Securely Available Credentials (SACRED) - Credential Server Framework
RFC 3760

Versions
07


Document	Type	RFC - Informational (April 2004; No errata) Was draft-ietf-sacred-framework (sacred WG)
	Last updated	2015-10-14
	Stream	IETF
	Formats	plain text pdf html bibtex
Stream	WG state	(None)
	Document shepherd	No shepherd assigned
IESG	IESG state	RFC 3760 (Informational)
	Consensus Boilerplate	Unknown
	Telechat date
	Responsible AD	Steven Bellovin
	Send notices to	(None)

Email authors IPR References Referenced by Nits

Network Working Group                                       D. Gustafson
Request for Comments: 3760                             Future Foundation
Category: Informational                                          M. Just
                                                Treasury Board of Canada
                                                              M. Nystrom
                                                            RSA Security
                                                              April 2004

 Securely Available Credentials (SACRED) - Credential Server Framework

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2004).  All Rights Reserved.

Abstract

   As the number, and more particularly the number of different types,
   of devices connecting to the Internet increases, credential mobility
   becomes an issue for IETF standardization.  This document responds to
   the requirements on protocols for secure exchange of credentials
   listed in RFC 3157, by presenting an abstract protocol framework.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2
   2.  Functional Overview. . . . . . . . . . . . . . . . . . . . . .  2
       2.1.  Definitions. . . . . . . . . . . . . . . . . . . . . . .  2
       2.2.  Credentials. . . . . . . . . . . . . . . . . . . . . . .  4
       2.3.  Network Architecture . . . . . . . . . . . . . . . . . .  5
   3.  Protocol Framework . . . . . . . . . . . . . . . . . . . . . .  6
       3.1.  Credential Upload. . . . . . . . . . . . . . . . . . . .  8
       3.2.  Credential Download. . . . . . . . . . . . . . . . . . . 10
       3.3.  Credential Removal . . . . . . . . . . . . . . . . . . . 11
       3.4.  Credential Management. . . . . . . . . . . . . . . . . . 12
   4.  Protocol Considerations. . . . . . . . . . . . . . . . . . . . 12
       4.1.  Secure Credential Formats. . . . . . . . . . . . . . . . 12
       4.2.  Authentication Methods . . . . . . . . . . . . . . . . . 13
       4.3.  Transport Protocol Suites. . . . . . . . . . . . . . . . 16
   5.  Security Considerations. . . . . . . . . . . . . . . . . . . . 17
       5.1.  Communications Security. . . . . . . . . . . . . . . . . 17
       5.2.  Systems Security . . . . . . . . . . . . . . . . . . . . 18

Gustafson, et al.            Informational                      [Page 1]
RFC 3760        Securely Available Credentials (SACRED)       April 2004

   6.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 20
       6.1.  Normative References . . . . . . . . . . . . . . . . . . 20
       6.2.  Informative References . . . . . . . . . . . . . . . . . 20
   7.  Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 21
   8.  Full Copyright Statement . . . . . . . . . . . . . . . . . . . 22

1 Introduction

   Digital credentials, such as private keys and corresponding
   certificates, are used to support various Internet protocols, e.g.,
   S/MIME, IPSec, and TLS.  In a number of environments end users wish
   to use the same credentials on different end-user devices.  In a
   "typical" desktop environment, the user already has many tools
   available to allow import/export of these credentials.  However, this
   is not very practical.  In addition, with some devices, especially
   wireless and other more constrained devices, the tools required
   simply do not exist.

   This document proposes a general framework for secure exchange of
   such credentials and provides a high level outline that will help
   guide the development of one or more securely available credentials
   (SACRED) credential exchange protocols.

2.  Functional Overview

   Requirements for SACRED are fully described in [RFC3157].  These
   requirements assume that two distinctly different network
   architectures will be created to support credential exchange for
   roaming users:

   a) Client/Server Credential Exchange
   b) Peer-to-Peer Credential Exchange

   This document describes the framework for one or more client/server
   credential exchange protocols.

   In all cases, adequate user authentication methods will be used to
   ensure credentials are not divulged to unauthorized parties.  As
   well, adequate server authentication methods will be used to ensure
   that each client's authentication information (see Section 2.1) is
   not compromised, and to ensure that roaming users interact with
   intended/authorized credential servers.

2.1.  Definitions

   This section provides definitions for several terms or phrases used
   throughout this document.

Gustafson, et al.            Informational                      [Page 2]

Show full document text

Securely Available Credentials (SACRED) - Credential Server FrameworkRFC 3760

Securely Available Credentials (SACRED) - Credential Server Framework
RFC 3760