| blob | 1cd9f4a9377e975d6ac9b29c731f1da051742b71 |
3 Network Working Group Johansson
4 Internet-Draft Stockholm university
5 Expires: April 8, 2004 October 9, 2003
8 An information model for Kerberos version 5
9 draft-johansson-kerberos-model-00
11 Status of this Memo
13 This document is an Internet-Draft and is in full conformance with
14 all provisions of Section 10 of RFC2026.
16 Internet-Drafts are working documents of the Internet Engineering
17 Task Force (IETF), its areas, and its working groups. Note that other
18 groups may also distribute working documents as Internet-Drafts.
20 Internet-Drafts are draft documents valid for a maximum of six months
21 and may be updated, replaced, or obsoleted by other documents at any
22 time. It is inappropriate to use Internet-Drafts as reference
23 material or to cite them other than as "work in progress."
25 The list of current Internet-Drafts can be accessed at http://
26 www.ietf.org/ietf/1id-abstracts.txt.
28 The list of Internet-Draft Shadow Directories can be accessed at
29 http://www.ietf.org/shadow.html.
31 This Internet-Draft will expire on April 8, 2004.
33 Copyright Notice
35 Copyright (C) The Internet Society (2003). All Rights Reserved.
37 Abstract
39 This document describes an information model for Kerberos version 5
40 from the point of view of an administrative service. There is no
41 standard for administrating a kerberos 5 KDC. This document describes
42 the services exposed by an administrative interface to a KDC.
55 Johansson Expires April 8, 2004 [Page 1]
56 \f
57 Internet-Draft An information model for Kerberos version 5 October 2003
60 Table of Contents
62 1. Requirements notation . . . . . . . . . . . . . . . . . . . 3
63 2. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . 4
64 3. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 5
65 4. Information model . . . . . . . . . . . . . . . . . . . . . 6
66 4.1 Principal . . . . . . . . . . . . . . . . . . . . . . . . . 6
67 4.1.1 Principal: Attributes . . . . . . . . . . . . . . . . . . . 6
68 4.1.2 Principal: Associations . . . . . . . . . . . . . . . . . . 6
69 4.1.3 Principal: Remarks . . . . . . . . . . . . . . . . . . . . . 6
70 4.2 KeySet . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
71 4.2.1 KeySet: Attributes . . . . . . . . . . . . . . . . . . . . . 7
72 4.2.2 KeySet: Associations . . . . . . . . . . . . . . . . . . . . 7
73 4.2.3 KeySet: Remarks . . . . . . . . . . . . . . . . . . . . . . 7
74 4.3 Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
75 4.3.1 Key: Attributes . . . . . . . . . . . . . . . . . . . . . . 7
76 4.3.2 Key: Associations . . . . . . . . . . . . . . . . . . . . . 8
77 4.3.3 Key: Remarks . . . . . . . . . . . . . . . . . . . . . . . . 8
78 4.4 Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
79 4.4.1 Policy: Attributes . . . . . . . . . . . . . . . . . . . . . 8
80 4.4.2 Password Quality Policy . . . . . . . . . . . . . . . . . . 9
81 4.4.3 Password Management Policy . . . . . . . . . . . . . . . . . 9
82 4.4.4 Keying Policy . . . . . . . . . . . . . . . . . . . . . . . 9
83 5. Implementation Scenarios . . . . . . . . . . . . . . . . . . 10
84 5.1 LDAP backend to KDC . . . . . . . . . . . . . . . . . . . . 10
85 5.2 LDAP frontend to KDC . . . . . . . . . . . . . . . . . . . . 10
86 5.3 SOAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
87 6. Security Considerations . . . . . . . . . . . . . . . . . . 11
88 7. Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . 12
89 References . . . . . . . . . . . . . . . . . . . . . . . . . 13
90 Author's Address . . . . . . . . . . . . . . . . . . . . . . 13
91 Intellectual Property and Copyright Statements . . . . . . . 14
111 Johansson Expires April 8, 2004 [Page 2]
112 \f
113 Internet-Draft An information model for Kerberos version 5 October 2003
116 1. Requirements notation
118 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
119 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
120 document are to be interpreted as described in [RFC2119].
167 Johansson Expires April 8, 2004 [Page 3]
168 \f
169 Internet-Draft An information model for Kerberos version 5 October 2003
172 2. Motivation
174 The Kerberos version 5 authentication service described in [RFC1510]
175 describes how a Key Distribution Service (KDC) provides
176 authentication to clients. The standard does not stipulate how a KDC
177 is managed and several "kadmin" servers have evolved. This document
178 describes the services required to administrate a KDC and the
179 underlying information model assumed by a kadmin service.
181 The information model is written in terms of "attributes" and
182 "services" or "interfaces" but the use of these particular words MUST
183 NOT be taken to imply any particular modeling paradigm so that
184 neither an object oriented model or an LDAP schema is intended. The
185 author has attempted to describe in natural language the intended
186 semantics and syntax of the components of the model. An LDAP schema
187 (say) based on this model will be more precise in the expression of
188 the syntax while preserving the semantics of this model.
190 Implementations of this document MAY decide to change the names used
191 (eg principalName). If so an implementation MUST provide a name to
192 name mapping to this document.
223 Johansson Expires April 8, 2004 [Page 4]
224 \f
225 Internet-Draft An information model for Kerberos version 5 October 2003
228 3. Acknowledgments
230 Love H÷rnquist-Êstrand <lha@it.su.se> for important contributions.
279 Johansson Expires April 8, 2004 [Page 5]
280 \f
281 Internet-Draft An information model for Kerberos version 5 October 2003
284 4. Information model
286 4.1 Principal
288 The fundamental entity stored in a KDC is the principal. The
289 principal is associated to keys and generalizes the "user" concept.
291 4.1.1 Principal: Attributes
293 4.1.1.1 principalName
295 A principal MUST be uniquely identified withing the administrative
296 context of the KDC by the principalName. The type of the
297 principalName is not described in this document. It is a unique
298 identifier and can be viewed as an opaque which can be compared for
299 equality with.
301 4.1.1.2 principalNotUsedBefore
303 The principal may not be used before this date. The syntax of the
304 attribute MUST be semantically equivalent with ISO date format.
306 4.1.1.3 principalNotUsedAfter
308 The principal may not be used after this date. The syntax of the
309 attribute MUST be semantically equivalent to standard ISO date
310 format.
312 4.1.1.4 principalIsDisabled
314 A boolean attribute used to temporarily disable a principal.
316 4.1.1.5 principalAliases
318 This multivalued attribute contains a set of aliases for the
319 principal.
321 4.1.2 Principal: Associations
323 Each principal MUST be associated with exactly one KeySet and MAY be
324 associated with 1 or more Policies. The KeySet is represented as an
325 object in this model since it has attributes associated with it (the
326 key version number).
328 4.1.3 Principal: Remarks
330 Traditionally a principal consists of a local-part and a realm
331 denoted in string form by local-part@REALM. The realm concept is used
335 Johansson Expires April 8, 2004 [Page 6]
336 \f
337 Internet-Draft An information model for Kerberos version 5 October 2003
340 to provide administrative boundaries and together with cross-realm
341 authentication provides scalability to Kerberos 5. However the realm
342 is not central to an administrative information model. For instance
343 the initialization or creation of a realm is equivalent to creating a
344 specific set of principals (krbtgt@REALM, etc) which is covered by
345 the model and services described in this document. A realm is
346 typically associated with policy covering (for instance) keying and
347 password management. The management of such policy and their
348 association to realms is beyond the scope of this document.
350 4.2 KeySet
352 A KeySet is a set of keys associated with exactly one principal. This
353 object and the associated associations MAY be supported by
354 implementations. Implementations (eg and LDAP schema) MUST NOT
355 mandate the representation of keys. It is expected that most
356 implementations of this standard will use the set/change password
357 protocol for all aspects of key management
358 [I-D.ietf-krb-wg-kerberos-set-passwd]. This information model
359 includes these objects for completeness.
361 4.2.1 KeySet: Attributes
363 4.2.1.1 keySetVersionNumber
365 This is traditionally called the key version number (kvno).
367 4.2.2 KeySet: Associations
369 To each KeySet MUST be associated a set of 1 or more Keys.
371 4.2.3 KeySet: Remarks
373 The reason for separating the KeySet from the Principal is security.
374 The security of Kerberos 5 depends absolutely on the security of the
375 keys stored in the KDC. The KeySet type is provided to make this
376 clear and to make separation of keys from other parts of the model
377 clear.
379 Implementations of this standard (eg an LDAP schema) MUST preserve
380 this distinction.
382 4.3 Key
384 4.3.1 Key: Attributes
391 Johansson Expires April 8, 2004 [Page 7]
392 \f
393 Internet-Draft An information model for Kerberos version 5 October 2003
396 4.3.1.1 keyEncryptionType
398 TODO
400 4.3.1.2 keyValue
402 TODO
404 4.3.1.3 keySaltValue
406 TODO
408 4.3.1.4 keyStringToKeyParameter
410 The syntax of this opaque object is defined by the encryption type
411 used.
413 4.3.1.5 keyNotUsedAfter
415 This key MUST NOT be used after this date.
417 4.3.1.6 keyNotUsedBefore
419 This key MUST NOT be used before this date.
421 4.3.1.7 keyIsDisabled
423 If this attribute is true the key MUST NOT be used
425 4.3.2 Key: Associations
427 None
429 4.3.3 Key: Remarks
431 The security of the keys is a requirement for the operation of
432 Kerberos 5.
434 4.4 Policy
436 4.4.1 Policy: Attributes
438 4.4.1.1 policyIdentifier
440 The policyIdentifier MUST be unique within the local administrative
441 context and SHOULD be globally unique. It may be valuable to use a
442 mechanism for policy identification which is likely to be
443 representable in may possible implementations of this standard. A few
447 Johansson Expires April 8, 2004 [Page 8]
448 \f
449 Internet-Draft An information model for Kerberos version 5 October 2003
452 possibilities are
454 An Object Identifier (OID)
456 A URN
458 A UUID
461 4.4.1.2 policyIsMandatory
463 This attribute indicates that the KDC MUST be able to correctly
464 interpret and apply this policy for the key to be used.
466 4.4.1.3 policyContent
468 This is an optional opaque binary value used to store a
469 representation of the policy. In general a policy cannot be fully
470 expressed using attribute-value pairs. The attribute is optional in
471 the sense that an implementation MAY use it to store an opaque value
472 for those policy-types which are not representable in that
473 implementation. When used the attribute MUST be implemented as a
474 mandatory attribute if the implementation supports mandatory/optional
475 attributes.
477 4.4.2 Password Quality Policy
479 4.4.2.1 Password Quality Policy: Attributes
481 Password quality policy controls the requirements placed by the KDC
482 on new passwords. TODO: update with information from Nico
484 4.4.3 Password Management Policy
486 4.4.3.1 Password Management Policy: Attributes
488 Password management policy controls how passwords are changed. TODO:
489 update with information from Nico and Ludovic
491 4.4.4 Keying Policy
493 4.4.4.1 Keying Policy: Attributes
495 A keying policy specifies the association of enctypes with new
496 principals, i.e when a principal is created one of the possibly many
497 applicable keying policies determine the set of keys to associate
498 with the principal. In general the expression of a keying policy may
499 require a Touring-complete language.
503 Johansson Expires April 8, 2004 [Page 9]
504 \f
505 Internet-Draft An information model for Kerberos version 5 October 2003
508 5. Implementation Scenarios
510 There are several ways to implement an administrative service for
511 Kerberos 5 based on this information model. In this section we list a
512 few of them.
514 5.1 LDAP backend to KDC
516 Given an LDAP schema implementation of this information model it
517 would be possible to build an administrative service by backending
518 the KDC to a directory server where principals and keys are stored.
519 Using the security mechanisms available on the directory server keys
520 are protected from access by anyone apart from the KDC.
521 Administration of the principals, policy and other non-key data is
522 done through the directory server while the keys are modified using
523 the set/change password protocol
524 [I-D.ietf-krb-wg-kerberos-set-passwd].
526 5.2 LDAP frontend to KDC
528 An alternative way to provide a directory interface to the KDC is to
529 implement an LDAP-frontend to the KDC which exposes all non-key
530 objects as entries and attributes. As in the example above all keys
531 are modified using the set/change password protocol
532 [I-D.ietf-krb-wg-kerberos-set-passwd]. In this scenario the
533 implementation would typically not use a traditional LDAP
534 implementation but treat LDAP as an access-protocol to data in the
535 native KDC database.
537 5.3 SOAP
539 Given an XML schema implementation of this information model it would
540 be possible to build a SOAP-interface to the KDC. This demonstrates
541 the value of creating an abstract information model which is mappable
542 to multiple schema representations.
559 Johansson Expires April 8, 2004 [Page 10]
560 \f
561 Internet-Draft An information model for Kerberos version 5 October 2003
564 6. Security Considerations
566 This document describes an abstract information model for Kerberos 5.
567 The Kerberos 5 protocol depends on the security of the keys stored in
568 the KDC. The model described here assumes that keys MUST NOT be
569 transported in the clear over the network and furthermore that keys
570 are treated as write-only attributes that SHALL only be modified
571 (using the administrative interface) by the change-password protocol
572 [I-D.ietf-krb-wg-kerberos-set-passwd].
574 Exposing the object model of a KDC typically implies that objects can
575 be modified and/or deleted. In a KDC not all principals are created
576 equal, so that for instance deleting krbtgt/EXAMPLE.COM@EXAMPLE.COM
577 effectively disables the EXAMPLE.COM realm. Hence access control is
578 paramount to the security of any implementation. This document does
579 not (at the time of writing - leifj) mandate access control. This
580 only implies that access control is beyond the scope of the standard
581 information model, i.e that access control MAY NOT be accessible via
582 any protocol based on this model. If access control objects is
583 exposed via an extension to this model the presence of access control
584 may in itself provide points of attack by giving away information
585 about principals with elevated rights etc. etc.
615 Johansson Expires April 8, 2004 [Page 11]
616 \f
617 Internet-Draft An information model for Kerberos version 5 October 2003
620 7. Remarks
622 A few notes and TODOs:
624 Do we want to model access control? I have received a few notes on
625 that from Love. It will affect both the model and the security
626 considerations but It may be relevant. The catch is that most
627 implementations (SOAP, LDAP, etc) will have acl mechanisms
628 separate from the data which makes modeling acls difficult.
629 Perhaps there are certain aspects of access control which can be
630 modeled with relative ease - for instance the ability to make an
631 object immutable.
633 Need to specify how extensions to the model happens.
635 Comparison for equality is implied by specifying syntax, but what
636 about ordering? Do we need/want to compare objects/
637 attribute-values for order?
639 Explanatory text on a few of the basic attributes that doesn't
640 just repeat the section title.
642 Expand on the password policy types. Is the subdivision into
643 quality and management policies valid?
671 Johansson Expires April 8, 2004 [Page 12]
672 \f
673 Internet-Draft An information model for Kerberos version 5 October 2003
676 References
678 [I-D.ietf-krb-wg-kerberos-clarifications]
679 Neuman, C., "The Kerberos Network Authentication Service
680 (V5)", draft-ietf-krb-wg-kerberos-clarifications-04 (work
681 in progress), June 2003.
683 [I-D.ietf-krb-wg-kerberos-set-passwd]
684 Trostle, J., "Kerberos Set/Change Password: Version 2",
685 draft-ietf-krb-wg-kerberos-set-passwd-00 (work in
686 progress), May 2003.
688 [RFC1510] Kohl, J. and B. Neuman, "The Kerberos Network
689 Authentication Service (V5)", RFC 1510, September 1993.
691 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
692 Requirement Levels", BCP 14, RFC 2119, March 1997.
695 Author's Address
697 Leif Johansson
698 Stockholm university
699 Enheten f÷r IT och Media
700 Stockholm SE-106 91
702 EMail: leifj@it.su.se
703 URI: http://people.su.se/~leifj/
727 Johansson Expires April 8, 2004 [Page 13]
728 \f
729 Internet-Draft An information model for Kerberos version 5 October 2003
732 Intellectual Property Statement
734 The IETF takes no position regarding the validity or scope of any
735 intellectual property or other rights that might be claimed to
736 pertain to the implementation or use of the technology described in
737 this document or the extent to which any license under such rights
738 might or might not be available; neither does it represent that it
739 has made any effort to identify any such rights. Information on the
740 IETF's procedures with respect to rights in standards-track and
741 standards-related documentation can be found in BCP-11. Copies of
742 claims of rights made available for publication and any assurances of
743 licenses to be made available, or the result of an attempt made to
744 obtain a general license or permission for the use of such
745 proprietary rights by implementors or users of this specification can
746 be obtained from the IETF Secretariat.
748 The IETF invites any interested party to bring to its attention any
749 copyrights, patents or patent applications, or other proprietary
750 rights which may cover technology that may be required to practice
751 this standard. Please address the information to the IETF Executive
752 Director.
755 Full Copyright Statement
757 Copyright (C) The Internet Society (2003). All Rights Reserved.
759 This document and translations of it may be copied and furnished to
760 others, and derivative works that comment on or otherwise explain it
761 or assist in its implementation may be prepared, copied, published
762 and distributed, in whole or in part, without restriction of any
763 kind, provided that the above copyright notice and this paragraph are
764 included on all such copies and derivative works. However, this
765 document itself may not be modified in any way, such as by removing
766 the copyright notice or references to the Internet Society or other
767 Internet organizations, except as needed for the purpose of
768 developing Internet standards in which case the procedures for
769 copyrights defined in the Internet Standards process must be
770 followed, or as required to translate it into languages other than
771 English.
773 The limited permissions granted above are perpetual and will not be
774 revoked by the Internet Society or its successors or assignees.
776 This document and the information contained herein is provided on an
777 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
778 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
779 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
783 Johansson Expires April 8, 2004 [Page 14]
784 \f
785 Internet-Draft An information model for Kerberos version 5 October 2003
788 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
789 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
792 Acknowledgement
794 Funding for the RFC Editor function is currently provided by the
795 Internet Society.
839 Johansson Expires April 8, 2004 [Page 15]
840 \f