Kerberos Authorization Data Container Authenticated by Multiple Message Authentication Codes (MACs)
RFC 7751
| Document | Type |
RFC - Proposed Standard
(March 2016; No errata)
Updates RFC 4120
|
|
|---|---|---|---|
| Last updated | 2016-03-03 | ||
| Replaces | draft-ietf-krb-wg-cammac | ||
| Stream | IETF | ||
| Formats | plain text pdf html bibtex | ||
| Reviews | |||
| Stream | WG state | Submitted to IESG for Publication | |
| Document shepherd | Benjamin Kaduk | ||
| Shepherd write-up | Show (last changed 2015-11-18) | ||
| IESG | IESG state | RFC 7751 (Proposed Standard) | |
| Consensus Boilerplate | Yes | ||
| Telechat date | |||
| Responsible AD | Stephen Farrell | ||
| Send notices to | (None) | ||
| IANA | IANA review state | IANA OK - No Actions Needed | |
| IANA action state | No IANA Actions | ||
Internet Engineering Task Force (IETF) S. Sorce
Request for Comments: 7751 Red Hat
Updates: 4120 T. Yu
Category: Standards Track MIT
ISSN: 2070-1721 March 2016
Kerberos Authorization Data Container Authenticated by Multiple
Message Authentication Codes (MACs)
Abstract
This document specifies a Kerberos authorization data container that
supersedes AD-KDC-ISSUED. It allows for multiple Message
Authentication Codes (MACs) or signatures to authenticate the
contained authorization data elements. The multiple MACs are needed
to mitigate shortcomings in the existing AD-KDC-ISSUED container.
This document updates RFC 4120.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7751.
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Sorce & Yu Standards Track [Page 1]
RFC 7751 Container Authenticated by Multiple MACs March 2016
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Requirements Language . . . . . . . . . . . . . . . . . . . . 2
3. Motivations . . . . . . . . . . . . . . . . . . . . . . . . . 2
4. Encoding . . . . . . . . . . . . . . . . . . . . . . . . . . 4
5. Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
6. Assigned Numbers . . . . . . . . . . . . . . . . . . . . . . 6
7. Security Considerations . . . . . . . . . . . . . . . . . . . 6
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
8.1. Normative References . . . . . . . . . . . . . . . . . . 9
8.2. Informative References . . . . . . . . . . . . . . . . . 9
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10
1. Introduction
This document specifies a new authorization data container for
Kerberos, called the CAMMAC (Container Authenticated by Multiple
MACs). The Abstract Syntax Notation One (ASN.1) type implementing
the CAMMAC concept is the AD-CAMMAC, which supersedes the AD-KDC-
ISSUED authorization data type specified in [RFC4120]. This new
container allows both the receiving application service and the Key
Distribution Center (KDC) itself to verify the authenticity of the
contained authorization data. The AD-CAMMAC container can also
include additional verifiers that "trusted services" can use to
verify the contained authorization data.
2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
3. Motivations
The Kerberos protocol allows clients to submit arbitrary
authorization data for a KDC to insert into a Kerberos ticket. These
client-requested authorization data allow the client to express
authorization restrictions that the application service will
interpret. With few exceptions, the KDC can safely copy these
client-requested authorization data to the issued ticket without
necessarily inspecting, interpreting, or filtering their contents.
The AD-KDC-ISSUED authorization data container specified in RFC 4120
[RFC4120] is a means for KDCs to include positive or permissive
(rather than restrictive) authorization data in service tickets in a
way that the service named in a ticket can verify that the KDC has
Sorce & Yu Standards Track [Page 2]
RFC 7751 Container Authenticated by Multiple MACs March 2016
Show full document text