rfcdiff: draft-ietf-krb-wg-anon-09.txt vs. draft-ietf-krb-wg-anon-10.txt

[draft-09]
NETWORK WORKING GROUP                                   L. Zhu
Internet-Draft                                          P. Leach
Updates: 4120 (if approved)                             Microsoft Corporation
Intended status: Standards Track                        September 10, 2008
Expires: March 14, 2009

[draft-10]
NETWORK WORKING GROUP                                   L. Zhu
Internet-Draft                                          P. Leach
Updates: 4120, 4121 and 4556 (if approved)              Microsoft Corporation
Intended status: Standards Track                        October 8, 2008
Expires: April 11, 2009

                    Anonymity Support for Kerberos
     draft-ietf-krb-wg-anon-09          /          draft-ietf-krb-wg-anon-10
Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that

   [skipping to change at page 1, line 35 (draft-09) / page 1, line 36 (draft-10)]

   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   [draft-09] This Internet-Draft will expire on March 14, 2009.
   [draft-10] This Internet-Draft will expire on April 11, 2009.
Abstract

   [draft-09]
   This document defines extensions to the Kerberos protocol for the
   Kerberos client to authenticate the Kerberos Key Distribution Center
   (KDC) and the Kerberos server, without revealing the client's
   identity or the client's realm to the server or to the KDC.  It
   updates RFC 4120.  These extensions can be used to secure
   communication between the anonymous client and the server.

   [draft-10]
   This document defines extensions to the Kerberos protocol to allow a
   Kerberos client to securely communicate with a Kerberos application
   service without revealing its identity, or without revealing more
   than its Kerberos realm.  It also defines extensions which allow a
   Kerberos client to obtain anonymous credentials without revealing its
   identity to the Kerberos Key Distribution Center (KDC).  This
   document updates RFC 4120, RFC 4121, and RFC 4556.
Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Conventions Used in This Document  . . . . . . . . . . . . .  3
   3.  Definitions  . . . . . . . . . . . . . . . . . . . . . . . .  3
   4.  Protocol Description . . . . . . . . . . . . . . . . . . . .  5
     4.1.  Anonymity Support in AS Exchange . . . . . . . . . . . .  5
       4.1.1.  Anonymous PKINIT . . . . . . . . . . . . . . . . . .  6
     4.2.  Anonymity Support in TGS Exchange  . . . . . . . . . . .  7

   [skipping to change at page 13, line 37 (both drafts)]
   [draft-09]
   of the association of identities to an anonymous ticket, then someone
   obtaining such records could breach the anonymity.  Additionally, the
   implementations of most (for now all) KDC's respond to requests at
   the time that they are received.  Traffic analysis on the connection
   to the KDC will allow an attacker to match client identities to
   anonymous tickets issued.  Because there are plaintext parts of the
   tickets that are exposed on the wire, such matching by a third party
   observer is relatively straightforward.  A service that is
   authenticated by the anonymous principals may be able to infer the
   identity of the client by examining and linking quasi-static protocol
   information such as the IP address from which a request is received.

   [draft-10]
   of the association of identities to an anonymous ticket, then someone
   obtaining such records could breach the anonymity.  Additionally, the
   implementations of most (for now all) KDC's respond to requests at
   the time that they are received.  Traffic analysis on the connection
   to the KDC will allow an attacker to match client identities to
   anonymous tickets issued.  Because there are plaintext parts of the
   tickets that are exposed on the wire, such matching by a third party
   observer is relatively straightforward.  A service that is
   authenticated by the anonymous principals may be able to infer the
   identity of the client by examining and linking quasi-static protocol
   information such as the IP address from which a request is received,
   or by linking multiple uses of the same anonymous ticket.
   The client's real identity is not revealed when the client is
   authenticated as the anonymous principal.  Application servers MAY
   reject the authentication in order to, for example, prevent
   information disclosure or as part of Denial of Service (DOS)
   prevention.  Application servers MUST avoid accepting anonymous
   credentials in situations where they must record the client's
   identity; for example, when there must be an audit trail.
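As an added example that is not part of either draft: a server-side acceptance check in Python that applies the rule above, refusing anonymous credentials for operations that need an audit trail and distinguishing a fully anonymous client from one that disclosed only its realm. It assumes the authenticated client is available as a (name, realm) pair and uses the anonymous principal name WELLKNOWN/ANONYMOUS and realm WELLKNOWN:ANONYMOUS as later published in RFC 8062; the operation names are constructed for the example.

```python
# Added example, not code from the Kerberos anonymity drafts.
# Assumption: the anonymous principal is WELLKNOWN/ANONYMOUS and the
# anonymous realm is WELLKNOWN:ANONYMOUS (RFC 8062); a client that kept
# its real realm but hid its name is "anonymous within a realm".
from dataclasses import dataclass
from enum import Enum

ANON_NAME = "WELLKNOWN/ANONYMOUS"
ANON_REALM = "WELLKNOWN:ANONYMOUS"


class Kind(Enum):
    IDENTIFIED = "identified"
    REALM_ONLY = "anonymous-within-realm"  # name hidden, real realm disclosed
    FULLY_ANON = "fully-anonymous"         # neither name nor realm disclosed


@dataclass(frozen=True)
class Principal:
    name: str   # client principal name as presented by the ticket
    realm: str  # client realm as presented by the ticket


def classify(p: Principal) -> Kind:
    """Classify the authenticated client by how much it disclosed."""
    if p.name != ANON_NAME:
        return Kind.IDENTIFIED
    return Kind.FULLY_ANON if p.realm == ANON_REALM else Kind.REALM_ONLY


def accept(p: Principal, operation: str,
           audited_ops: frozenset) -> tuple[bool, str]:
    """Decide whether `p` may perform `operation`.

    Operations listed in `audited_ops` require an audit trail naming
    the client, so anonymous credentials of either kind are refused
    for them; elsewhere the anonymous client is accepted and the log
    line records only the classification, never a real identity.
    """
    kind = classify(p)
    if kind is Kind.IDENTIFIED:
        return True, f"accepted {p.name}@{p.realm} for {operation}"
    if operation in audited_ops:
        return False, (f"refused {kind.value} credentials: "
                       f"{operation} requires an audit trail")
    return True, f"accepted {kind.value} credentials for {operation}"
```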
9.  Acknowledgements
End of changes.  5 change blocks.  12 lines changed or deleted, 15 lines changed or added.

This html diff was produced by rfcdiff 1.35.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/