draft-ietf-krb-wg-ocsp-for-pkinit-03.txt   draft-ietf-krb-wg-ocsp-for-pkinit-04.txt 
NETWORK WORKING GROUP L. Zhu NETWORK WORKING GROUP L. Zhu
Internet-Draft K. Jaganathan Internet-Draft K. Jaganathan
Expires: June 3, 2005 Microsoft Corporation Expires: August 4, 2005 Microsoft Corporation
N. Williams N. Williams
Sun Microsystems Sun Microsystems
December 3, 2004 January 31, 2005
OCSP Support for PKINIT OCSP Support for PKINIT
draft-ietf-krb-wg-ocsp-for-pkinit-03 draft-ietf-krb-wg-ocsp-for-pkinit-04
Status of this Memo Status of this Memo
This document is an Internet-Draft and is subject to all provisions This document is an Internet-Draft and is subject to all provisions
of section 3 of RFC 3667. By submitting this Internet-Draft, each of Section 3 of RFC 3667. By submitting this Internet-Draft, each
author represents that any applicable patent or other IPR claims of author represents that any applicable patent or other IPR claims of
which he or she is aware have been or will be disclosed, and any of which he or she is aware have been or will be disclosed, and any of
which he or she become aware will be disclosed, in accordance with which he or she become aware will be disclosed, in accordance with
RFC 3668. RFC 3668.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as other groups may also distribute working documents as
Internet-Drafts. Internet-Drafts.
skipping to change at page 1, line 38 skipping to change at page 1, line 38
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on June 3, 2005. This Internet-Draft will expire on August 4, 2005.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2004). Copyright (C) The Internet Society (2005).
Abstract Abstract
This document defines a mechanism to enable in-band transmission of This document defines a mechanism to enable in-band transmission of
Online Certificate Status Protocol (OCSP) responses in the Kerberos Online Certificate Status Protocol (OCSP) responses in the Kerberos
network authentication protocol. These responses are used to verify network authentication protocol. These responses are used to verify
the validity of the certificates used in PKINIT - the Kerberos the validity of the certificates used in PKINIT - the Kerberos
Version 5 extension that provides for the use of public key Version 5 extension that provides for the use of public key
cryptography. cryptography.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions Used in This Document . . . . . . . . . . . . . . 4 2. Conventions Used in This Document . . . . . . . . . . . . . . 3
3. Message Definition . . . . . . . . . . . . . . . . . . . . . . 5 3. Message Definition . . . . . . . . . . . . . . . . . . . . . . 3
4. Security Considerations . . . . . . . . . . . . . . . . . . . 6 4. Security Considerations . . . . . . . . . . . . . . . . . . . 4
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 5
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 5
7.1 Normative References . . . . . . . . . . . . . . . . . . . . 9 7.1 Normative References . . . . . . . . . . . . . . . . . . . 5
7.2 Informative References . . . . . . . . . . . . . . . . . . . 9 7.2 Informative References . . . . . . . . . . . . . . . . . . 5
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 9 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 5
Intellectual Property and Copyright Statements . . . . . . . . 11 Intellectual Property and Copyright Statements . . . . . . . . 7
1. Introduction 1. Introduction
Online Certificate Status Protocol (OCSP) [RFC2560] enables Online Certificate Status Protocol (OCSP) [RFC2560] enables
applications to obtain timely information regarding the revocation applications to obtain timely information regarding the revocation
status of a certificate. Because OCSP responses are well-bounded and status of a certificate. Because OCSP responses are well-bounded and
small in size, constrained clients may wish to use OCSP to check the small in size, constrained clients may wish to use OCSP to check the
validity of the certificates for Kerberos Key Distribution Center validity of the certificates for Kerberos Key Distribution Center
(KDC) in order to avoid transmission of large Certificate Revocation (KDC) in order to avoid transmission of large Certificate Revocation
Lists (CRLs) and therefore save bandwidth on constrained networks Lists (CRLs) and therefore save bandwidth on constrained networks
skipping to change at page 6, line 8 skipping to change at page 4, line 30
The client and the KDC SHOULD ignore invalid OCSP responses received The client and the KDC SHOULD ignore invalid OCSP responses received
via this mechanism, and they MAY implement CRL processing logic as a via this mechanism, and they MAY implement CRL processing logic as a
fall-back position, if the OCSP responses received via this mechanism fall-back position, if the OCSP responses received via this mechanism
alone are not sufficient for the verification of certificate alone are not sufficient for the verification of certificate
validity. The client and/or the KDC MAY ignore a valid OCSP response validity. The client and/or the KDC MAY ignore a valid OCSP response
and perform their own revocation status verification independently. and perform their own revocation status verification independently.
4. Security Considerations 4. Security Considerations
The pre-authentication data in this document do not actually The pre-authentication data in this document do not actually
authenticate any principals, and it is designed to be used in authenticate any principals, but is designed to be used in
conjunction with PKINIT. conjunction with PKINIT.
There is a downgrade attack against clients which want OCSP responses There is no binding between PA-PK-OCSP-RESPONSE pre-authentication
from the KDC for the KDC's certificates. The clients, however, can data and PKINIT pre-authentication data other than a given OCSP
treat the absence of valid OCSP responses as an error, based on their response corresponding to a certificate used in a PKINIT
local configuration. pre-authentication data element. Attacks involving removal or
replacement of PA-PK-OCSP-RESPONSE pre-authentication data elements
are, at worst, downgrade attacks, where a PKINIT client or KDC would
proceed without use of CRLs or OCSP for certificate validation, or
denial of service attacks, where a PKINIT client or KDC that cannot
validate the other's certificate without an accompanying OCSP
response might reject the AS exchange or where they might have to
download very large CRLs in order to continue. Kerberos V does not
protect against denial-of-service attacks, therefore the
denial-of-service aspect of these attacks are acceptable.
If a PKINIT client or KDC cannot validate certificates without the
aid of a valid PA-PK-OCSP-RESPONSE then it SHOULD fail the AS
exchange, possibly according to local configuration.
5. IANA Considerations 5. IANA Considerations
No IANA actions are required for this document. No IANA actions are required for this document.
6. Acknowledgements 6. Acknowledgements
This document was based on conversations among the authors, Jeffrey This document was based on conversations among the authors, Jeffrey
Altman, Sam Hartman, Martin Rex and other members of the Kerberos Altman, Sam Hartman, Martin Rex and other members of the Kerberos
working group. working group.
7. References 7. References
7.1 Normative References 7.1 Normative References
[CLARIFICATIONS] [CLARIFICATIONS]
Neuman, B., Yu, Y., Hartman, S. and K. Raeburn, "The RFC-Editor: To be replaced by RFC number for draft-ietf-
Kerberos Network Authentication Service (V5)", krb-wg-kerberos-clarifications. Work in Progress.
draft-ietf-krb-wg-kerberos-clarifications, work in
progress.
[PKINIT] Tung, B., Neuman, B. and S. Medvinsky, "Public Key [PKINIT] RFC-Editor: To be replaced by RFC number for draft-ietf-
Cryptography for Initial Authentication in Kerberos", cat-kerberos-pk-init. Work in Progress.
draft-ietf-cat-kerberos-pk-init, work in progress.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2560] Myers, M., Ankney, R., Malpani, A., Galperin, S. and C. [RFC2560] Myers, M., Ankney, R., Malpani, A., Galperin, S. and C.
Adams, "X.509 Internet Public Key Infrastructure Online Adams, "X.509 Internet Public Key Infrastructure Online
Certificate Status Protocol - OCSP", RFC 2560, June 1999. Certificate Status Protocol - OCSP", RFC 2560, June 1999.
[X690] ASN.1 encoding rules: Specification of Basic Encoding [X690] ASN.1 encoding rules: Specification of Basic Encoding
Rules (BER), Canonical Encoding Rules (CER) and Rules (BER), Canonical Encoding Rules (CER) and
Distinguished Encoding Rules (DER), ITU-T Recommendation Distinguished Encoding Rules (DER), ITU-T Recommendation
X.690 (1997) | ISO/IEC International Standard 8825-1:1998. X.690 (1997) | ISO/IEC International Standard 8825-1:1998.
7.2 Informative References 7.2 Informative References
[OCSP-PROFILE] [OCSP-PROFILE]
Deacon, A. and R. Hurst, "Lightweight OCSP Profile for RFC-Editor: To be replaced by RFC number for draft-deacon-
High Volume Environments", August 2004. lightweight-ocsp-profile. Work in Progress.
Authors' Addresses Authors' Addresses
Larry Zhu Larry Zhu
Microsoft Corporation Microsoft Corporation
One Microsoft Way One Microsoft Way
Redmond, WA 98052 Redmond, WA 98052
US US
EMail: lzhu@microsoft.com Email: lzhu@microsoft.com
Karthik Jaganathan Karthik Jaganathan
Microsoft Corporation Microsoft Corporation
One Microsoft Way One Microsoft Way
Redmond, WA 98052 Redmond, WA 98052
US US
EMail: karthikj@microsoft.com Email: karthikj@microsoft.com
Nicolas Williams Nicolas Williams
Sun Microsystems Sun Microsystems
5300 Riata Trace Ct 5300 Riata Trace Ct
Austin, TX 78727 Austin, TX 78727
US US
EMail: Nicolas.Williams@sun.com Email: Nicolas.Williams@sun.com
Intellectual Property Statement Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be on the procedures with respect to rights in RFC documents can be
skipping to change at page 11, line 41 skipping to change at page 7, line 41
This document and the information contained herein are provided on an This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement Copyright Statement
Copyright (C) The Internet Society (2004). This document is subject Copyright (C) The Internet Society (2005). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights. except as set forth therein, the authors retain all their rights.
Acknowledgment Acknowledgment
Funding for the RFC Editor function is currently provided by the Funding for the RFC Editor function is currently provided by the
Internet Society. Internet Society.
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/