110 likes | 225 Views
Enhancing Credential Selection in IETF Protocols. Stefan Santesson stefans@microsoft.com. Problem. The client user has a set of credentials The service request the user to authenticate using a credential The user has several credential matching the criteria from the service.
E N D
Enhancing Credential Selection in IETF Protocols Stefan Santesson stefans@microsoft.com
Problem • The client user has a set of credentials • The service request the user to authenticate using a credential • The user has several credential matching the criteria from the service
Case study TLS and X.509 • Criteria restricted to CA names and public key algorithms • We have encountered many situations where this is not sufficient • Multipple roles • Different services under common roots
Proposal • http://www.ietf.org/internet-drafts/draft-santesson-credsel-01.txt • A comon data construct for credential selection that can be sent in multipple protocols • Currently generic, but may be restricted to X.509.
Design criteria • Generic • Simple design • Easy to use for clients • Agnostic to new credential format development • Extensible
Structure SelectionCriteria ::= SEQUENCE OF Criteria Criteria ::= { credentialType OBJECT IDENTIFIER --identifier for --credential type selectData SelectData } SelectData ::= SEQUENCE { basicSelectData [0] BasicSelectData OPTIONAL advancedSelectData [1] AdvancedSelectData OPTIONAL} AdvancedSelectData ::= { selectSyntaxID OBJECT IDENTIFIER selectData ANY DEFINED BY selectSyntaxID ] BasicSelectData ::= SEQUENCE { includeStrings [0] SelectStrings OPTIONAL excludeStrings [1] SelectStrings OPTIONAL } SelectStrings ::= SEQUENCE OF AltValues AltValues ::= SEQUENCE OF OCTET STRING
Example X.509 BasicSelectData (SEQUENCE) Include strings (SEQUENCE) - Altvalues (SEQUENCE) - Certificate policy 1 OID - Certificate policy 2 OID - Altvalues (SEQUENCE) - Key usage extension (with only digital signature bit set) Exclude strings (SEQUENCE) - Altvalues (SEQUENCE) - EKU A OID - EKU B OID Certificate match if all of the following is true: • includes certificate policy 1 or certificate policy 2 (or both) • includes a key usage extension with only the digital signature bit set • does not contain EKU OID A • does not contain EKU OID B
Example – Name attribute search Tag Length Value __________________________________________________________________ 30 37 SEQUENCE 06 3 OBJECT IDENTIFIER commonName (2 5 4 3) 13 30 PrintableString 'Microsoft Corp Enterprise CA 2' Search octet string DER: 30 2506 03 85 04 03 13 1e 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 20 45 6e 74 65 72 70 72 69 73 65 20 43 41 20 32
X.509 – Can and can’t do • Can do • Search for specific OIDs and attributes such as Certificate policies, EKUs • Search for complete extensions, such as acceptable key usage extensions • Can’t do • Search for an extension with specific partial content when length of extension is unknown • Search for X somewhere in part Y'
Kerberos ticket – RFC 4120 • Search possible on Realm and Principal Name only • Is it useful? Ticket ::= [APPLICATION 1] SEQUENCE { tkt-vno [0] INTEGER (5), realm [1] Realm, sname [2] PrincipalName, enc-part [3] EncryptedData -- EncTicketPart }
Way Forward • Good or bad idea? • Terminology – Credential? • Progress as individual submission or within a work group? • Implementation in Protocols