
On Standardization of Kerberos Names in X.509 Certificates

Paul Rabinovich, Exostar, LLC. 6th Annual PKI R&D Workshop, April 18, 2007.





Presentation Transcript


  1. On Standardization of Kerberos Names in X.509 Certificates Paul Rabinovich Exostar, LLC 6th Annual PKI R&D Workshop April 18, 2007

  2. Names in X.509 Certificates
  • Names: Subject; Subject alternative name (E-mail address, DNS name, IP address, URI, X.500 name, Other name); Name constraints
  • Other name: Type; Name proper
  • Examples: Federal Agency Smart Credential Number (FASC-N); Permanent identifier (RFC 4043); User principal name

  3. Kerberos Names: Applicability
  • MS Windows: Kerberos ubiquitous in enterprise; primary name: UPN
  • UNIX: Vintela Authentication Service; Centrify DirectControl
  • J2EE: GSS-API and Kerberos ubiquitous in enterprise
  • Kerberos names: ubiquitous, unique, stable

  4. Requirements • Standardize • Name representation • Name constraint representation

  5. Option 1: MS Windows

  6. Option 1: Name Constraints (Windows .inf name-constraints syntax)
    [NameConstraintsExtension]
    Include=Permit
    Exclude=Exclude
    Critical=TRUE
    [Permit]
    UPN=xyz.com       (exact match)
    UPN=.xyz.com      (subtree match)
    [Exclude]

  7. Option 1: Analysis • Pros • Available everywhere MS Windows is • Cons • Proprietary object ID

  8. Option 2: RFC 1964
  • Object ID: iso(1) member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) krb5(2) krb5_name(1), i.e. 1.2.840.113554.1.2.2.1
  • Name encoding: as in MS Windows
  • Name constraints: as in MS Windows

  9. Option 2: Analysis • Pros • Standard-based object ID • Cons • Name encoding foreign to Kerberos

  10. Option 3: PKINIT
  • OtherName type:
    id-pkinit-san OBJECT IDENTIFIER ::= { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2) x509SanAN(2) }
  • OtherName value (name-type NT_PRINCIPAL):
    KerberosString ::= IA5String
    Realm ::= KerberosString
    PrincipalName ::= SEQUENCE {
      name-type   [0] Int32,
      name-string [1] SEQUENCE OF KerberosString
    }
    KRB5PrincipalName ::= SEQUENCE {
      realm         [0] Realm,
      principalName [1] PrincipalName
    }

  11. Option 3: Name Constraints
  • Exact match: EXAMPLE.COM matches EXAMPLE.COM
  • Suffix match: %EXAMPLE.COM matches FOO.EXAMPLE.COM
  • Escaping: \%EXAMPLE.COM matches %EXAMPLE.COM; \\%EXAMPLE.COM matches \%EXAMPLE.COM
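The constraint syntax on this slide, together with the permit/exclude evaluation that the Option 1 [Permit]/[Exclude] sections imply, as an added Python example (not code from the presentation). The slide defines exact match, a leading % for suffix match and backslash escaping; two details are assumptions beyond the slide and are marked as such in the code: a suffix match is anchored at a label boundary (so %EXAMPLE.COM does not match EVILEXAMPLE.COM), and the permitted/excluded lists are combined the way RFC 5280 name constraints are (any excluded match rejects, a non-empty permitted list must be satisfied).

```python
# Added example: evaluate the Kerberos-realm name-constraint syntax from the
# slide (exact match, '%' suffix match, backslash escaping) and combine
# permitted/excluded lists the way RFC 5280 name constraints are combined.

def parse_constraint(pattern):
    """Split a constraint into (is_suffix, literal).

    A leading '%' selects suffix matching.  Elsewhere a backslash escapes the
    next character, so '\\%EXAMPLE.COM' is the literal '%EXAMPLE.COM' and
    '\\\\%EXAMPLE.COM' is the literal '\\%EXAMPLE.COM'.
    """
    suffix = pattern.startswith("%")
    body = pattern[1:] if suffix else pattern
    literal, i = [], 0
    while i < len(body):
        if body[i] == "\\":
            i += 1
            if i == len(body):
                raise ValueError("dangling escape in constraint %r" % pattern)
        literal.append(body[i])
        i += 1
    if not literal:
        raise ValueError("empty constraint %r" % pattern)
    return suffix, "".join(literal)


def realm_matches(pattern, realm):
    """True if the realm satisfies one constraint.

    Realm names are case-sensitive in Kerberos, so nothing is case-folded.
    Assumption beyond the slide: a suffix match is anchored at a '.' label
    boundary, so '%EXAMPLE.COM' matches 'EXAMPLE.COM' and 'FOO.EXAMPLE.COM'
    but not 'EVILEXAMPLE.COM'; '%.EXAMPLE.COM' matches proper sub-realms only.
    """
    suffix, literal = parse_constraint(pattern)
    if not suffix:
        return realm == literal
    if literal.startswith("."):
        return realm.endswith(literal) and len(realm) > len(literal)
    return realm == literal or realm.endswith("." + literal)


def realm_allowed(realm, permitted=(), excluded=()):
    """RFC 5280-style evaluation (assumed, not stated on the slide): any excluded
    match rejects; with a non-empty permitted list the realm must match at
    least one entry; no constraints at all means everything is allowed."""
    if any(realm_matches(p, realm) for p in excluded):
        return False
    return not permitted or any(realm_matches(p, realm) for p in permitted)


if __name__ == "__main__":
    # Constructed policy: the CA may issue for EXAMPLE.COM and its sub-realms,
    # except the TEST.EXAMPLE.COM tree.
    policy = dict(permitted=["%EXAMPLE.COM"], excluded=["%TEST.EXAMPLE.COM"])
    for realm in ["EXAMPLE.COM", "DEV.EXAMPLE.COM", "A.TEST.EXAMPLE.COM", "EVILEXAMPLE.COM"]:
        print(realm, "->", "allowed" if realm_allowed(realm, **policy) else "rejected")
```

The escaping rule matters for the parser more than for real realms: a constraint that begins with an escaped character is always an exact match, so a policy author cannot accidentally turn a literal realm containing % into a wildcard.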

  12. Option 3: Analysis • Pros • Standard-based object ID • Kerberos-native name encoding • Cons • Still OtherName

  13. Option 4: X.509 GeneralName
  • Name encoding: add krb5PrincipalName as a new GeneralName alternative (tag [9])
  • Name constraints: as in Option 3
    GeneralName ::= CHOICE {
      otherName                 [0] OtherName,
      rfc822Name                [1] IA5String,
      dNSName                   [2] IA5String,
      x400Address               [3] ORAddress,
      directoryName             [4] Name,
      ediPartyName              [5] EDIPartyName,
      uniformResourceIdentifier [6] IA5String,
      iPAddress                 [7] OCTET STRING,
      registeredID              [8] OBJECT IDENTIFIER,
      krb5PrincipalName         [9] KRB5PrincipalName
    }

  14. Option 4: Analysis • Pros • Well-known name type • Kerberos-native name encoding • Cons • Requires change to X.509 GeneralName • Not too bad: backward compatibility still maintained

  15. Summary • Regardless of the option need to • Take advantage of Kerberos principal names • Standardize name encoding • Define syntax and semantics for name constraints

  16. Acknowledgement • David Cooper (NIST) for helpful suggestions

  17. Thank You.
