Securely Available Credentials (SACRED) - Credential Server Framework
RFC 3760
Document | Type | RFC - Informational (April 2004; No errata) | |
---|---|---|---|
Authors | Dale Gustafson , Mike Just , Magnus Nystrom | ||
Last updated | 2015-10-14 | ||
Stream | IETF | ||
Formats | plain text html pdf htmlized bibtex | ||
Stream | WG state | (None) | |
Document shepherd | No shepherd assigned | ||
IESG | IESG state | RFC 3760 (Informational) | |
Action Holders |
(None)
|
||
Consensus Boilerplate | Unknown | ||
Telechat date | |||
Responsible AD | Steven Bellovin | ||
Send notices to | (None) |
Network Working Group D. Gustafson Request for Comments: 3760 Future Foundation Category: Informational M. Just Treasury Board of Canada M. Nystrom RSA Security April 2004 Securely Available Credentials (SACRED) - Credential Server Framework Status of this Memo This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (2004). All Rights Reserved. Abstract As the number, and more particularly the number of different types, of devices connecting to the Internet increases, credential mobility becomes an issue for IETF standardization. This document responds to the requirements on protocols for secure exchange of credentials listed in RFC 3157, by presenting an abstract protocol framework. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Functional Overview. . . . . . . . . . . . . . . . . . . . . . 2 2.1. Definitions. . . . . . . . . . . . . . . . . . . . . . . 2 2.2. Credentials. . . . . . . . . . . . . . . . . . . . . . . 4 2.3. Network Architecture . . . . . . . . . . . . . . . . . . 5 3. Protocol Framework . . . . . . . . . . . . . . . . . . . . . . 6 3.1. Credential Upload. . . . . . . . . . . . . . . . . . . . 8 3.2. Credential Download. . . . . . . . . . . . . . . . . . . 10 3.3. Credential Removal . . . . . . . . . . . . . . . . . . . 11 3.4. Credential Management. . . . . . . . . . . . . . . . . . 12 4. Protocol Considerations. . . . . . . . . . . . . . . . . . . . 12 4.1. Secure Credential Formats. . . . . . . . . . . . . . . . 12 4.2. Authentication Methods . . . . . . . . . . . . . . . . . 13 4.3. Transport Protocol Suites. . . . . . . . . . . . . . . . 16 5. Security Considerations. . . . . . . . . . . . . . . . . . . . 17 5.1. Communications Security. . . . . . . . . . . . . . . . . 17 5.2. Systems Security . . . . . . . . . . . . . . . . . . . . 18 Gustafson, et al. Informational [Page 1] RFC 3760 Securely Available Credentials (SACRED) April 2004 6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 20 6.1. Normative References . . . . . . . . . . . . . . . . . . 20 6.2. Informative References . . . . . . . . . . . . . . . . . 20 7. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 21 8. Full Copyright Statement . . . . . . . . . . . . . . . . . . . 22 1 Introduction Digital credentials, such as private keys and corresponding certificates, are used to support various Internet protocols, e.g., S/MIME, IPSec, and TLS. In a number of environments end users wish to use the same credentials on different end-user devices. In a "typical" desktop environment, the user already has many tools available to allow import/export of these credentials. However, this is not very practical. In addition, with some devices, especially wireless and other more constrained devices, the tools required simply do not exist. This document proposes a general framework for secure exchange of such credentials and provides a high level outline that will help guide the development of one or more securely available credentials (SACRED) credential exchange protocols. 2. Functional Overview Requirements for SACRED are fully described in [RFC3157]. These requirements assume that two distinctly different network architectures will be created to support credential exchange for roaming users: a) Client/Server Credential Exchange b) Peer-to-Peer Credential Exchange This document describes the framework for one or more client/server credential exchange protocols. In all cases, adequate user authentication methods will be used to ensure credentials are not divulged to unauthorized parties. As well, adequate server authentication methods will be used to ensure that each client's authentication information (see Section 2.1) is not compromised, and to ensure that roaming users interact with intended/authorized credential servers. 2.1. Definitions This section provides definitions for several terms or phrases used throughout this document. Gustafson, et al. Informational [Page 2] RFC 3760 Securely Available Credentials (SACRED) April 2004 The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT",Show full document text