Online Certificate Status Protocol (OCSP) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)
RFC 4557

Document type: RFC - Proposed Standard (June 2006; Errata)
Document stream: IETF
Last updated: 2013-03-02

IETF State: (None)
Consensus: Unknown
Document shepherd: No shepherd assigned

IESG State: RFC 4557 (Proposed Standard)
Responsible AD: Sam Hartman
Send notices to: jhutz@cmu.edu, lzhu@windows.microsoft.com

Network Working Group                                             L. Zhu
Request for Comments: 4557                                 K. Jaganathan
Category: Standards Track                          Microsoft Corporation
                                                             N. Williams
                                                        Sun Microsystems
                                                               June 2006

         Online Certificate Status Protocol (OCSP) Support for
                      Public Key Cryptography for
              Initial Authentication in Kerberos (PKINIT)

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This document defines a mechanism to enable in-band transmission of
   Online Certificate Status Protocol (OCSP) responses in the Kerberos
   network authentication protocol.  These responses are used to verify
   the validity of the certificates used in Public Key Cryptography for
   Initial Authentication in Kerberos (PKINIT), which is the Kerberos
   Version 5 extension that provides for the use of public key
   cryptography.

Table of Contents

   1. Introduction ....................................................2
   2. Conventions Used in This Document ...............................2
   3. Message Definition ..............................................2
   4. Security Considerations .........................................3
   5. Acknowledgements ................................................4
   6. References ......................................................4
      6.1. Normative References .......................................4
      6.2. Informative References .....................................4

Zhu, et al.                 Standards Track                     [Page 1]
RFC 4557                OCSP Support for PKINIT                June 2006

1.  Introduction

   Online Certificate Status Protocol (OCSP) [RFC2560] enables
   applications to obtain timely information regarding the revocation
   status of a certificate.  Because OCSP responses are well bounded and
   small in size, constrained clients may wish to use OCSP to check the
   validity of the certificates of the Kerberos Key Distribution Center
   (KDC) in order to avoid transmission of large Certificate Revocation
   Lists (CRLs) and therefore save bandwidth on constrained networks
   [OCSP-PROFILE].

   This document defines a pre-authentication type [RFC4120], where the
   client and the KDC MAY piggyback OCSP responses for certificates used
   in authentication exchanges, as defined in [RFC4556].

   By using this OPTIONAL extension, PKINIT clients and the KDC can
   maximize the reuse of cached OCSP responses.

2.  Conventions Used in This Document

   In this document, the key words "MUST", "MUST NOT", "REQUIRED",
   "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
   and "OPTIONAL" are to be interpreted as described in [RFC2119].

3.  Message Definition

   A pre-authentication type identifier is defined for this mechanism:

              PA-PK-OCSP-RESPONSE              18

   The corresponding padata-value field [RFC4120] contains the DER [X690]
   encoding of the following ASN.1 type:

          PKOcspData ::= SEQUENCE OF OcspResponse
                         -- If more than one OcspResponse is
                         -- included, the first OcspResponse
                         -- MUST contain the OCSP response
                         -- for the signer's certificate.
                         -- The signer refers to the client for
                         -- AS-REQ, and the KDC for the AS-REP,
                         -- respectively.

          OcspResponse ::= OCTET STRING
                         -- Contains a complete OCSP response,
                         -- as defined in [RFC2560].

   The client MAY send OCSP responses for certificates used in
   PA-PK-AS-REQ [RFC4556] via a PA-PK-OCSP-RESPONSE.
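   The following is an added example and is not code from RFC 4557 or from
   any PKINIT implementation.  It encodes and decodes the PKOcspData type
   above (a SEQUENCE OF OCTET STRING) as the padata-value of a
   PA-PK-OCSP-RESPONSE (padata-type 18), keeping the signer's response in
   the first position and rejecting truncated or non-minimal DER lengths,
   which a KDC or client parsing untrusted padata should do.  The sample
   OCSP response bytes are constructed stand-ins, not real responses.

```python
# Added example, not code from RFC 4557: DER encode/decode of PKOcspData
# (SEQUENCE OF OcspResponse, OcspResponse ::= OCTET STRING) as carried in
# a PA-PK-OCSP-RESPONSE padata. OCSP response bytes are treated as opaque.
PA_PK_OCSP_RESPONSE = 18  # padata-type assigned in RFC 4557, section 3

def _der_len(n):  # short form below 128, otherwise minimal long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

def encode_pk_ocsp_data(responses):
    """responses[0] MUST be the OCSP response for the signer's certificate."""
    if not responses:
        raise ValueError("PKOcspData needs at least one OcspResponse")
    return _der_tlv(0x30, b"".join(_der_tlv(0x04, r) for r in responses))

def _read_tlv(buf, pos):
    """Parse one TLV at pos; reject indefinite, oversized or non-minimal lengths."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if not 1 <= nbytes <= 4:
            raise ValueError("unsupported DER length encoding")
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
        if length < 0x80 or length < 1 << (8 * (nbytes - 1)):
            raise ValueError("non-minimal DER length")
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_pk_ocsp_data(der):
    """Return the OcspResponse octet strings in order; index 0 is the signer's."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("PKOcspData must be exactly one SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag != 0x04:
            raise ValueError("OcspResponse must be an OCTET STRING")
        out.append(content)
    return out

# Constructed sample: minimal OCSPResponse encodings (responseStatus successful(0),
# no responseBytes) standing in for real responses; signer's response first.
SIGNER_RESP = ISSUER_RESP = b"\x30\x03\x0a\x01\x00"
PADATA = (PA_PK_OCSP_RESPONSE, encode_pk_ocsp_data([SIGNER_RESP, ISSUER_RESP]))
```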


   The KDC that receives a PA-PK-OCSP-RESPONSE SHOULD send a
   PA-PK-OCSP-RESPONSE containing OCSP responses for certificates used in the
