rfcdiff: draft-ietf-krb-wg-anon-11.txt vs. draft-ietf-krb-wg-anon-12.txt
(text common to both versions is shown once; where the versions differ, the old text is prefixed "anon-11:" and the new text "anon-12:")
NETWORK WORKING GROUP                                L. Zhu
Internet-Draft                                       P. Leach
Updates: 4120, 4121 and 4556                         Microsoft Corporation
(if approved)                                        S. Hartman
Intended status: Standards Track                     Painless Security
anon-11: Expires: December 31, 2010                  June 29, 2010
anon-12: Expires: March 3, 2011                      August 30, 2010

Anonymity Support for Kerberos
anon-11: draft-ietf-krb-wg-anon-11
anon-12: draft-ietf-krb-wg-anon-12
Abstract

This document defines extensions to the Kerberos protocol to allow a Kerberos client to securely communicate with a Kerberos application service without revealing its identity, or without revealing more than its Kerberos realm. It also defines extensions which allow a Kerberos client to obtain anonymous credentials without revealing its identity to the Kerberos Key Distribution Center (KDC). This document updates RFC 4120, RFC 4121, and RFC 4556.
Status of this Memo

anon-11:
This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

This Internet-Draft will expire on December 31, 2010.

anon-12:
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on March 3, 2011.
Copyright Notice

Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the BSD License (anon-12: "as described in the Simplified BSD License").

This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English.
Table of Contents (page numbers: anon-11 / anon-12)

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 / 4
2. Conventions Used in This Document . . . . . . . . . . . . . . 3 / 4
3. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 3 / 4
4. Protocol Description . . . . . . . . . . . . . . . . . . . . . 5 / 6
4.1. Anonymity Support in AS Exchange . . . . . . . . . . . . . 5 / 6
4.1.1. Anonymous PKINIT . . . . . . . . . . . . . . . . . . . 6 / 7
4.2. Anonymity Support in TGS Exchange . . . . . . . . . . . . 7 / 8
4.3. Subsequent Exchanges and Protocol Actions Common to AS
     and TGS for Anonymity Support . . . . . . . . . . . . . . 9 / 10
5. Interoperability Requirements . . . . . . . . . . . . . . . . 10 / 11
6. GSS-API Implementation Notes . . . . . . . . . . . . . . . . . 10 / 11
7. PKINIT Client Contribution to the Ticket Session Key . . . . . 11 / 12
7.1. Combinging Two protocol Keys . . . . . . . . . . . . . . . 12 / 13
8. Security Considerations . . . . . . . . . . . . . . . . . . . 13 / 14
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 13 / 14
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 / 15
11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14 / 15
11.1. Normative References . . . . . . . . . . . . . . . . . . . 14 / 15
11.2. Informative References . . . . . . . . . . . . . . . . . . 15 / 16
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 15 / 16
1. Introduction

In certain situations, the Kerberos [RFC4120] client may wish to authenticate a server and/or protect communications without revealing the client's own identity. For example, consider an application which provides read access to a research database, and which permits queries by arbitrary requestors. A client of such a service might wish to authenticate the service, to establish trust in the information received from it, but might not wish to disclose the

[rfcdiff: skipping to change at page 15, line 35]
This document defines a new 'anonymous' Kerberos well-known name and a new 'anonymous' Kerberos well-known realm based on [KRBNAM]. IANA is requested to add these two values to the Kerberos naming registries that are created in [KRBNAM].

11. References

11.1. Normative References

anon-12 (added):
[ASAX34] American Standards Institute, "American Standard Code for Information Interchange", ASA X3.4-1963, June 1963.

[KRBNAM] Zhu, L., "Additional Kerberos Naming Constraints", draft-ietf-krb-wg-naming (work in progress), 2008.

[RFC1964] Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC 1964, June 1996.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2743] Linn, J., "Generic Security Service Application Program
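Review bot: the [ASAX34] entry is new in anon-12 and is placed under Normative References, but the body text that cites it lies outside the region this diff shows; confirm that the draft actually cites [ASAX34] somewhere, since an uncited normative reference will be flagged by idnits, and check whether a 1963 edition of ASA X3.4 is the intended citation for the character-set requirement or whether a current ANSI/ISO edition was meant.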
End of changes. 9 change blocks. 33 lines changed or deleted, 30 lines changed or added.

This html diff was produced by rfcdiff 1.38. The latest version is available from http://tools.ietf.org/tools/rfcdiff/