Diff of draft-ietf-krb-wg-ocsp-for-pkinit-01.txt against draft-ietf-krb-wg-ocsp-for-pkinit-02.txt
(text common to both versions is shown once; text present in only one version is marked [-01] or [-02])

NETWORK WORKING GROUP                                            L. Zhu
Internet-Draft                                            K. Jaganathan
                                                  Microsoft Corporation
                                                            N. Williams
                                                       Sun Microsystems
Expires:   [-01] February 8, 2005          [-02] May 21, 2005
Dated:     [-01] August 10, 2004           [-02] November 20, 2004

                         OCSP Support for PKINIT
        [-01] draft-ietf-krb-wg-ocsp-for-pkinit-01
        [-02] draft-ietf-krb-wg-ocsp-for-pkinit-02
Status of this Memo

   This document is an Internet-Draft and is subject to all provisions
   of section 3 of RFC 3667.  By submitting this Internet-Draft, each
   author represents that any applicable patent or other IPR claims of
   which he or she is aware have been or will be disclosed, and any of
   which he or she become aware will be disclosed, in accordance with
   RFC 3668.
   [unchanged text omitted; next change at page 1, line 38 (-01) / page 1, line 37 (-02)]
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   [-01] This Internet-Draft will expire on February 8, 2005.
   [-02] This Internet-Draft will expire on May 21, 2005.
Copyright Notice

   Copyright (C) The Internet Society (2004).

Abstract

   This document defines a mechanism to enable in-band transmission of
   OCSP responses.  These responses are used to verify the validity of
   the certificates used in PKINIT - the Kerberos Version 5 extension
   that provides for the use of public key cryptography.

Table of Contents

   [-01]
   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Conventions Used in This Document  . . . . . . . . . . . . . .  4
   3.  Message Definition . . . . . . . . . . . . . . . . . . . . . .  5
   4.  Security Considerations  . . . . . . . . . . . . . . . . . . .  6
   5.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  7
   6.  References . . . . . . . . . . . . . . . . . . . . . . . . . .  7
       Authors' Addresses . . . . . . . . . . . . . . . . . . . . . .  7
       Intellectual Property and Copyright Statements . . . . . . . .  9

   [-02]
   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Conventions Used in This Document  . . . . . . . . . . . . . .  4
   3.  Message Definition . . . . . . . . . . . . . . . . . . . . . .  5
   4.  Security Considerations  . . . . . . . . . . . . . . . . . . .  6
   5.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  7
   6.  Acknowledgement  . . . . . . . . . . . . . . . . . . . . . . .  8
   7.  References . . . . . . . . . . . . . . . . . . . . . . . . . .  8
       Authors' Addresses . . . . . . . . . . . . . . . . . . . . . .  8
       Intellectual Property and Copyright Statements . . . . . . . . 10
1.  Introduction

   Online Certificate Status Protocol (OCSP) [RFC2560] enables
   applications to obtain timely information regarding the revocation
   status of a certificate.  Because OCSP responses are well-bounded and
   small in size, constrained clients may wish to use OCSP to check the
   validity of KDC certificates in order to avoid transmission of large
   Certificate Revocation Lists (CRLs) and therefore save bandwidth on
   constrained networks.  [-02 adds the citation [OCSP-PROFILE] at the
   end of this sentence.]

   This document defines a pre-authentication type [CLARIFICATIONS],
   where the client and the KDC MAY piggyback OCSP responses for
   certificates used in authentication exchanges, as defined in
   [PKINIT].

   By using this OPTIONAL extension, PKINIT clients and the KDC can
   maximize the reuse of cached OCSP responses.

2.  Conventions Used in This Document
   [unchanged text omitted; next change at page 7, line 11 (-01) / page 8, line 5 (-02)]
   from the KDC for the KDC's certificates.  The clients, however, can
   treat the absence of valid OCSP responses as an error, based on their
   local configuration.
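   The following is an added example, not code from the draft or from any
   Kerberos implementation: a Python model of the client-side decision the
   Introduction and the Security Considerations describe, namely reusing
   cached OCSP responses across exchanges and treating a missing valid
   response for a KDC certificate as an error only when local
   configuration says so.  The record layout, the cache, the serial-based
   matching and all function names are assumptions of this example; the
   draft's actual pre-authentication encoding is not shown on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class OcspResponse:          # constructed simplification, not the draft's ASN.1
    cert_serial: int         # certificate the response covers
    status: str              # "good" | "revoked" | "unknown"
    this_update: datetime
    next_update: datetime

    def fresh_at(self, now):
        return self.this_update <= now < self.next_update

class OcspCache:             # keeps responses so later exchanges can reuse them
    def __init__(self):
        self.by_serial = {}

    def store(self, resp, now):
        if resp.fresh_at(now):           # drop stale or not-yet-valid responses
            self.by_serial[resp.cert_serial] = resp

    def lookup(self, serial, now):
        resp = self.by_serial.get(serial)
        return resp if resp is not None and resp.fresh_at(now) else None

def check_kdc_chain(chain_serials, piggybacked, cache, now, require_ocsp):
    """Return (accepted, reason) for the KDC's certificate chain.
    require_ocsp models the local configuration the draft refers to."""
    for resp in piggybacked:
        cache.store(resp, now)
    for serial in chain_serials:
        resp = cache.lookup(serial, now)
        if resp is None:
            if require_ocsp:
                return False, f"no valid OCSP response for serial {serial}"
            continue                     # absence tolerated by local policy
        if resp.status != "good":
            return False, f"serial {serial} status {resp.status}"
    return True, "ok"

def demo():  # constructed scenario: chain of serials 1 and 2, one response expired
    now = datetime(2004, 11, 20, tzinfo=timezone.utc)
    fresh = OcspResponse(1, "good", now - timedelta(hours=1), now + timedelta(days=1))
    stale = OcspResponse(2, "good", now - timedelta(days=3), now - timedelta(days=1))
    strict, lenient = OcspCache(), OcspCache()
    r_strict = check_kdc_chain([1, 2], [fresh, stale], strict, now, True)
    r_lenient = check_kdc_chain([1, 2], [fresh, stale], lenient, now, False)
    # A later exchange carries no responses; the cached one for serial 1 is reused.
    r_cached = check_kdc_chain([1], [], strict, now + timedelta(hours=2), True)
    return r_strict, r_lenient, r_cached
```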
5.  IANA Considerations

   This document defines a new pre-authentication type for use with
   PKINIT to encode OCSP responses.  The official value for this padata
   identifier needs to be acquired from IANA.

   [-02 only]
6.  Acknowledgements

   This document was based on conversations among the authors, Jeffrey
   Altman, Sam Hartman, Martin Rex and other members of the Kerberos
   working group.

   [-01] 6.  References
   [-02] 7.  References
   [CLARIFICATIONS]
              Neuman, B., Yu, Y., Hartman, S. and K. Raeburn, "The
              Kerberos Network Authentication Service (V5)",
              draft-ietf-krb-wg-kerberos-clarifications, Work in
              progress.

   [-02 only]
   [OCSP-PROFILE]
              Deacon, A. and R. Hurst, "Lightweight OCSP Profile for
              High Volume Environments",
              draft-ietf-pkix-lightweight-ocsp-profile, Work in
              progress.

   [-01]
   [PKINIT]   Tung, B. and B. Neuman, "Public Key Cryptography for
              Initial Authentication in Kerberos",
              draft-ietf-cat-kerberos-pk-init, Work in progress.

   [-02]
   [PKINIT]   Tung, B., Neuman, B. and S. Medvinsky, "Public Key
              Cryptography for Initial Authentication in Kerberos",
              draft-ietf-cat-kerberos-pk-init, Work in progress.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2560]  Myers, M., Ankney, R., Malpani, A., Galperin, S. and C.
              Adams, "X.509 Internet Public Key Infrastructure Online
              Certificate Status Protocol - OCSP", RFC 2560, June 1999.

Authors' Addresses
   [unchanged text omitted; next change at page 9, line 47 (-01) / page 10, line 47 (-02)]

   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2004).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

Acknowledgment

   [-01] This document was based on conversations among the authors, Jeffrey
   Altman, Sam Hartman, Martin Rex, and other members of the Kerberos
   working group.

   [-02] Funding for the RFC Editor function is currently provided by the
   Internet Society.
This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/