Kerberos Authorization Data Container Authenticated by Multiple MACs
draft-ietf-kitten-cammac-02

Document Type: Active Internet-Draft (kitten WG)
Last updated: 2015-03-09
Replaces: draft-ietf-krb-wg-cammac
Stream: IETF
Intended RFC status: Proposed Standard
WG state: Submitted to IESG for Publication
Document shepherd: Benjamin Kaduk
Shepherd write-up: last changed 2014-11-17
IESG state: RFC Ed Queue
Consensus Boilerplate: Yes
Responsible AD: Stephen Farrell
Send notices to: kitten-chairs@ietf.org, kaduk@mit.edu
IANA review state: Version Changed - Review Needed
IANA action state: No IANA Actions
RFC Editor state: IESG
Internet Engineering Task Force                            S. Sorce, Ed.
Internet-Draft                                                   Red Hat
Updates: 4120 (if approved)                                   T. Yu, Ed.
Intended status: Standards Track                        T. Hardjono, Ed.
Expires: September 10, 2015                      MIT Kerberos Consortium
                                                           March 9, 2015

  Kerberos Authorization Data Container Authenticated by Multiple MACs
                      draft-ietf-kitten-cammac-02

Abstract

   This document specifies a Kerberos Authorization Data container that
   supersedes AD-KDC-ISSUED.  It allows for multiple Message
   Authentication Codes (MACs) or signatures to authenticate the
   contained Authorization Data elements.  The multiple MACs are needed
   to mitigate shortcomings in the existing AD-KDC-ISSUED container.
   This document updates RFC 4120.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 10, 2015.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must

Sorce, et al.          Expires September 10, 2015               [Page 1]
Internet-Draft  Container Authenticated by Multiple MACs      March 2015

   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Requirements Language . . . . . . . . . . . . . . . . . . . .   2
   3.  Motivations . . . . . . . . . . . . . . . . . . . . . . . . .   2
   4.  Encoding  . . . . . . . . . . . . . . . . . . . . . . . . . .   4
   5.  Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . .   6
   6.  Assigned numbers  . . . . . . . . . . . . . . . . . . . . . .   6
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   6
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .   6
   9.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   9
   10. References  . . . . . . . . . . . . . . . . . . . . . . . . .   9
     10.1.  Normative References . . . . . . . . . . . . . . . . . .   9
     10.2.  Informative References . . . . . . . . . . . . . . . . .   9
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   9

1.  Introduction

   This document specifies a new Authorization Data container for
   Kerberos, called the CAMMAC (Container Authenticated by Multiple
   MACs).  The ASN.1 type implementing the CAMMAC concept is the AD-
   CAMMAC, which supersedes the AD-KDC-ISSUED Authorization Data type
   specified in [RFC4120].  This new container allows both the receiving
   application service and the Key Distribution Center (KDC) itself to
   verify the authenticity of the contained authorization data.  The AD-
   CAMMAC container can also include additional verifiers that "trusted
   services" can use to verify the contained authorization data.
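   As an added illustration (not code from the draft, and not its ASN.1
   encoding, which this excerpt does not include), the following Python
   models the idea above: the KDC computes several keyed MACs over one
   set of contained authorization data, and each party verifies only the
   MAC its own key covers.  The key names, role numbers and the JSON
   stand-in for DER are assumptions of this example.

```python
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# Constructed stand-in keys; in Kerberos neither party holds the other's.
KDC_KEY = b"constructed-kdc-long-term-key"
SVC_KEY = b"constructed-service-long-term-key"

# Role tags domain-separate the MACs (illustrative, not the draft's usage numbers).
ROLE_KDC, ROLE_SVC, ROLE_OTHER = 1, 2, 3

def encode_elements(elements: Dict[str, str]) -> bytes:
    """Canonical bytes of the contained AD elements (JSON stands in for DER)."""
    return json.dumps(elements, sort_keys=True, separators=(",", ":")).encode()

def keyed_mac(key: bytes, role: int, data: bytes) -> str:
    """HMAC-SHA256 stands in for a Kerberos keyed checksum."""
    return hmac.new(key, role.to_bytes(4, "big") + data, hashlib.sha256).hexdigest()

def issue_cammac(elements: Dict[str, str], kdc_key: bytes, svc_key: bytes,
                 other_keys: Optional[Dict[str, bytes]] = None) -> dict:
    """KDC side: one container, independent verifiers over the same elements."""
    enc = encode_elements(elements)
    return {
        "elements": elements,
        "kdc_verifier": keyed_mac(kdc_key, ROLE_KDC, enc),
        "svc_verifier": keyed_mac(svc_key, ROLE_SVC, enc),
        "other_verifiers": {name: keyed_mac(k, ROLE_OTHER, enc)
                            for name, k in (other_keys or {}).items()},
    }

def verify(container: dict, key: bytes, role: int,
           name: Optional[str] = None) -> bool:
    """Each party checks only the verifier its own key covers."""
    enc = encode_elements(container["elements"])
    if role == ROLE_OTHER:
        expected = container["other_verifiers"].get(name)
    else:
        expected = container["kdc_verifier" if role == ROLE_KDC else "svc_verifier"]
    return expected is not None and hmac.compare_digest(expected, keyed_mac(key, role, enc))

def demo() -> Tuple[bool, bool, bool]:
    ad = {"restriction": "constructed-example"}
    cammac = issue_cammac(ad, KDC_KEY, SVC_KEY, {"proxy": b"constructed-proxy-key"})
    # A container rebuilt with only the service key carries no KDC verifier the KDC accepts.
    rebuilt = issue_cammac({"restriction": "altered"}, SVC_KEY, SVC_KEY)
    return (verify(cammac, KDC_KEY, ROLE_KDC), verify(cammac, SVC_KEY, ROLE_SVC),
            verify(rebuilt, KDC_KEY, ROLE_KDC))
```

   demo() returns (True, True, False): the genuine container passes both
   the KDC's and the service's check, while the rebuilt one fails the
   KDC's, which is the property a single service-keyed checksum cannot
   give.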

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

3.  Motivations

   The Kerberos protocol allows clients to submit arbitrary
   authorization data for a KDC to insert into a Kerberos ticket.  These
   client-requested authorization data allow the client to express
   authorization restrictions that the application service will
   interpret.  With few exceptions, the KDC can safely copy these
   client-requested authorization data to the issued ticket without
   necessarily inspecting, interpreting, or filtering their contents.
