ASID Working Group                               Jeff Hodges, Stanford
INTERNET-DRAFT                               RL "Bob" Morgan, Stanford
                                        Mark Wahl, Critical Angle Inc.
                                                             May,
                                                            June, 1997

              Lightweight Directory Access Protocol (v3):
                 Extension for Transport Layer Security
                   draft-ietf-asid-ldapv3-tls-00.txt
                   draft-ietf-asid-ldapv3-tls-01.txt

1.  Status of this Memo

This document is an Internet-Draft.  Internet-Drafts are  working  docu-
ments  of the Internet Engineering Task Force (IETF), its areas, and its
working groups.  Note that other  groups  may  also  distribute  working
documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum  of  six  months
and  may  be  updated,  replaced, or obsoleted by other documents at any
time.  It is inappropriate to use Internet- Drafts as reference material
or to cite them other than as ``work in progress.''

To learn the current status of  any  Internet-Draft,  please  check  the
``1id-abstracts.txt''  listing  contained in the Internet- Drafts Shadow
Directories on ds.internic.net (US East Coast), nic.nordu.net  (Europe),
ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).

2.  Abstract

This document defines the "Start Transport Layer Security  (TLS)  Opera-
tion" for LDAP [LDAPv3, TLS]. This operation provides for TLS establish-
ment in an LDAP association and is defined in terms of an LDAP  extended
operation.
request.

The key words "MUST", "SHOULD", and "MAY" used in this document  are  to
be interpreted as described in [Bradner97].

3.  The Start TLS Operation

3.1.  Requesting TLS Establishment

A client may perform a Start TLS operation by transmitting an  LDAP  PDU
containing  an ExtendedRequest [LDAPv3] specifying the OID for the Start
TLS operation:

     [To Be Determined]

     1.3.6.1.4.1.1466.20037

An LDAP ExtendedRequest is defined as follows:

     ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
             requestName             [0] LDAPOID,
             requestValue            [1] OCTET STRING OPTIONAL }

A Start TLS extended request is formed by setting the requestName  field
to  the  OID string given above.  The requestValue field is absent.  The
client MUST NOT send any PDUs on this connection following this  request
until it receives a Start TLS extended response.

When a Start TLS extended request is made, the  server  MUST  return  an
LDAP  PDU  containing  a  Start  TLS  extended response.  An LDAP Exten-
dedResponse is defined as follows:

     ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
             responseName            [0] LDAPOID OPTIONAL,
             response                [1] OCTET STRING OPTIONAL,
             standardResponse        [2] LDAPResult }

A Start TLS extended response MUST contain a  responseName  field  which
MUST be set to the same string as that present in the Start TLS extended
request.  The  response  field  is  absent.  The  server  MUST  set  the
resultCode of the standardResponse field to either success or one of the
other values outlined in section 3.3.

3.2.  "Success" Response

If the standardResponse field contains a  resultCode  of  success,  this
indicates that the server is willing and able to negotiate TLS.  At this
point the client, which has ceased to transfer LDAP requests on the con-
nection,  MUST  either begin a TLS negotiation.  The negotiation, or close the connection.
In the former case, the client will send PDUs in the TLS Record Protocol
directly over the underlying TCP bytestream to the server.

After the TLS connection is established, both parties MUST  individually
decide  whether  or not to continue based on the privacy level achieved.
Ascertaining the TLS connection's privacy level is implementation depen-
dent,  and accomplished by communicating with one's respective local TLS
implementation.

If the client or server decides that  the  level  of  authentication  or
privacy  is  not high enough for it to continue, it SHOULD close the TLS
connection immediately after  the  TLS  negotiation  has  completed,  to
disconnect  the  TLS service and return to an LDAP connection as discussed in state (see section 5 [see Open Issues, below]. 5,
below). This will cause the client's  authorization identity to be reset
to  anonymous. The client MAY attempt to Start TLS again, or MAY send an
unbind request, or send any other LDAP request.

3.3.  Response other than "success"

If the standardResponse field contains a resultCode other than  success,
this indicates that the server is unwilling or unable to negotiate TLS.

If the Start TLS extended request was  not  successful,  the  resultCode
will be one of:

     - operationsError (operations sequencing incorrect; e.g. TLS already
                        established)
     - protocolError (TLS not supported or incorrect PDU structure)
     - referral (this server doesn't do TLS, try this one)
     - unavailable (e.g. some major problem with TLS, or server is
                    shutting down)

The server MUST return operationsError if the client violates any of the
Start  TLS  extended operation sequencing requirements described in sec-
tion 4, below.

If the server does not support TLS (whether by design or by current con-
figuration),  it  MUST  set the resultCode to protocolError (see section
4.1.1 of [LDAPv3]), or to referral. The server MUST  include  an  actual
referral  value  in the LDAP Result if it returns a resultCode of refer-
ral. The client's current session is unaffected if the the server  does  not
support  TLS.  The client MAY proceed with any LDAP operation, or it MAY
close the connection.

The server MUST return unavailable if it supports TLS but cannot  estab-
lish  a  TLS connection for some reason, e.g. the certificate server not
responding, it cannot contact its TLS implementation, or if  the  server
is in process of shutting down. The client MAY retry the StartTLS opera-
tion, or it MAY proceed with any other LDAP operation, or it  MAY  close
the connection.

4.  Sequencing of the Start TLS Operation

The client MAY send the Start TLS extended request  at  any  time once  the  after
establishing an LDAP association has been established, association, except during that in the following cases the
client MUST NOT send a SASL negotiation,
or Start TLS extended request:

     - if TLS is currently established on the connection, or
     - during a multi-stage SASL negotiation, or
     - if there are any LDAP operations outstanding on the connection.

The result of violating any of these requirements is described above  in
section 3.3.

The client may MAY have already completed the bind process perfomed a Bind operation when  it  sends  a
Start TLS request, or the client may might have not yet bound.

If the client did not establish a  TLS  connection  before  sending  any
other  requests,  and  the server requires the client to establish a TLS
connection before performing  a  particular  request,  the  server  MUST
reject that request with a confidentialityRequired or strongAuthRequired
result. The client MAY send a Start TLS  extended  request,  or  it  MAY
choose to close the connection.

5.  Closing a TLS Connection

Closing a

5.1.  Graceful Closure

Either the client or server MAY terminate the TLS connection requires  termination  of on an  LDAP
association  by  sending  a  TLS closure alert. This will leave the  overlying LDAP
association  [see Open Issues, below]. The intact.

Before closing a TLS protocol interactions connection, the client MUST  either  wait  for
TLS closure are described in [TLS]. The  any
outstanding  LDAP  operations specified  below

are described in  to  complete,  or explicitly abandon them
[LDAPv3].

5.1.  Client-initiated Closure

A client MAY initiate TLS, and thus  LDAP,  connection

After the initiator of a close has sent a closure  at alert, it MUST discard
any
time. It MAY initiate the termination by first performing  TLS  messages  until it has received an LDAP Unbind
Operation. alert from the other party.
It MUST then initiate will cease to send  TLS  Record  Protocol  PDUs,  and  underlying  transport  closure
according  to  following  the procedures required by
reciept of the particular TLS implementa-
tion being utilized.

5.2.  Server-initiated Closure

A server alert, MAY initiate TLS, and thus  LDAP,  connection  closure  at  any
time.  It  SHOULD  first send  an and receive LDAP Notice of Disconnection with the
appropriate resultCode value to the client.  It PDUs.

The other party, if  it  receives  a  closure  alert,  MUST  then  immediately
initiate
transmit  a  TLS  and  underlying  transport  closure according  alert.  It will subequently cease to send TLS
Record Protocol PDUs, and MAY send and receive LDAP PDUs.

5.2.  Abrupt Closure

Either the pro-
cedures required by client or server MAY abruptly close the particular entire LDAP  associa-
tion and any TLS implementation being utilized. connection established on it by dropping the underlying
TCP connection. A server MAY beforehand send  the  client  a  Notice  of
Disconnection [LDAPv3] in this case.

6.  Effects of TLS Establishment on an LDAP Connection

The the Client's Authorization Identity

Upon establishment of the TLS into connection onto the LDAP protocol stack  causes  any  out-
standing  requests  from association,  the client to be implicitly abandoned. However,
it does not affect
server  MAY  base  the authentication credentials of  client's  authorization identity on the client nor  its
associated client's
negotiated  TLS  credentials,  overriding  any  previously   established
credentials  and authorization identity.   If  the  client  had bound to the
server Otherwise, any previously on this association, that esta-
blished credentials and authorization identity  MUST  remain  in force.  If  force,
including anonymous cedentials and identity in the case where the client
had not bound, then the connection MUST
remain in an anonymous authentication and authorization state.

The previously bound.

A client MAY explicitly request that its authenticated  TLS  credentials
be  used  as  the  source  for  its LDAP authorization identity, or it MAY request use of
other credentials.

Requesting that the server use the negotiated TLS credentials  for  LDAP
authorization identity. This is
accomplished after TLS establishment by invoking a Bind request  of  the
SASL  form  with  a  negotiated mechanism name of "EXTERNAL" [SASL]. The  creden-
tials
credentials field MAY contain the client's  distinguished  name  (as  an
LDAP
string).  string),  or  it MAY be empty.  If it does contain a distinguished
name, this name MUST match
that the authorization identity negotiated by  TLS
as  the  client's  identity.  The client MAY leave It is a matter of local policy what consti-
tutes a match. In the credentials field empty. absence of local policy, the default matching pol-
icy  compares  for  equality.  The termination server MUST reject the Bind operation
with an invalidCredentials resultCode in the Bind response  if  they  do
not match.

Closure of the TLS connection MUST cause the connection LDAP association to move to
an  anonymous  authentication  and authorization state irregardless regardless of the
state esta-
blished established over TLS and irregardless  regardless  of  the  authentication  and  authoriza-
tion
authorization state prior to TLS connection establishment.

7.  Security Considerations

The goals of using the TLS protocol with LDAP are to  ensure  connection
confidentiality and integrity, and to optionally provide for authentica-
tion. TLS expressly provides these capabilities, as described in [TLS].

All security gained via use of the Start TLS operation is gained by  the
use of TLS itself. The Start TLS operation, on its own, does not provide
any additional security.

The use of TLS does not provide or  ensure  for  confidentiality  and/or
non-repudiation  of  the  data housed by an LDAP-based directory server.
Once established, TLS only provides for and ensures confidentiality  and
integrity  of  the operations and data in transit over the LDAP associa-
tion.

The level of security provided though
tion, and only if the implementations on the client and  server  support
and negotiate it.

The level of security provided though the use of TLS depends directly on
both  the  quality of the TLS implementation used and the style of usage
of that implementation. Both parties SHOULD independently ascertain  and
consent to the privacy level achieved once TLS is established and before
begining use of the TLS connection. For example, the  privacy  level  of
the TLS connection might have been negotiated down to plaintext.

Client and server implementors SHOULD take  measures  to  ensure  proper
protection  of  credentials and other confidential data where such meas-
ures are not otherwise provided by the TLS implementation.

Server implementors SHOULD allow  for  server  administrators  to  elect
whether and when connection confidentiality is required required.

8.  Acknowledgements

The authors thank Tim Howes and Paul Hoffman for what
portions of the DIT (served by the server) it applies to.

8. their contributions  to
this document.

9.  References

[Bradner97]
     Scott Bradner, "Key Words for use in RFCs to  Indicate  Requirement
     Levels", Internet Draft, RFC 2119.

[LDAPv3]
     M. Wahl, S. Kille and T. Howes, "Lightweight Directory Access  Pro-
     tocol  (v3)",  Internet  Draft, February, 1997. Available as draft-
     ietf-asid-ldapv3-protocol-04.txt.

[TLS]Tim Dierks, C. Allen, "The  TLS  Protocol  Version  1.0",  Internet
     Draft, March 1997. Available as draft-ietf-tls-protocol-03.txt

[SASL]J. Myers,  "Simple  Authentication  and  Security  Layer  (SASL)",
     Internet  Draft,  April  1997.  Available as draft-myers-auth-sasl-
     10.txt

9.  Open Issues

9.1.  TLS Closure

[TLS] discusses TLS closure in section 7.2.1. This section implies  that
closing  a  TLS  connection assumes closure of the underlying transport.
Thus, closing TLS, but retaining both the  overlying  application  layer
(LDAP, in this case) and the underlying transport is not explicitly sup-
ported.

Modifications to [TLS] are required if there are requirements  for  con-
tinuing an LDAP association across a TLS connection closure.

Below is suggested alternative text for the "Closing a  TLS  Connection"
section of this document that COULD be used if [TLS] is so modified:

     Either the client or server MAY terminate the TLS  service  on  the
     connection  by  sending  a  TLS  closure alert. TLS closure has the
     effect of abandoning any outstanding LDAP protocol requests.

     After the initiator of a close has sent a closure  alert,  it  MUST
     discard  any  TLS  messages until it has received an alert from the
     other party.  It will cease to send TLS Record Protocol  PDUs,  and
     following the reciept of the alert, MAY send and receive LDAP PDUs.

     The other party, if it receives a closure alert,  MUST  immediately
     transmit  a  TLS  closure alert.  It will subequently cease to send
     TLS Record Protocol PDUs, and MAY send and receive LDAP PDUs.

Additionally, below is suggested alternative text for the last paragraph

of the "Success Response" section:

     If the client or server decides that the level of authentication or
     privacy is not high enough for it to continue, it SHOULD send a TLS
     closure alert immediately after the TLS negotiation has  completed,
     to  disconnect  the TLS service and return to an LDAP state.  (This
     will cause the authorization to be reset to anonymous.)  The client
     MAY  attempt  to Start TLS again, or MAY send an unbind request, or
     send any other LDAP request.

10.  Author's Address

   Jeff Hodges
   Computing & Communication Services
   Stanford University
   115 Pine Hall
   Stanford, CA 94305-4122
   USA

   Phone: +1-415-723-2452
   EMail: Jeff.Hodges@Stanford.edu

   RL "Bob" Morgan
   Computing & Communication Services
   Stanford University
   115 Pine Hall
   Stanford, CA 94305-4122
   USA

   Phone: +1-415-723-9711
   EMail: Bob.Morgan@Stanford.edu

   Mark Wahl
   Critical Angle Inc.
   4815 W. Braker Lane #502-385
   Austin, TX 78759
   USA

   EMail:  M.Wahl@critical-angle.com