Securely Available Credentials (SACRED) - Credential Server Framework
RFC 3760
Document Type RFC - Informational (April 2004; No errata)
Last updated 2015-10-14
Stream IETF
Formats plain text pdf html bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 3760 (Informational)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Steven Bellovin
Send notices to (None)
Email authors Email WG IPR References Referenced by Nits 
Network Working Group                                       D. Gustafson
Request for Comments: 3760                             Future Foundation
Category: Informational                                          M. Just
                                                Treasury Board of Canada
                                                              M. Nystrom
                                                            RSA Security
                                                              April 2004

 Securely Available Credentials (SACRED) - Credential Server Framework

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2004).  All Rights Reserved.

Abstract

   As the number, and more particularly the number of different types,
   of devices connecting to the Internet increases, credential mobility
   becomes an issue for IETF standardization.  This document responds to
   the requirements on protocols for secure exchange of credentials
   listed in RFC 3157, by presenting an abstract protocol framework.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2
   2.  Functional Overview. . . . . . . . . . . . . . . . . . . . . .  2
       2.1.  Definitions. . . . . . . . . . . . . . . . . . . . . . .  2
       2.2.  Credentials. . . . . . . . . . . . . . . . . . . . . . .  4
       2.3.  Network Architecture . . . . . . . . . . . . . . . . . .  5
   3.  Protocol Framework . . . . . . . . . . . . . . . . . . . . . .  6
       3.1.  Credential Upload. . . . . . . . . . . . . . . . . . . .  8
       3.2.  Credential Download. . . . . . . . . . . . . . . . . . . 10
       3.3.  Credential Removal . . . . . . . . . . . . . . . . . . . 11
       3.4.  Credential Management. . . . . . . . . . . . . . . . . . 12
   4.  Protocol Considerations. . . . . . . . . . . . . . . . . . . . 12
       4.1.  Secure Credential Formats. . . . . . . . . . . . . . . . 12
       4.2.  Authentication Methods . . . . . . . . . . . . . . . . . 13
       4.3.  Transport Protocol Suites. . . . . . . . . . . . . . . . 16
   5.  Security Considerations. . . . . . . . . . . . . . . . . . . . 17
       5.1.  Communications Security. . . . . . . . . . . . . . . . . 17
       5.2.  Systems Security . . . . . . . . . . . . . . . . . . . . 18

Gustafson, et al.            Informational                      [Page 1]
RFC 3760        Securely Available Credentials (SACRED)       April 2004

   6.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 20
       6.1.  Normative References . . . . . . . . . . . . . . . . . . 20
       6.2.  Informative References . . . . . . . . . . . . . . . . . 20
   7.  Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 21
   8.  Full Copyright Statement . . . . . . . . . . . . . . . . . . . 22

1 Introduction

   Digital credentials, such as private keys and corresponding
   certificates, are used to support various Internet protocols, e.g.,
   S/MIME, IPSec, and TLS.  In a number of environments end users wish
   to use the same credentials on different end-user devices.  In a
   "typical" desktop environment, the user already has many tools
   available to allow import/export of these credentials.  However, this
   is not very practical.  In addition, with some devices, especially
   wireless and other more constrained devices, the tools required
   simply do not exist.

   This document proposes a general framework for secure exchange of
   such credentials and provides a high level outline that will help
   guide the development of one or more securely available credentials
   (SACRED) credential exchange protocols.

2.  Functional Overview

   Requirements for SACRED are fully described in [RFC3157].  These
   requirements assume that two distinctly different network
   architectures will be created to support credential exchange for
   roaming users:

   a) Client/Server Credential Exchange
   b) Peer-to-Peer Credential Exchange

   This document describes the framework for one or more client/server
   credential exchange protocols.

   In all cases, adequate user authentication methods will be used to
   ensure credentials are not divulged to unauthorized parties.  As
   well, adequate server authentication methods will be used to ensure
   that each client's authentication information (see Section 2.1) is
   not compromised, and to ensure that roaming users interact with
   intended/authorized credential servers.

2.1.  Definitions

   This section provides definitions for several terms or phrases used
   throughout this document.

Gustafson, et al.            Informational                      [Page 2]
RFC 3760        Securely Available Credentials (SACRED)       April 2004

   The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT",
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools