kx509 Kerberized Certificate Issuance Protocol in Use in 2012
RFC 6717

Document type: RFC - Informational (August 2012)
Was draft-hotz-kx509 (individual)
Document stream: ISE
Last updated: 2013-02-12

IESG State: RFC 6717 (Informational)
Responsible AD: Stephen Farrell

Independent Submission                                           H. Hotz
Request for Comments: 6717                   Jet Propulsion Lab, Caltech
Category: Informational                                       R. Allbery
ISSN: 2070-1721                                      Stanford University
                                                             August 2012

     kx509 Kerberized Certificate Issuance Protocol in Use in 2012

Abstract

   This document describes a protocol, called kx509, for using Kerberos
   tickets to acquire X.509 certificates.  These certificates may be
   used for many of the same purposes as X.509 certificates acquired by
   other means, but if a Kerberos infrastructure already exists, then
   the overhead of using kx509 may be much less.

   While not standardized, this protocol is already in use at several
   large organizations, and certificates issued with this protocol are
   recognized by the International Grid Trust Federation.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This is a contribution to the RFC Series, independently of any other
   RFC stream.  The RFC Editor has chosen to publish this document at
   its discretion and makes no statement about its value for
   implementation or deployment.  Documents approved for publication by
   the RFC Editor are not a candidate for any level of Internet
   Standard; see Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc6717.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Hotz & Allbery                Informational                     [Page 1]
RFC 6717                          kx509                      August 2012

Table of Contents

   1. Introduction ....................................................2
      1.1. Requirements Language ......................................3
   2. Protocol Data ...................................................3
      2.1. Request Packet .............................................3
      2.2. Reply Packet ...............................................4
   3. Protocol Operation ..............................................7
   4. Acknowledgements ................................................8
   5. IANA Considerations .............................................8
   6. Security Considerations .........................................9
   7. References .....................................................10
      7.1. Normative References ......................................10
      7.2. Informative References ....................................10
   Appendix A.  Certificate Caching and Deployment Considerations ....12
   Appendix B.  Historic Extensions ..................................12
   Appendix C.  Example Exchange .....................................12

1.  Introduction

   The two primary ways of providing cryptographically secure
   identification on the Internet are Kerberos tickets [RFC4120] and
   X.509 [RFC5280] [X.509] certificates.

   In practical IT infrastructure where both are in use, it's highly
   desirable to deploy their support in a way that guarantees they both
   authoritatively refer to the same entities.  There is already a
   widely adopted standard for using X.509 certificates to acquire
   corresponding Kerberos tickets called Public Key Cryptography for
   Initial Authentication in Kerberos (PKINIT) [RFC4556].  This document
   describes the kx509 protocol for supporting the symmetric operation
   of acquiring X.509 certificates using Kerberos tickets.

   Preparing and reviewing this document exposed a number of issues that
   are discussed in the security considerations.  Unfortunately, some of
   them can only be addressed with an incompatible upgrade to this
   protocol.  The IETF's Kerberos working group has an expected work
   item to address these issues.

   The International Grid Trust Federation [IGTF] supports the use of
   Short Lived Credential Services [SLCS] as a means to authenticate for
   resource usage based on other, native identity stores that an
   organization maintains.  Issuing X.509 certificates with the kx509
   protocol based on a Kerberos identity is one of the recognized
   credential services.  The certificate profile for that use is outside
