| blob | 35818e6e7ea9da55a947d35324384d5de95dca5c |
4 Network Working Group Johansson
5 Internet-Draft Stockholm university
6 Intended status: Standards Track July 8, 2007
7 Expires: January 9, 2008
10 An information model for Kerberos version 5
11 draft-johansson-kerberos-model-03
13 Status of this Memo
15 By submitting this Internet-Draft, each author represents that any
16 applicable patent or other IPR claims of which he or she is aware
17 have been or will be disclosed, and any of which he or she becomes
18 aware will be disclosed, in accordance with Section 6 of BCP 79.
20 Internet-Drafts are working documents of the Internet Engineering
21 Task Force (IETF), its areas, and its working groups. Note that
22 other groups may also distribute working documents as Internet-
23 Drafts.
25 Internet-Drafts are draft documents valid for a maximum of six months
26 and may be updated, replaced, or obsoleted by other documents at any
27 time. It is inappropriate to use Internet-Drafts as reference
28 material or to cite them other than as "work in progress."
30 The list of current Internet-Drafts can be accessed at
31 http://www.ietf.org/ietf/1id-abstracts.txt.
33 The list of Internet-Draft Shadow Directories can be accessed at
34 http://www.ietf.org/shadow.html.
36 This Internet-Draft will expire on January 9, 2008.
38 Copyright Notice
40 Copyright (C) The IETF Trust (2007).
55 Johansson Expires January 9, 2008 [Page 1]
56 \f
57 Internet-Draft KDC Information Model July 2007
60 Abstract
62 This document describes an information model for Kerberos version 5
63 from the point of view of an administrative service. There is no
64 standard for administrating a kerberos 5 KDC. This document
65 describes the services exposed by an administrative interface to a
66 KDC.
69 Table of Contents
71 1. Requirements notation . . . . . . . . . . . . . . . . . . . . 3
72 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
73 3. How to interpret RFC2119 terms . . . . . . . . . . . . . . . . 5
74 4. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 6
75 5. Information model demarcation . . . . . . . . . . . . . . . . 7
76 6. Information model specification . . . . . . . . . . . . . . . 8
77 6.1. Principal . . . . . . . . . . . . . . . . . . . . . . . . 8
78 6.1.1. Principal: Attributes . . . . . . . . . . . . . . . . 8
79 6.1.2. Principal: Associations . . . . . . . . . . . . . . . 8
80 6.1.3. Principal: Remarks . . . . . . . . . . . . . . . . . . 9
81 6.2. KeySet . . . . . . . . . . . . . . . . . . . . . . . . . . 9
82 6.2.1. KeySet: Attributes . . . . . . . . . . . . . . . . . . 9
83 6.2.2. KeySet: Associations . . . . . . . . . . . . . . . . . 9
84 6.2.3. KeySet: Remarks . . . . . . . . . . . . . . . . . . . 9
85 6.3. Key . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
86 6.3.1. Key: Attributes . . . . . . . . . . . . . . . . . . . 10
87 6.3.2. Key: Associations . . . . . . . . . . . . . . . . . . 10
88 6.3.3. Key: Remarks . . . . . . . . . . . . . . . . . . . . . 11
89 6.4. Policy . . . . . . . . . . . . . . . . . . . . . . . . . . 11
90 6.4.1. Policy: Attributes . . . . . . . . . . . . . . . . . . 11
91 6.4.2. Password Quality Policy . . . . . . . . . . . . . . . 11
92 6.4.3. Password Management Policy . . . . . . . . . . . . . . 12
93 6.4.4. Keying Policy . . . . . . . . . . . . . . . . . . . . 12
94 7. Implementation Scenarios . . . . . . . . . . . . . . . . . . . 13
95 7.1. LDAP backend to KDC . . . . . . . . . . . . . . . . . . . 13
96 7.2. LDAP frontend to KDC . . . . . . . . . . . . . . . . . . . 13
97 7.3. SOAP . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
98 8. Security Considerations . . . . . . . . . . . . . . . . . . . 14
99 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15
100 10. Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
101 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 17
102 11.1. Normative References . . . . . . . . . . . . . . . . . . . 17
103 11.2. Informative References . . . . . . . . . . . . . . . . . . 17
104 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 18
105 Intellectual Property and Copyright Statements . . . . . . . . . . 19
111 Johansson Expires January 9, 2008 [Page 2]
112 \f
113 Internet-Draft KDC Information Model July 2007
116 1. Requirements notation
118 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
119 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
120 document are to be interpreted as described in [RFC2119].
167 Johansson Expires January 9, 2008 [Page 3]
168 \f
169 Internet-Draft KDC Information Model July 2007
172 2. Introduction
174 The Kerberos version 5 authentication service described in [RFC4120]
175 describes how a Key Distribution Service (KDC) provides
176 authentication to clients. The standard does not stipulate how a KDC
177 is managed and several "kadmin" servers have evolved. This document
178 describes the services required to administrate a KDC and the
179 underlying information model assumed by a kadmin-type service.
181 The information model is written in terms of "attributes" and
182 "services" or "interfaces" but the use of these particular words MUST
183 NOT be taken to imply any particular modeling paradigm so that
184 neither an object oriented model or an LDAP schema is intended. The
185 author has attempted to describe in natural language the intended
186 semantics and syntax of the components of the model. An LDAP schema
187 (for instance) based on this model will be more precise in the
188 expression of the syntax while preserving the semantics of this
189 model.
191 Implementations of this document MAY decide to change the names used
192 (eg principalName). If so an implementation MUST provide a name to
193 name mapping to this document.
223 Johansson Expires January 9, 2008 [Page 4]
224 \f
225 Internet-Draft KDC Information Model July 2007
228 3. How to interpret RFC2119 terms
230 This document describes an information model for kerberos 5 but does
231 not directly describe any mapping onto a particular schema- or
232 modelling language. Hence an implementation of this model consists
233 of a mapping to such a language - eg an LDAP or SQL schema. The
234 precise interpretation of terms from [RFC2119] therefore require some
235 extra explanation. The terms MUST, MUST NOT, REQUIRED, SHALL, SHALL
236 NOT mean that an implementation MUST provide a feature but does not
237 mean that this feature MUST be REQUIRED by the implementation - eg an
238 attribute is available in an LDAP schema but marked as OPTIONAL. If
239 a feature must be implemented and REQUIRED this is made explicit in
240 this model. The term MAY, OPTIONAL and RECOMMENDED means that an
241 implementation MAY need to REQUIRE the feature due to the particular
242 nature of the schema/modelling language. In some cases this is
243 expressly forbidden by this model (feature X MUST NOT be REQUIRED by
244 an implementation).
246 Note that any implementation of this model SHOULD be published as an
247 RFC.
279 Johansson Expires January 9, 2008 [Page 5]
280 \f
281 Internet-Draft KDC Information Model July 2007
284 4. Acknowledgments
286 Love Hoernquist-Aestrand <lha@it.su.se> for important contributions.
335 Johansson Expires January 9, 2008 [Page 6]
336 \f
337 Internet-Draft KDC Information Model July 2007
340 5. Information model demarcation
342 The information model specified in the next chapter describes
343 objects, properties of those objects and relations between those
344 objects. These elements comprise an abstract view of the data
345 represented in a KDC. It is important to understand that the
346 information model is not a schema. In particular the way objects are
347 compared for equality beyond that which is implied by the
348 specification of a syntax is not part of this specification. Nor is
349 ordering specified between elements of a particular syntax.
351 Further work on Kerberos will undoubtedly prompt updates to this
352 information model to reflect changes in the functions performed by
353 the KDC. Such extensions to the information model MUST always use a
354 normative reference to the relevant RFCs detailing the change in KDC
355 function.
391 Johansson Expires January 9, 2008 [Page 7]
392 \f
393 Internet-Draft KDC Information Model July 2007
396 6. Information model specification
398 6.1. Principal
400 The fundamental entity stored in a KDC is the principal. The
401 principal is associated to keys and generalizes the "user" concept.
402 The principal MUST be implemented in full and MUST NOT be optional in
403 an implementation
405 6.1.1. Principal: Attributes
407 6.1.1.1. principalName
409 The principalName MUST uniquely identify the principal within the
410 administrative context of the KDC. The type of the principalName is
411 not described in this document. It is a unique identifier and can be
412 viewed as an opaque which can be compared for equality.
414 6.1.1.2. principalNotUsedBefore
416 The principal may not be used before this date. The syntax of the
417 attribute MUST be semantically equivalent with the standard ISO date
418 format.
420 6.1.1.3. principalNotUsedAfter
422 The principal may not be used after this date. The syntax of the
423 attribute MUST be semantically equivalent with the standard ISO date
424 format.
426 6.1.1.4. principalIsDisabled
428 A boolean attribute used to temporarily disable a principal.
430 6.1.1.5. principalAliases
432 This multivalued attribute contains a set of aliases for the
433 principal.
435 6.1.2. Principal: Associations
437 Each principal MAY be associated with 1 or more KeySet and MAY be
438 associated with 1 or more Policies. The KeySet is represented as an
439 object in this model since it has attributes associated with it (the
440 key version number). In typical situations the principal is
441 associated with exactly 1 KeySet but implementations MUST NOT assume
442 this case, i.e an implemenation of this standard (e.g an LDAP schema)
443 MUST be able to handle the general case of multiple KeySet associated
447 Johansson Expires January 9, 2008 [Page 8]
448 \f
449 Internet-Draft KDC Information Model July 2007
452 with each principal.
454 6.1.3. Principal: Remarks
456 Traditionally a principal consists of a local-part and a realm
457 denoted in string form by local-part@REALM. The realm concept is
458 used to provide administrative boundaries and together with cross-
459 realm authentication provides scalability to Kerberos 5. However the
460 realm is not central to an administrative information model. For
461 instance the initialization or creation of a realm is equivalent to
462 creating a specific set of principals (krbtgt@REALM, etc) which is
463 covered by the model and services described in this document. A
464 realm is typically associated with policy covering (for instance)
465 keying and password management. The management of such policy and
466 their association to realms is beyond the scope of this document.
468 6.2. KeySet
470 A KeySet is a set of keys associated with exactly one principal.
471 This object and its associations MUST NOT be REQUIRED by an
472 implementation. It is expected that most implementations of this
473 standard will use the set/change password protocol for all aspects of
474 key management [I-D.ietf-krb-wg-kerberos-set-passwd]. This
475 information model only includes these objects for the sake of
476 completenes.
478 6.2.1. KeySet: Attributes
480 6.2.1.1. keySetVersionNumber
482 This is traditionally called the key version number (kvno).
484 6.2.2. KeySet: Associations
486 To each KeySet MUST be associated a set of 1 or more Keys.
488 6.2.3. KeySet: Remarks
490 The reason for separating the KeySet from the Principal is security.
491 The security of Kerberos 5 depends absolutely on the security of the
492 keys stored in the KDC. The KeySet type is provided to make this
493 clear and to make separation of keys from other parts of the model
494 clear.
496 Implementations of this standard (eg an LDAP schema) MUST preserve
497 this distinction.
503 Johansson Expires January 9, 2008 [Page 9]
504 \f
505 Internet-Draft KDC Information Model July 2007
508 6.3. Key
510 Implementations of this model MUST NOT REQUIRE keys to be
511 represented.
513 6.3.1. Key: Attributes
515 6.3.1.1. keyEncryptionType
517 The enctype. The precise representation depends on the
518 implementation.
520 6.3.1.2. keyValue
522 The binary representation of the key data.
524 6.3.1.3. keySaltValue
526 The binary representation of the key salt.
528 6.3.1.4. keyStringToKeyParameter
530 The syntax of this opaque object is defined by the encryption type
531 used.
533 6.3.1.5. keyNotUsedAfter
535 This key MUST NOT be used after this date. The syntax of the
536 attribute MUST be semantically equivalent with the standard ISO date
537 format.
539 6.3.1.6. keyNotUsedBefore
541 This key MUST NOT be used before this date. The syntax of the
542 attribute MUST be semantically equivalent with the standard ISO date
543 format.
545 6.3.1.7. keyIsDisabled
547 If this attribute is true the key MUST NOT be used. This is used to
548 temporarily disable a key.
550 6.3.2. Key: Associations
552 None
559 Johansson Expires January 9, 2008 [Page 10]
560 \f
561 Internet-Draft KDC Information Model July 2007
564 6.3.3. Key: Remarks
566 The security of the keys is an absolute requirement for the operation
567 of Kerberos 5. If keys are implemented adequate protection from
568 unauthorized modification and disclosure MUST be available and
569 REQUIRED by the implementation.
571 6.4. Policy
573 Implementations SHOULD implement policy but MAY allow them to be
574 OPTIONAL.
576 6.4.1. Policy: Attributes
578 6.4.1.1. policyIdentifier
580 The policyIdentifier MUST be unique within the local administrative
581 context and MUST be globally unique. Possible types of identifiers
582 include:
584 An Object Identifier (OID)
586 A URN
588 A UUID
590 6.4.1.2. policyIsMandatory
592 This attribute indicates that the KDC MUST be able to correctly
593 interpret and apply this policy for the key to be used.
595 6.4.1.3. policyContent
597 This is an optional opaque binary value used to store a
598 representation of the policy. In general a policy cannot be fully
599 expressed using attribute-value pairs. The policyContent is OPTIONAL
600 in the sense that an implementation MAY use it to store an opaque
601 value for those policy-types which are not directly representable in
602 that implementation.
604 6.4.2. Password Quality Policy
606 6.4.2.1. Password Quality Policy: Attributes
608 Password quality policy controls the requirements placed by the KDC
609 on new passwords. TODO: update with information from Nico
615 Johansson Expires January 9, 2008 [Page 11]
616 \f
617 Internet-Draft KDC Information Model July 2007
620 6.4.3. Password Management Policy
622 6.4.3.1. Password Management Policy: Attributes
624 Password management policy controls how passwords are changed. TODO:
625 update with information from Nico and Ludovic
627 6.4.4. Keying Policy
629 6.4.4.1. Keying Policy: Attributes
631 A keying policy specifies the association of enctypes with new
632 principals, i.e when a principal is created one of the possibly many
633 applicable keying policies determine the set of keys to associate
634 with the principal. In general the expression of a keying policy may
635 require a Turing-complete language.
671 Johansson Expires January 9, 2008 [Page 12]
672 \f
673 Internet-Draft KDC Information Model July 2007
676 7. Implementation Scenarios
678 There are several ways to implement an administrative service for
679 Kerberos 5 based on this information model. In this section we list
680 a few of them.
682 7.1. LDAP backend to KDC
684 Given an LDAP schema implementation of this information model it
685 would be possible to build an administrative service by backending
686 the KDC to a directory server where principals and keys are stored.
687 Using the security mechanisms available on the directory server keys
688 are protected from access by anyone apart from the KDC.
689 Administration of the principals, policy and other non-key data is
690 done through the directory server while the keys are modified using
691 the set/change password protocol
692 [I-D.ietf-krb-wg-kerberos-set-passwd].
694 7.2. LDAP frontend to KDC
696 An alternative way to provide a directory interface to the KDC is to
697 implement an LDAP-frontend to the KDC which exposes all non-key
698 objects as entries and attributes. As in the example above all keys
699 are modified using the set/change password protocol
700 [I-D.ietf-krb-wg-kerberos-set-passwd]. In this scenario the
701 implementation would typically not use a traditional LDAP
702 implementation but treat LDAP as an access-protocol to data in the
703 native KDC database.
705 7.3. SOAP
707 Given an XML schema implementation of this information model it would
708 be possible to build a SOAP-interface to the KDC. This demonstrates
709 the value of creating an abstract information model which is mappable
710 to multiple schema representations.
727 Johansson Expires January 9, 2008 [Page 13]
728 \f
729 Internet-Draft KDC Information Model July 2007
732 8. Security Considerations
734 This document describes an abstract information model for Kerberos 5.
735 The Kerberos 5 protocol depends on the security of the keys stored in
736 the KDC. The model described here assumes that keys MUST NOT be
737 transported in the clear over the network and furthermore that keys
738 are treated as write-only attributes that SHALL only be modified
739 (using the administrative interface) by the change-password protocol
740 [I-D.ietf-krb-wg-kerberos-set-passwd].
742 Exposing the object model of a KDC typically implies that objects can
743 be modified and/or deleted. In a KDC not all principals are created
744 equal, so that for instance deleting krbtgt/EXAMPLE.COM@EXAMPLE.COM
745 effectively disables the EXAMPLE.COM realm. Hence access control is
746 paramount to the security of any implementation. This document does
747 not (at the time of writing - leifj) mandate access control. This
748 only implies that access control is beyond the scope of the standard
749 information model, i.e that access control MAY NOT be accessible via
750 any protocol based on this model. If access control objects is
751 exposed via an extension to this model the presence of access control
752 may in itself provide points of attack by giving away information
753 about principals with elevated rights etc. etc.
783 Johansson Expires January 9, 2008 [Page 14]
784 \f
785 Internet-Draft KDC Information Model July 2007
788 9. IANA Considerations
790 None
839 Johansson Expires January 9, 2008 [Page 15]
840 \f
841 Internet-Draft KDC Information Model July 2007
844 10. Remarks
846 A few notes and TODOs:
848 Do we want to model access control? I have received a few notes
849 on that from Love. It will affect both the model and the security
850 considerations but It may be relevant. The catch is that most
851 implementations (SOAP, LDAP, etc) will have acl mechanisms
852 separate from the data which makes modeling acls difficult.
853 Perhaps there are certain aspects of access control which can be
854 modeled with relative ease - for instance the ability to make an
855 object immutable.
857 Explanatory text on a few of the basic attributes that doesn't
858 just repeat the section title.
860 Expand on the password policy types. Is the subdivision into
861 quality and management policies valid?
895 Johansson Expires January 9, 2008 [Page 16]
896 \f
897 Internet-Draft KDC Information Model July 2007
900 11. References
902 11.1. Normative References
904 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
905 Requirement Levels", BCP 14, RFC 2119, March 1997.
907 [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
908 Kerberos Network Authentication Service (V5)", RFC 4120,
909 July 2005.
911 11.2. Informative References
913 [I-D.ietf-krb-wg-kerberos-set-passwd]
914 Williams, N., "Kerberos Set/Change Key/Password Protocol
915 Version 2", draft-ietf-krb-wg-kerberos-set-passwd-06 (work
916 in progress), March 2007.
951 Johansson Expires January 9, 2008 [Page 17]
952 \f
953 Internet-Draft KDC Information Model July 2007
956 Author's Address
958 Leif Johansson
959 Stockholm university
960 Sektionen foer IT och Media
961 Stockholm SE-106 91
963 Email: leifj@it.su.se
964 URI: http://people.su.se/~leifj/
1007 Johansson Expires January 9, 2008 [Page 18]
1008 \f
1009 Internet-Draft KDC Information Model July 2007
1012 Full Copyright Statement
1014 Copyright (C) The IETF Trust (2007).
1016 This document is subject to the rights, licenses and restrictions
1017 contained in BCP 78, and except as set forth therein, the authors
1018 retain all their rights.
1020 This document and the information contained herein are provided on an
1021 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
1022 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
1023 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
1024 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
1025 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
1026 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
1029 Intellectual Property
1031 The IETF takes no position regarding the validity or scope of any
1032 Intellectual Property Rights or other rights that might be claimed to
1033 pertain to the implementation or use of the technology described in
1034 this document or the extent to which any license under such rights
1035 might or might not be available; nor does it represent that it has
1036 made any independent effort to identify any such rights. Information
1037 on the procedures with respect to rights in RFC documents can be
1038 found in BCP 78 and BCP 79.
1040 Copies of IPR disclosures made to the IETF Secretariat and any
1041 assurances of licenses to be made available, or the result of an
1042 attempt made to obtain a general license or permission for the use of
1043 such proprietary rights by implementers or users of this
1044 specification can be obtained from the IETF on-line IPR repository at
1045 http://www.ietf.org/ipr.
1047 The IETF invites any interested party to bring to its attention any
1048 copyrights, patents or patent applications, or other proprietary
1049 rights that may cover technology that may be required to implement
1050 this standard. Please address the information to the IETF at
1051 ietf-ipr@ietf.org.
1054 Acknowledgment
1056 Funding for the RFC Editor function is provided by the IETF
1057 Administrative Support Activity (IASA).
1063 Johansson Expires January 9, 2008 [Page 19]
1064 \f