4 Network Working Group L. Hornquist Astrand
5 Internet-Draft Apple, Inc
6 Intended status: Standards Track August 13, 2008
7 Expires: February 14, 2009
10 Kerberos ticket extensions
11 draft-lha-krb-wg-ticket-extensions-00
15 By submitting this Internet-Draft, each author represents that any
16 applicable patent or other IPR claims of which he or she is aware
17 have been or will be disclosed, and any of which he or she becomes
18 aware will be disclosed, in accordance with Section 6 of BCP 79.
20 Internet-Drafts are working documents of the Internet Engineering
21 Task Force (IETF), its areas, and its working groups. Note that
22 other groups may also distribute working documents as Internet-
25 Internet-Drafts are draft documents valid for a maximum of six months
26 and may be updated, replaced, or obsoleted by other documents at any
27 time. It is inappropriate to use Internet-Drafts as reference
28 material or to cite them other than as "work in progress."
30 The list of current Internet-Drafts can be accessed at
31 http://www.ietf.org/ietf/1id-abstracts.txt.
33 The list of Internet-Draft Shadow Directories can be accessed at
34 http://www.ietf.org/shadow.html.
36 This Internet-Draft will expire on February 14, 2009.
40 Copyright (C) The IETF Trust (2008).
55 Hornquist Astrand Expires February 14, 2009 [Page 1]
57 Internet-Draft Kerberos ticket extensions August 2008
62 The Kerberos protocol does not allow ticket extensions. This make it
63 harder to deploy features like referrals and PKCROSS.
65 Since the Kerberos protocol did not specified extensibility for the
66 Ticket structure and the current implementations are aware of the
67 contents of tickets, the extension protocol cannot simply extend the
68 Ticket ASN.1 structure. Instead, the extension data needs to be
69 hidden inside the ticket.
74 1. Requirements Notation . . . . . . . . . . . . . . . . . . . . 3
75 2. Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
76 3. How to request a new assignment for a ticket extension . . . . 6
77 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7
78 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8
79 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
80 7. Normative References . . . . . . . . . . . . . . . . . . . . . 10
81 Appendix A. Ticket-extensions ASN.1 Module . . . . . . . . . . . 11
82 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 12
83 Intellectual Property and Copyright Statements . . . . . . . . . . 13
111 Hornquist Astrand Expires February 14, 2009 [Page 2]
113 Internet-Draft Kerberos ticket extensions August 2008
116 1. Requirements Notation
118 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
119 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
120 document are to be interpreted as described in [RFC2119].
167 Hornquist Astrand Expires February 14, 2009 [Page 3]
169 Internet-Draft Kerberos ticket extensions August 2008
174 The ticket and enc-part as defined by [RFC4120] is defined as follow:
177 Ticket ::= [APPLICATION 1] SEQUENCE {
178 tkt-vno [0] INTEGER (5),
180 sname [2] PrincipalName,
181 enc-part [3] EncryptedData -- EncTicketPart
184 EncryptedData ::= SEQUENCE {
185 etype [0] Int32 -- EncryptionType --,
186 kvno [1] UInt32 OPTIONAL,
187 cipher [2] OCTET STRING -- ciphertext
192 This document uses the special encryption type etype-TBETicket to
193 signal that enc-part.cipher contains the DER-encoded TBETicket
194 structure, instead of an encrypted EncTicketPart.
198 etype-TBETicket INTEGER ::= 4711 -- TBA XXX --
200 krb5int32 ::= INTEGER (-2147483648..2147483647)
202 TBETicket ::= SEQUENCE {
203 etype [0] krb5int32 -- EncryptionType --,
204 cipher [1] OCTET STRING
205 extensions [2] SEQUENCE OF TicketExtension OPTIONAL
209 TicketExtension ::= SEQUENCE {
210 te-type [0] krb5int32,
211 te-data [1] OCTET STRING
212 te-csum [2] Checksum OPTIONAL
216 The content of cipher data and encryption type fields is moved inside
219 Negative ticket extensions types (te-type) is private extensions and
223 Hornquist Astrand Expires February 14, 2009 [Page 4]
225 Internet-Draft Kerberos ticket extensions August 2008
228 MUST only be used for experimentation.
230 The te-type field is specificing the type of the content in te-data.
231 Unknown te-types MUST be ignored both by the client and the server.
233 The te-csum field is optional for the type, when in use by type type
234 specifed in te-type, the key have to be specifed (usually the session
235 key of the ticket) and the key usage number.
237 The KDC MUST only return this extension in the AS-REQ if all other
238 KDCs for the same realm also supports this extension.
240 The KDC MUST only return this extension in the TGS-REQ to server the
241 KDC knows supports these extension. This includes both cross realm
242 tickets and service tickets.
244 The KDC MAY return extended tickets to servers supporting ticket
245 extensions even if the extended ticket does not contain any
279 Hornquist Astrand Expires February 14, 2009 [Page 5]
281 Internet-Draft Kerberos ticket extensions August 2008
284 3. How to request a new assignment for a ticket extension
286 When anyone is writing a internet-draft for which a new assignment
287 for te-type is needed/wanted under the ticket extension, then the
288 proper way to do so is as follows:
291 EXAMPLE-MODULE DEFINITIONS ::= BEGIN
293 krb5-ticket-extension-Name ::= INTEGER nnn
294 -- IANA: please assign nnn
295 -- RFC-Editor: replace nnn with IANA-assigned
296 -- number and remove this note
300 IANA: Don't do note above, its an example, remove this note RFC-
301 Editor: Don't do note above, its an example, remove this note IANA
302 will assign the number as part of the RFC publication process.
304 When reviewing the document, the reviewer should take sure to check
305 that if te-csum is used, the siging key and key usage is specifed.
335 Hornquist Astrand Expires February 14, 2009 [Page 6]
337 Internet-Draft Kerberos ticket extensions August 2008
340 4. Security Considerations
342 This document describes how to extend Kerberos tickets to include
343 additional data in the ticket. This does have a security
344 implications since the extension data in the TBETicket is only
345 optionally signed, not encrypted and is not replay protected. It is
346 up to the consumers of this interface to make sure its used safely.
391 Hornquist Astrand Expires February 14, 2009 [Page 7]
393 Internet-Draft Kerberos ticket extensions August 2008
398 Thanks to Leif Johansson, and Kamada Ken'ichi for reviewing the
399 document and provided suggestions for improvements.
447 Hornquist Astrand Expires February 14, 2009 [Page 8]
449 Internet-Draft Kerberos ticket extensions August 2008
452 6. IANA Considerations
454 There are currently no ticket extensions. Future ticket extensions
455 will be published at:
458 http://www.iana.org/assignments/NNNNNNNN
459 -- IANA: please name registry, proposal: krb5-ticket-extensions
462 IANA is requested to maintain this registry for future assignments.
463 New assignments can only be made via Specification Required as
464 described in [RFC2434].
466 IANA will assign the number as part of the RFC publication process.
503 Hornquist Astrand Expires February 14, 2009 [Page 9]
505 Internet-Draft Kerberos ticket extensions August 2008
508 7. Normative References
510 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
511 Requirement Levels", BCP 14, RFC 2119, March 1997.
513 [RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an
514 IANA Considerations Section in RFCs", BCP 26, RFC 2434,
517 [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
518 Kerberos Network Authentication Service (V5)", RFC 4120,
559 Hornquist Astrand Expires February 14, 2009 [Page 10]
561 Internet-Draft Kerberos ticket extensions August 2008
564 Appendix A. Ticket-extensions ASN.1 Module
568 KerberosV5-TicketExtensions {
569 iso(1) identified-organization(3) dod(6) internet(1)
570 security(5) kerberosV5(2) modules(4) ticket-extensions(TBA)
571 --- XXX who is the registerar for this number ?
572 } DEFINITIONS EXPLICIT TAGS ::= BEGIN
575 -- as defined in RFC 4120
577 FROM KerberosV5Spec2 { iso(1) identified-organization(3)
578 dod(6) internet(1) security(5) kerberosV5(2)
579 modules(4) krb5spec2(2) }
582 etype-TBETicket INTEGER ::= 4711 -- XXX TBA --
584 TBETicket ::= SEQUENCE {
585 etype [0] Int32 -- EncryptionType --,
586 cipher [1] OCTET STRING
587 extensions [2] SEQUENCE OF TicketExtension OPTIONAL
590 TicketExtension ::= SEQUENCE {
591 te-type [0] krb5int32,
592 te-data [1] OCTET STRING
615 Hornquist Astrand Expires February 14, 2009 [Page 11]
617 Internet-Draft Kerberos ticket extensions August 2008
622 Love Hornquist Astrand
671 Hornquist Astrand Expires February 14, 2009 [Page 12]
673 Internet-Draft Kerberos ticket extensions August 2008
676 Full Copyright Statement
678 Copyright (C) The IETF Trust (2008).
680 This document is subject to the rights, licenses and restrictions
681 contained in BCP 78, and except as set forth therein, the authors
682 retain all their rights.
684 This document and the information contained herein are provided on an
685 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
686 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
687 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
688 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
689 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
690 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
693 Intellectual Property
695 The IETF takes no position regarding the validity or scope of any
696 Intellectual Property Rights or other rights that might be claimed to
697 pertain to the implementation or use of the technology described in
698 this document or the extent to which any license under such rights
699 might or might not be available; nor does it represent that it has
700 made any independent effort to identify any such rights. Information
701 on the procedures with respect to rights in RFC documents can be
702 found in BCP 78 and BCP 79.
704 Copies of IPR disclosures made to the IETF Secretariat and any
705 assurances of licenses to be made available, or the result of an
706 attempt made to obtain a general license or permission for the use of
707 such proprietary rights by implementers or users of this
708 specification can be obtained from the IETF on-line IPR repository at
709 http://www.ietf.org/ipr.
711 The IETF invites any interested party to bring to its attention any
712 copyrights, patents or patent applications, or other proprietary
713 rights that may cover technology that may be required to implement
714 this standard. Please address the information to the IETF at
720 Funding for the RFC Editor function is provided by the IETF
721 Administrative Support Activity (IASA).
727 Hornquist Astrand Expires February 14, 2009 [Page 13]