
Enhancing Credential Selection in IETF Protocols


Presentation Transcript


  1. Enhancing Credential Selection in IETF Protocols
  Stefan Santesson, stefans@microsoft.com

  2. Problem
  • The client user has a set of credentials
  • The service requests the user to authenticate using a credential
  • The user has several credentials matching the criteria sent by the service

  3. Case study: TLS and X.509
  • Criteria restricted to CA names and public key algorithms (the TLS CertificateRequest message carries only the acceptable certificate types and CA distinguished names)
  • We have encountered many situations where this is not sufficient
    • Multiple roles
    • Different services under common roots

  4. Proposal
  • http://www.ietf.org/internet-drafts/draft-santesson-credsel-01.txt
  • A common data construct for credential selection that can be sent in multiple protocols
  • Currently generic, but may be restricted to X.509

  5. Design criteria
  • Generic
  • Simple design
  • Easy to use for clients
  • Agnostic to new credential format development
  • Extensible

  6. Structure

    SelectionCriteria ::= SEQUENCE OF Criteria

    Criteria ::= SEQUENCE {
        credentialType  OBJECT IDENTIFIER,   -- identifier for credential type
        selectData      SelectData }

    SelectData ::= SEQUENCE {
        basicSelectData     [0] BasicSelectData OPTIONAL,
        advancedSelectData  [1] AdvancedSelectData OPTIONAL }

    AdvancedSelectData ::= SEQUENCE {
        selectSyntaxID  OBJECT IDENTIFIER,
        selectData      ANY DEFINED BY selectSyntaxID }

    BasicSelectData ::= SEQUENCE {
        includeStrings  [0] SelectStrings OPTIONAL,
        excludeStrings  [1] SelectStrings OPTIONAL }

    SelectStrings ::= SEQUENCE OF AltValues

    AltValues ::= SEQUENCE OF OCTET STRING

  7. Example X.509

    BasicSelectData (SEQUENCE)
      Include strings (SEQUENCE)
        - AltValues (SEQUENCE)
            - Certificate policy 1 OID
            - Certificate policy 2 OID
        - AltValues (SEQUENCE)
            - Key usage extension (with only the digital signature bit set)
      Exclude strings (SEQUENCE)
        - AltValues (SEQUENCE)
            - EKU A OID
            - EKU B OID

  A certificate matches if all of the following are true:
  • it includes certificate policy 1 or certificate policy 2 (or both)
  • it includes a key usage extension with only the digital signature bit set
  • it does not contain EKU OID A
  • it does not contain EKU OID B

  In other words, the octet strings inside one AltValues group are alternatives (OR), the AltValues groups under includeStrings must all be satisfied (AND), and a hit on any octet string under excludeStrings rejects the credential.

  8. Example – Name attribute search

    Tag  Length  Value
    __________________________________________________________________
    30   37      SEQUENCE
    06   3       OBJECT IDENTIFIER commonName (2 5 4 3)
    13   30      PrintableString 'Microsoft Corp Enterprise CA 2'

  (Tags are in hex, the lengths in the table are decimal.) Search octet string, DER:

    30 25 06 03 55 04 03 13 1e 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70
    20 45 6e 74 65 72 70 72 69 73 65 20 43 41 20 32
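Added example, not code from the draft or the slides: a small Python matcher that builds the commonName search string of slide 8 with its own DER helpers and applies the include/exclude rule of slides 6 and 7 as byte-substring searches over a credential. The two policy OIDs (1.2.3.4.1, 1.2.3.4.2) and the CERT bytes are constructed placeholders standing in for a real certificate.

```python
# Added example (not code from the draft or the slides). The DER helpers,
# cn_attribute() and matches() are this example's own; the policy OIDs and the
# CERT bytes are constructed placeholders, not a real certificate.
from typing import List

def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + der_len(len(value)) + value

def oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER: first two arcs packed into one octet, base-128 for the rest."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return der_tlv(0x06, bytes(body))

def cn_attribute(name: str) -> bytes:
    """Slide 8: AttributeTypeAndValue for commonName with a PrintableString value."""
    return der_tlv(0x30, oid("2.5.4.3") + der_tlv(0x13, name.encode("ascii")))

def matches(cred: bytes, include: List[List[bytes]], exclude: List[List[bytes]]) -> bool:
    """Slide 7 rule: each includeStrings group needs one alternative present
    (OR inside a group, AND across groups); any excludeStrings hit rejects.
    This is a plain substring test, which is why slide 9 cannot do partial-content searches."""
    inc_ok = all(any(alt in cred for alt in group) for group in include)
    exc_ok = not any(alt in cred for group in exclude for alt in group)
    return inc_ok and exc_ok

POLICY_1, POLICY_2 = oid("1.2.3.4.1"), oid("1.2.3.4.2")   # constructed policy OIDs
EKU_CLIENT_AUTH = oid("1.3.6.1.5.5.7.3.2")                 # id-kp-clientAuth

# Constructed credential bytes: the slide 8 issuer CN, policy 1, and the clientAuth EKU.
CERT = cn_attribute("Microsoft Corp Enterprise CA 2") + POLICY_1 + EKU_CLIENT_AUTH

if __name__ == "__main__":
    print(cn_attribute("Microsoft Corp Enterprise CA 2").hex())
    print(matches(CERT, [[POLICY_1, POLICY_2]], [[EKU_CLIENT_AUTH]]))  # False: excluded EKU present
```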

  9. X.509 – Can and can't do
  • Can do
    • Search for specific OIDs and attributes such as certificate policies, EKUs
    • Search for complete extensions, such as acceptable key usage extensions
  • Can't do
    • Search for an extension with specific partial content when the length of the extension is unknown (the search string is matched against the DER encoding, so the enclosing length octets must be known)
    • Search for X somewhere in part Y

  10. Kerberos ticket – RFC 4120
  • Search possible on Realm and Principal Name only (the remaining fields sit inside the encrypted enc-part)
  • Is it useful?

    Ticket ::= [APPLICATION 1] SEQUENCE {
        tkt-vno   [0] INTEGER (5),
        realm     [1] Realm,
        sname     [2] PrincipalName,
        enc-part  [3] EncryptedData -- EncTicketPart
    }

  11. Way Forward
  • Good or bad idea?
  • Terminology – Credential?
  • Progress as individual submission or within a working group?
  • Implementation in protocols
