping
253 will general require protocol specification for each mechanism.
255 4.2 Open issues
257 This section describes parts of the proposal to add attributes to
258 names that will need to be explored before the proposal can become a
259 protocol specification.
261 Are mechanisms expected to be able to carry arbitrary name attributes
262 as part of a context establishment? At first it seems like this
263 would be desirable. However the point of GSSAPI is to establish an
264 authenticated context between two peers. In particular, a context
265 authenticates two named entities to each other. The names of these
266 entities and attributes associated with these names will be used for
267 authorization decisions. If an initiator or acceptor is allowed to
268 assert name attributes and the authenticity of these assertions is
269 not validated by the mechanisms, then security problems may result.
270 On the other hand, requiring that name attributes be mechanism
271 specific and only be carried by mechanisms that understand the name
272 attributes and can validate them compromises GSSAPI's place as a
273 generic API. Application authors would be forced to understand
274 mechanism-specific attributes to make authorization decisions. In
275 addition if mechanisms are not required to transport arbitrary
279 Hartman Expires January 10, 2005 [Page 5]
280 \f
281 Internet-Draft GSS Name Attributes July 2004
284 attributes, then application authors will need to deal with different
285 implementations of the same mechanism that support different sets of
286 name attributes.
288 Another related question is how will name attributes be mapped into
289 their mechanism-specific forms. For example it would be desirable to
290 map many Kerberos authorization data elements into name attributes.
291 For example in the case of the Microsoft PAC, it would be desirable
292 for some applications to get the entire PAC. However in many cases,
293 the specific lists of security IDs contained in the PAC would be more
294 directly useful to an application. So there may not be a good
295 one-to-one mapping between the mechanism-specific elements and the
296 representation desirable at the GSSAPI layer.
298 Specific name matching rules need to be developed. How do names with
299 attributes compare? What is the effect of a name attribute on a
300 target name in gss_accept_sec_context?
302 4.3 Name Attributes Instead of Credential Extensions
304 An alternative to this proposal is to extend GSSAPI credentials with
305 extensions labeled by OIDs. Interfaces would be needed to manipulate
306 these credential extensions and to retrieve the credential extensions
307 for credentials used to establish a context. Even if name attributes
308 are used, credential extensions may be useful for other unrelated
309 purposes.
311 It is possible to solve problems discussed in this document using
312 some credential extension mechanism. Doing so will have many of the
313 same open issues as discussed in this name attributes proposal. The
314 main advantage of a credential extensions proposal is that it avoids
315 specifying how name attributes interact with name comparison or
316 target names.
318 The primary advantage of the name attributes proposal over credential
319 extensions is that name attributes seem to fit better into the GSSAPI
320 authorization model. Names are already available at all points
321 when authorization decisions are made. In addition, for many
322 mechanisms the sort of information carried as name attributes will
323 also be carried as part of the name in the mechanism
335 Hartman Expires January 10, 2005 [Page 6]
336 \f
337 Internet-Draft GSS Name Attributes July 2004
340 5. Handling gss_export_name
342 For many mechanisms, there will be an obvious choice to use for the
343 name exported by gss_export_name. For example in the case of
344 Kerberos, the principal name can continue to be used as the exported
345 name. This will allow applications depending on existing GSSAPI
346 name-based authorization to continue to work. However it is probably
347 desirable to allow GSSAPI mechanisms for which gss_export_name cannot
348 meaningfully be defined. The behavior of gss_export_name in such
349 cases should probably be to return some error. Such mechanisms may
350 not work with existing applications and cannot conform to the current
351 version of the GSSAPI.
391 Hartman Expires January 10, 2005 [Page 7]
392 \f
393 Internet-Draft GSS Name Attributes July 2004
396 6. Security Considerations
398 GSSAPI sets up a security context between two named parties. The
399 GSSAPI names are security assertions that are authenticated by the
400 context establishment process. As such the GSS naming architecture
401 is critical to the security of GSSAPI.
403 Currently GSSAPI uses a simplistic naming model for authorization.
404 Names can be compared against a set of names on an access control
405 list. This architecture is relatively simple and its security
406 properties are well understood. However it does not provide the
407 flexibility and feature set for future deployments of GSSAPI.
409 This proposal will significantly increase the complexity of the GSS
410 naming architecture. As this proposal is fleshed out, we need to
411 consider ways of managing security exposures created by this
412 increased complexity.
447 Hartman Expires January 10, 2005 [Page 8]
448 \f
449 Internet-Draft GSS Name Attributes July 2004
452 7. Acknowledgements
454 John Brezak, Paul Leach and Nicolas Williams all participated in
455 discussions that defined the problem this proposal attempts to solve.
456 Nicolas Williams and I discussed details of proposals to solve this
457 problem. However the details and open issues presented here have
458 only been reviewed by me and so I am responsible for their errors.
460 8 Informative References
462 [1] Linn, J., "Generic Security Service Application Program
463 Interface Version 2, Update 1", RFC 2743, January 2000.
465 [2] Jaganathan , K., Zhu, L., Swift, M. and J. Brezak, "Generating
466 KDC Referrals to locate Kerberos realms",
467 draft-ietf-krb-wg-kerberos-referals-03.txt (work in progress),
468 2004.
470 [3] Housley, R., Polk, W., Ford, W. and D. Solo, "Internet X.509
471 Public Key Infrastructure Certificate and Certificate Revocation
472 List (CRL) Profile", rfc 3280, April 2002.
475 Author's Address
477 Sam Hartman
478 MIT
480 EMail: hartmans@mit.edu
503 Hartman Expires January 10, 2005 [Page 9]
504 \f
505 Internet-Draft GSS Name Attributes July 2004
508 Intellectual Property Statement
510 The IETF takes no position regarding the validity or scope of any
511 Intellectual Property Rights or other rights that might be claimed to
512 pertain to the implementation or use of the technology described in
513 this document or the extent to which any license under such rights
514 might or might not be available; nor does it represent that it has
515 made any independent effort to identify any such rights. Information
516 on the IETF's procedures with respect to rights in IETF Documents can
517 be found in BCP 78 and BCP 79.
519 Copies of IPR disclosures made to the IETF Secretariat and any
520 assurances of licenses to be made available, or the result of an
521 attempt made to obtain a general license or permission for the use of
522 such proprietary rights by implementers or users of this
523 specification can be obtained from the IETF on-line IPR repository at
524 http://www.ietf.org/ipr.
526 The IETF invites any interested party to bring to its attention any
527 copyrights, patents or patent applications, or other proprietary
528 rights that may cover technology that may be required to implement
529 this standard. Please address the information to the IETF at
530 ietf-ipr@ietf.org.
533 Disclaimer of Validity
535 This document and the information contained herein are provided on an
536 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
537 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
538 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
539 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
540 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
541 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
544 Copyright Statement
546 Copyright (C) The Internet Society (2004). This document is subject
547 to the rights, licenses and restrictions contained in BCP 78, and
548 except as set forth therein, the authors retain all their rights.
551 Acknowledgment
553 Funding for the RFC Editor function is currently provided by the
554 Internet Society.
559 Hartman Expires January 10, 2005 [Page 10]
560 \f