Diff of draft-ietf-krb-wg-ocsp-for-pkinit-05.txt against draft-ietf-krb-wg-ocsp-for-pkinit-06.txt
(the text below is the -06 version; where -05 differs, the -05 text is given in parentheses)

NETWORK WORKING GROUP                                            L. Zhu
Internet-Draft                                            K. Jaganathan
Expires: January 20, 2006 (-05: November 21, 2005)    Microsoft Corporation
                                                            N. Williams
                                                       Sun Microsystems
                                          July 19, 2005 (-05: May 20, 2005)

                         OCSP Support for PKINIT
                  draft-ietf-krb-wg-ocsp-for-pkinit-06
                  (-05: draft-ietf-krb-wg-ocsp-for-pkinit-05)
Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.
   (-05 additionally opened this section with: "This document is an
   Internet-Draft and is subject to all provisions of Section 3 of
   RFC 3667.")

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on January 20, 2006 (-05: November
   21, 2005).
Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This document defines a mechanism to enable in-band transmission of
   Online Certificate Status Protocol (OCSP) responses in the Kerberos
   network authentication protocol.  These responses are used to verify

   [unchanged text skipped; the diff resumes at page 3, line 16]
   Online Certificate Status Protocol (OCSP) [RFC2560] enables
   applications to obtain timely information regarding the revocation
   status of a certificate.  Because OCSP responses are well-bounded and
   small in size, constrained clients may wish to use OCSP to check the
   validity of the certificates for the Kerberos Key Distribution Center
   (KDC) in order to avoid transmission of large Certificate Revocation
   Lists (CRLs) and therefore save bandwidth on constrained networks
   [OCSP-PROFILE].

   This document defines a pre-authentication type [RFC4120] (-05:
   [CLARIFICATIONS]), where the client and the KDC MAY piggyback OCSP
   responses for certificates used in authentication exchanges, as
   defined in [PKINIT].

   By using this OPTIONAL extension, PKINIT clients and the KDC can
   maximize the reuse of cached OCSP responses.
2.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].
3.  Message Definition

   A pre-authentication type identifier is defined for this mechanism:

      PA-PK-OCSP-RESPONSE                 18

   The corresponding padata-value field [RFC4120] (-05: [CLARIFICATIONS])
   contains the DER [X690] encoding of the following ASN.1 type:

      PKOcspData ::= SEQUENCE OF OcspResponse
         -- If more than one OcspResponse is
         -- included, the first OcspResponse
         -- MUST contain the OCSP response
         -- for the signer's certificate.
         -- The signer refers to the client for
         -- AS-REQ, and the KDC for the AS-REP,
         -- respectively.
         (the three comment lines defining "the signer" are new in -06)

      OcspResponse ::= OCTET STRING
         -- Contains a complete OCSP response,
         -- as defined in [RFC2560].
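   The following is an added example, not code from the draft or from any
   Kerberos implementation: a stdlib-only Python encoder and strict DER
   decoder for the PKOcspData type above, plus the PA-DATA wrapper from
   RFC 4120 (padata-type 18) that carries it.  The function names are
   the example's own, and the "OCSP response" byte strings used when
   exercising it are constructed placeholders, not real RFC 2560
   responses.

```python
# Added example (not from the draft): DER encode/decode of PKOcspData and the
# RFC 4120 PA-DATA wrapper for padata-type 18. Stdlib only; the DER routines
# are hand-rolled so the strictness checks a decoder should apply are visible.
from typing import List, Tuple

PA_PK_OCSP_RESPONSE = 18   # padata-type value from Section 3
TAG_INTEGER, TAG_OCTET_STRING, TAG_SEQUENCE = 0x02, 0x04, 0x30
TAG_CTX_1, TAG_CTX_2 = 0xA1, 0xA2   # [1]/[2] EXPLICIT tags of the PA-DATA fields


def der_length(n: int) -> bytes:
    """Short form below 128, otherwise minimal big-endian long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def encode_pkocspdata(responses: List[bytes]) -> bytes:
    """PKOcspData ::= SEQUENCE OF OcspResponse (OCTET STRING). responses[0]
    MUST be the response for the signer's certificate; the caller orders it."""
    if not responses:
        raise ValueError("at least the signer's OCSP response is required")
    return der_tlv(TAG_SEQUENCE,
                   b"".join(der_tlv(TAG_OCTET_STRING, r) for r in responses))


def encode_padata(responses: List[bytes]) -> bytes:
    """PA-DATA ::= SEQUENCE { padata-type [1] Int32, padata-value [2] OCTET STRING }.
    Kerberos uses EXPLICIT tagging: each field is a context tag around the base type."""
    ptype = der_tlv(TAG_INTEGER, bytes([PA_PK_OCSP_RESPONSE]))
    pvalue = der_tlv(TAG_OCTET_STRING, encode_pkocspdata(responses))
    return der_tlv(TAG_SEQUENCE, der_tlv(TAG_CTX_1, ptype) + der_tlv(TAG_CTX_2, pvalue))


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Strict DER TLV reader: rejects truncation, indefinite (BER) lengths and
    non-minimal length encodings. Returns (tag, content, position after)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0:
            raise ValueError("indefinite length is BER, not DER")
        if pos + nbytes > len(buf):
            raise ValueError("truncated length field")
        lb, pos = buf[pos:pos + nbytes], pos + nbytes
        if lb[0] == 0 or (nbytes == 1 and lb[0] < 0x80):
            raise ValueError("non-minimal length encoding")
        length = int.from_bytes(lb, "big")
    if pos + length > len(buf):
        raise ValueError("content runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_pkocspdata(der: bytes) -> List[bytes]:
    """Returns the OCSP response blobs in order; result[0] belongs to the signer."""
    tag, content, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    responses, pos = [], 0
    while pos < len(content):
        tag, item, pos = read_tlv(content, pos)
        if tag != TAG_OCTET_STRING:
            raise ValueError("expected OCTET STRING element")
        responses.append(item)
    if not responses:
        raise ValueError("empty PKOcspData")
    return responses


def decode_padata(der: bytes) -> Tuple[int, List[bytes]]:
    """Unwrap PA-DATA; returns (padata-type, parsed PKOcspData) for type 18."""
    tag, content, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("expected PA-DATA SEQUENCE")
    tag1, ptype_tlv, pos = read_tlv(content, 0)
    tag2, pvalue_tlv, pos = read_tlv(content, pos)
    if (tag1, tag2) != (TAG_CTX_1, TAG_CTX_2) or pos != len(content):
        raise ValueError("expected [1] padata-type then [2] padata-value")
    itag, ptype_bytes, _ = read_tlv(ptype_tlv, 0)
    otag, pvalue, _ = read_tlv(pvalue_tlv, 0)
    if (itag, otag) != (TAG_INTEGER, TAG_OCTET_STRING):
        raise ValueError("bad inner types in PA-DATA")
    ptype = int.from_bytes(ptype_bytes, "big", signed=True)
    if ptype != PA_PK_OCSP_RESPONSE:
        raise ValueError("not PA-PK-OCSP-RESPONSE: padata-type %d" % ptype)
    return ptype, decode_pkocspdata(pvalue)
```

   Two points a practitioner should take from this.  The decoder rejects
   BER constructs (indefinite and non-minimal lengths) because the text
   requires DER, and a lax parser would let two implementations disagree
   about which bytes a cached response corresponds to.  And the parser
   only establishes the ordering rule (element 0 is the signer's
   response); it does nothing to validate the OCSP response itself.  The
   receiver must still check the response's signature, the certID it
   covers and its thisUpdate/nextUpdate window per [RFC2560] before
   relying on it, since the piggybacked response is only a transport.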
   The client MAY send OCSP responses for certificates used in PA-PK-AS-
   REQ [PKINIT] via a PA-PK-OCSP-RESPONSE.

   The KDC that receives a PA-PK-OCSP-RESPONSE then SHOULD send a PA-PK-
   OCSP-RESPONSE containing OCSP responses for certificates used in the

   [unchanged text skipped; the diff resumes at page 5, line 20 (-06: line 21)]
6.  Acknowledgements

   This document was based on conversations among the authors, Jeffrey
   Altman, Sam Hartman, Martin Rex and other members of the Kerberos
   working group.
7.  References

7.1  Normative References

   [CLARIFICATIONS]
              RFC-Editor: To be replaced by RFC number for draft-ietf-
              krb-wg-kerberos-clarifications.  Work in Progress.
              (-05 only; replaced in -06 by [RFC4120] below)

   [PKINIT]   RFC-Editor: To be replaced by RFC number for draft-ietf-
              cat-kerberos-pk-init.  Work in Progress.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2560]  Myers, M., Ankney, R., Malpani, A., Galperin, S., and C.
              Adams, "X.509 Internet Public Key Infrastructure Online
              Certificate Status Protocol - OCSP", RFC 2560, June 1999.

   [RFC4120]  Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
              Kerberos Network Authentication Service (V5)", RFC 4120,
              July 2005.  (-06 only)

   [X690]     ASN.1 encoding rules: Specification of Basic Encoding
              Rules (BER), Canonical Encoding Rules (CER) and
              Distinguished Encoding Rules (DER), ITU-T Recommendation
              X.690 (1997) | ISO/IEC International Standard 8825-1:1998.

7.2  Informative References

   [OCSP-PROFILE]
              RFC-Editor: To be replaced by RFC number for draft-deacon-
              lightweight-ocsp-profile.  Work in Progress.
End of changes.

This diff was produced by rfcdiff 1.25, available from http://www.levkowetz.com/ietf/tools/rfcdiff/