InternetWide Identities with Realm Crossover
draft-vanrein-internetwide-realm-crossover-00

Document Type Active Internet-Draft (individual)
Author Rick van Rein 
Last updated 2020-09-28
IESG IESG state I-D Exists
Network Working Group                                        R. Van Rein
Internet-Draft                                          InternetWide.org
Intended status: Standards Track                      September 28, 2020
Expires: April 1, 2021

              InternetWide Identities with Realm Crossover
             draft-vanrein-internetwide-realm-crossover-00

Abstract

   Domains and domain user identities are available in many protocols,
   and can be expressed as part of the URI grammar.  This document
   outlines how clients can bring their self-controlled identities over
   when crossing over to foreign realms that rely on authenticated user
   identities.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 1, 2021.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Van Rein                  Expires April 1, 2021                 [Page 1]

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Bring Your Own IDentity as a Usage Pattern  . . . . . . . . .   3
   3.  Grammar of Identities . . . . . . . . . . . . . . . . . . . .   4
   4.  Example Use Cases . . . . . . . . . . . . . . . . . . . . . .   5
     4.1.  Example of a Local Identity Grammar . . . . . . . . . . .   5
     4.2.  Example Targets for Access Control  . . . . . . . . . . .   6
     4.3.  Example Regimen for Access Control  . . . . . . . . . . .   7
   5.  Realm Crossover Techniques  . . . . . . . . . . . . . . . . .   9
     5.1.  Realm Crossover for Kerberos  . . . . . . . . . . . . . .   9
     5.2.  Realm Crossover for SASL  . . . . . . . . . . . . . . . .  10
     5.3.  Realm Crossover for PKIX  . . . . . . . . . . . . . . . .  12
   6.  New Application Protocols . . . . . . . . . . . . . . . . . .  13
     6.1.  Remote PKCS #11 . . . . . . . . . . . . . . . . . . . . .  13
     6.2.  Keyful Identity Protocol  . . . . . . . . . . . . . . . .  13
     6.3.  Helm Access (from Arbitrary Nodes)  . . . . . . . . . . .  14
     6.4.  InternetWide Roaming  . . . . . . . . . . . . . . . . . .  16
   7.  Normative References  . . . . . . . . . . . . . . . . . . . .  17
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  19

1.  Introduction

   Many protocols identify clients and servers through a domain name or
   a user at a domain name.  Domain names follow the stepwise delegation
   of authority that is engrained in DNS, and an added username is
   generally considered a further refinement that falls under the
   authority of the named domain.

   URI grammar mirrors this idea in its authority section.  Some
   additional information is present to facilitate resource location
   beyond an identity: the scheme, an optional port and, for some
   schemes, a host name that mildly overspecifies a domain.

   InternetWide Identity, as introduced herein, allows domain.name and
   user@domain.name identity forms across protocols, and when included
   in a URI it treats any path, query part, port, URI scheme and host-
   instead-of-a-domain as information beyond the abstraction level of
   interest to identity.  In other words, variable paths, host names,
   ports and service protocols can occur in URIs that represent the same
   identity.

   InternetWide Identities are domain-scoped and intended for use in
   foreign servers that may reside in the client's domain or any other
   domain.  We informally refer to this idea as "Bring Your Own IDentity
   (BYOID)" and to the technology facilitating it as "Realm Crossover"
   for domain.name and user@domain.name identities.
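   The following is an added example, not code from the draft or from
   InternetWide.org: it derives an InternetWide identity (domain.name or
   user@domain.name) from a URI by reading only the authority section,
   so that scheme, port, path, query and fragment fall away as the
   Introduction describes.  It assumes that schemes which place the
   identity directly after the colon (sip:, mailto:, xmpp:) carry an
   authority-shaped string there, and it uses a host name as-is, since
   this excerpt does not define how a host reduces to its domain.

```python
"""Derive an InternetWide identity from a URI (added example, not draft code)."""
from urllib.parse import urlsplit, unquote


def internetwide_identity(uri: str) -> str:
    """Return 'user@domain' or 'domain' for the authority section of `uri`.

    Only the authority is consulted: scheme, port, path, query and fragment
    are beyond the identity abstraction.  Raises ValueError when no host can
    be found or when the userinfo carries a password, which is a secret and
    never part of an identity.
    """
    parts = urlsplit(uri)
    # Assumption: schemes without '//' (sip:, mailto:, xmpp:) put the
    # authority-shaped identity at the start of the path component.
    authority = parts.netloc or parts.path.split("/", 1)[0]
    # Re-parse the authority alone; this keeps a path such as
    # '/@victim.example' from ever being mistaken for the domain.
    auth = urlsplit("//" + authority)
    host = auth.hostname          # lower-cased, port and userinfo removed
    if not host:
        raise ValueError("URI has no host: %r" % uri)
    if auth.password is not None:
        raise ValueError("password in userinfo is not part of an identity")
    # Assumption: the host is used as-is; reducing www.example.com to
    # example.com is not defined in this part of the draft.
    domain = host.rstrip(".")
    if auth.username:
        return "%s@%s" % (unquote(auth.username), domain)
    return domain


def same_identity(uri_a: str, uri_b: str) -> bool:
    """True when both URIs resolve to the same InternetWide identity."""
    return internetwide_identity(uri_a) == internetwide_identity(uri_b)


if __name__ == "__main__":
    # Constructed sample URIs: different services, one identity.
    for u in ("https://john@example.com:8443/inbox?page=2#top",
              "sip:john@example.com:5060",
              "imaps://example.com/"):
        print(u, "->", internetwide_identity(u))
```

   Splitting the raw string on its last "@" would instead hand the
   access-control decision to whatever follows the path, which is why
   the authority is parsed in isolation.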
