rfcdiff: draft-ietf-kitten-pkinit-freshness-04.txt vs. draft-ietf-kitten-pkinit-freshness-05.txt

Kitten Working Group                          M. Short, Ed.
Internet-Draft                                S. Moore
Intended status: Standards Track              P. Miller
Expires: September 22, 2016                   Microsoft Corporation
                                              March 21, 2016

Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)
Freshness Extension
[-04] draft-ietf-kitten-pkinit-freshness-04
[-05] draft-ietf-kitten-pkinit-freshness-05
Abstract

This document describes how to further extend the Public Key
Cryptography for Initial Authentication in Kerberos (PKINIT)
extension [RFC4556] to exchange an opaque data blob that a KDC can
validate to ensure that the client is currently in possession of the
private key during a PKINIT AS exchange.

Status of This Memo
skipping to change at page 4, line 48
opaque blob in the freshnessToken field when the client generates the
PKAuthenticator for the PA_PK_AS_REQ message. This ensures that the
freshness token value will be included in the signed data portion of
the KRB_AS_REQ value.

2.4. Receipt of KRB_AS_REQ Message

If the realm requires freshness and the PA_PK_AS_REQ message does not
contain the freshness token, the KDC MUST return a KRB_ERROR
[RFC4120] message with the error-code KDC_ERR_PREAUTH_FAILED
[-04] [RFC6113] with a padata element with padata-type PA_AS_FRESHNESS and
[-05] [RFC4120] with a padata element with padata-type PA_AS_FRESHNESS and
padata-value of the freshness token to the METHOD-DATA object.
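Review bot: the citation change on the KDC_ERR_PREAUTH_FAILED sentence is correct and worth keeping: KDC_ERR_PREAUTH_FAILED is one of the error codes defined by RFC 4120, whereas RFC 6113 is the document that introduces KDC_ERR_PREAUTH_EXPIRED, which the next paragraph still cites as [RFC6113], so the two citations are now consistent with each other. The phrase "padata-value of the freshness token to the METHOD-DATA object" remains awkward even after the change; consider "and padata-value set to the freshness token, carried in the METHOD-DATA object of the e-data field", which would match the wording already used for the KDC_ERR_PREAUTH_EXPIRED case.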
When the PA_PK_AS_REQ message contains a freshness token, after
validating the PA_PK_AS_REQ message normally, the KDC will validate
the freshnessToken value in the PKAuthenticator in an implementation-
specific way. If the freshness token is not valid, the KDC MUST
return a KRB_ERROR [RFC4120] message with the error-code
KDC_ERR_PREAUTH_EXPIRED [RFC6113]. The e-data field of the error
contains a METHOD-DATA object [RFC4120] which specifies a valid
PA_AS_FRESHNESS padata-value. Since the freshness tokens are
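Section 2.4 above describes the two KDC error paths for the freshness token. As an added example that is not part of the draft or of any Kerberos implementation, the following Python models that decision logic; the token format (timestamp plus HMAC over it), the 300-second lifetime and the KDC key are assumptions standing in for the draft's "implementation-specific" validation, the error-code numbers are taken from RFC 4120 and RFC 6113, and the PA_AS_FRESHNESS padata-type number is the one assigned in the published RFC 8070, none of which appear on this page.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

# Error codes defined by RFC 4120 and RFC 6113 (values not stated on this page).
KDC_ERR_PREAUTH_FAILED = 24
KDC_ERR_PREAUTH_EXPIRED = 90
# padata-type number for PA_AS_FRESHNESS as assigned in RFC 8070 (assumed here).
PA_AS_FRESHNESS = 150
TOKEN_LIFETIME = 300  # seconds; assumed KDC policy, not from the draft


@dataclass
class PkAsReq:
    """Minimal model of PA_PK_AS_REQ: only the PKAuthenticator's freshnessToken."""
    freshness_token: Optional[bytes]


class FreshnessKdc:
    """KDC side of the freshness check; token = 8-byte timestamp || HMAC-SHA256 (assumed format)."""

    def __init__(self, key: bytes, require_freshness: bool = True):
        self.key = key  # constructed KDC-local secret for the token MAC
        self.require_freshness = require_freshness

    def issue_token(self, now: int) -> bytes:
        ts = struct.pack(">Q", now)
        return ts + hmac.new(self.key, ts, hashlib.sha256).digest()

    def token_is_valid(self, token: bytes, now: int) -> bool:
        if len(token) != 8 + 32:
            return False
        ts, mac = token[:8], token[8:]
        expected = hmac.new(self.key, ts, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):  # constant-time compare
            return False
        issued = struct.unpack(">Q", ts)[0]
        return 0 <= now - issued <= TOKEN_LIFETIME

    def receive_as_req(self, req: PkAsReq, now: int):
        """Return None on success, else (error-code, METHOD-DATA) for the KRB_ERROR."""
        # Both error paths carry a fresh PA_AS_FRESHNESS padata so the client can retry.
        method_data = [(PA_AS_FRESHNESS, self.issue_token(now))]
        if req.freshness_token is None:
            if self.require_freshness:
                return KDC_ERR_PREAUTH_FAILED, method_data
            return None  # realm does not require freshness: normal processing
        if not self.token_is_valid(req.freshness_token, now):
            return KDC_ERR_PREAUTH_EXPIRED, method_data
        return None
```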
End of changes. 2 change blocks.
2 lines changed or deleted, 2 lines changed or added

This html diff was produced by rfcdiff 1.44. The latest version is available from http://tools.ietf.org/tools/rfcdiff/