[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
CVS gss/doc/specification
|
From: |
gss-commit |
|
Subject: |
CVS gss/doc/specification |
|
Date: |
Tue, 26 Oct 2004 00:26:04 +0200 |
Update of /home/cvs/gss/doc/specification
In directory dopio:/tmp/cvs-serv13078
Added Files:
draft-hartman-gss-naming-01.txt
Log Message:
Add.
--- /home/cvs/gss/doc/specification/draft-hartman-gss-naming-01.txt
2004/10/25 22:26:04 NONE
+++ /home/cvs/gss/doc/specification/draft-hartman-gss-naming-01.txt
2004/10/25 22:26:04 1.1
Network Working Group S. Hartman
Internet-Draft MIT
Expires: April 24, 2005 October 24, 2004
GSSAPI Mechanisms without a Single Canonical Name
draft-hartman-gss-naming-01.txt
Status of this Memo
This document is an Internet-Draft and is subject to all provisions
of section 3 of RFC 3667. By submitting this Internet-Draft, each
author represents that any applicable patent or other IPR claims of
which he or she is aware have been or will be disclosed, and any of
which he or she become aware will be disclosed, in accordance with
RFC 3668.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 24, 2005.
Copyright Notice
Copyright (C) The Internet Society (2004).
Abstract
The Generic Security Services API (GSSAPI) provides a naming
architecture that supports name-based authorization. GSSAPI
authenticates two named parties to each other. Names can be stored
on access control lists to make authorization decisions. Advances in
security mechanisms and the way implementers wish to use GSSAPI
require this model to be extended. Some mechanisms such as
public-key mechanisms do not have a single name to be used. Other
mechanisms such as Kerberos allow names to change as people move
Hartman Expires April 24, 2005 [Page 1]
�
Internet-Draft GSS Name Attributes October 2004
around organizations. This document proposes expanding the
definition of GSSAPI names to deal with these situations.
Hartman Expires April 24, 2005 [Page 2]
�
Internet-Draft GSS Name Attributes October 2004
1. Introduction
The Generic Security Services API [1] provides a function called
gss_export_name that will flatten a GSSAPI name into a binary blob
suitable for comparisons. This binary blob can be stored on ACLs and
then authorization decisions can be made simply by comparing the name
exported from a newly accepted context to the name on the ACL.
As a side effect of this model, each mechanism name needs to be able
to be represented in a single canonical form and anyone importing
that name needs to be able to retrieve the canonical form.
Several security mechanisms have been proposed for which this naming
architecture is too restrictive. In some cases it is not always
possible to canonicalize any name that is imported. In other cases
there is no single canonical name. In addition, there is a desire to
have more complex authorization models in GSSAPI than the current
name based authorization model.
This draft discusses two different cases where the current GSSAPI
naming seems inadequate. Two proposals that have been discussed
within the IETF Kitten community are discussed. Finally, the
problems that need to be resolved to adopt either of these proposals
are discussed.
Hartman Expires April 24, 2005 [Page 3]
�
Internet-Draft GSS Name Attributes October 2004
2. Kerberos Naming
The Kerberos Referrals draft [2] proposes a new type of Kerberos name
called an enterprise name. The intent is that the enterprise name is
an alias that the user knows for themselves and can use to login.
The Kerberos KDC translates this name into a normal Kerberos
principal and gives the user tickets for this principal. This normal
principal is used for authorization. The intent is that the
enterprise name tracks the user as they move throughout the
organization, even if they move to parts of the organization that
have different naming policies. The name they type at login remains
constant, but the Kerberos principal used to authenticate them to
services changes.
Performing a mapping from enterprise name to principal name is not
generally possible for unauthenticated services. So in order to
canonicalize an enterprise name to get a principal, a service must
have credentials. However it may not be desirable to allow services
to map enterprise names to principal names in the general case.
Also, Kerberos does not (and does not plan to) provide a mechanism
for mapping enterprise names to principals besides authentication as
the enterprise name. So any such mapping would be vendor-specific.
With this feature in Kerberos, it is not possible to implement
gss_canonicalize_name for enterprise name types.
Another issue arises with enterprise names. IN some cases it would
be desirable to put the enterprise name on the ACL instead of a
principal name. Thus, it would be desirable to include the
enterprise name in the name exported by gss_export_name. However
then the exported name would change whenever the mapping changed,
defeating the purpose of including the enterprise name. So in some
cases it would be desirable to have the exported name be based on the
enterprise name and in others based on the principal name, but this
is not currently possible.
Another development also complicates GSSAPI naming for Kerberos.
Several vendors have been looking at mechanisms to include group
membership information in Kerberos authorization data. It is
desirable to put these group names on ACLs. Again, GSSAPI currently
has no mechanism to use this information.
Hartman Expires April 24, 2005 [Page 4]
�
Internet-Draft GSS Name Attributes October 2004
3. X.509 Names
X.509 names are at least as complex as Kerberos names. It seems like
you might want to use the subject name as the name to be exported in
a GSSAPI mechanism. However RFC 3280 [3] does not even require the
subject name to be a non-empty sequence. Instead there are cases
where the subjectAltName extension is the only thing to identify the
subject of the certificate. As in the case of Kerberos group
memberships, there may be many subjectAltName extensions available in
a certificate. Different applications will care about different
extensions. Thus there is no single value that can be defined as
the exported GSSAPI name that will be generally useful.
A profile of a particular X.509 GSSAPI mechanism could require a
specific name be used. However this would limit that mechanism to
require a particular type of certificate. There is interest in being
able to use arbitrary X.509 certificates with GSSAPI for some
applications.
Hartman Expires April 24, 2005 [Page 5]
�
Internet-Draft GSS Name Attributes October 2004
4. Composite Names
One proposal to solve these problems is to extend the concept of a
GSSAPI name to include a set of name attributes. Each attribute
would be an octet-string labeled by an OID. Examples of attributes
would include Kerberos enterprise names, group memberships in an
authorization infrastructure, Kerberos authorization data attributes
and subjectAltName attributes in a certificate. Several new
operations would be needed:
1. Add attribute to name
2. Query attributes of name
3. Query values of an attribute
4. Delete an attribute from a name
4.1 Usage of Name Attributes
Since attributes are part of GSSAPI names, the acceptor can retrieve
the attributes of the initiator's name from the context. These
attributes can then be used for authorization.
Most name attributes will probably not come from explicit operations
to add attributes to a name. Instead, name attributes will probably
come from mechanism specific credentials. Mechanism specific naming
and group membership can be mapped into name attributes by the
mechanism implementation. The specific form of this mapping will
general require protocol specification for each mechanism.
4.2 Open issues
This section describes parts of the proposal to add attributes to
names that will need to be explored before the proposal can become a
protocol specification.
Are mechanisms expected to be able to carry arbitrary name attributes
as part of a context establishment? At first it seems like this
would be desirable. However the point of GSSAPI is to establish an
authenticated context between two peers. In particular, a context
authenticates two named entities to each other. The names of these
entities and attributes associated with these names will be used for
authorization decisions. If an initiator or acceptor is allowed to
assert name attributes and the authenticity of these assertions is
not validated by the mechanisms, then security problems may result.
On the other hand, requiring that name attributes be mechanism
specific and only be carried by mechanisms that understand the name
attributes and can validate them compromises GSSAPI's place as a
generic API. Application authors would be forced to understand
mechanism-specific attributes to make authorization decisions. In
addition if mechanisms are not required to transport arbitrary
Hartman Expires April 24, 2005 [Page 6]
�
Internet-Draft GSS Name Attributes October 2004
attributes, then application authors will need to deal with different
implementations of the same mechanism that support different sets of
name attributes. One possible solution is to carry a source along
with each name attribute; this source could indicate whether the
attribute comes from a mechanism data structure or from the other
party in the authentication.
Another related question is how will name attributes be mapped into
their mechanism-specific forms. For example it would be desirable to
map many Kerberos authorization data elements into name attributes.
In the case of the Microsoft PAC, it would be desirable for some
applications to get the entire PAC. However in many cases, the
specific lists of security IDs contained in the PAC would be more
directly useful to an application. So there may not be a good
one-to-one mapping between the mechanism-specific elements and the
representation desirable at the GSSAPI layer.
Specific name matching rules need to be developed. How do names with
attributes compare? What is the effect of a name attribute on a
target name in gss_accept_sec_context?
4.3 Handling gss_export_name
For many mechanisms, there will be an obvious choice to use for the
name exported by gss_export_name. For example in the case of
Kerberos, the principal name can continue to be used as the exported
name. This will allow applications depending on existing GSSAPI
name-based authorization to continue to work. However it is probably
desirable to allow GSSAPI mechanisms for which gss_export_name cannot
meaningfully be defined. The behavior of gss_export_name in such
cases should probably be to return some error. Such mechanisms may
not work with existing applications and cannot conform to the current
version of the GSSAPI.
Hartman Expires April 24, 2005 [Page 7]
�
Internet-Draft GSS Name Attributes October 2004
5. Credential Extensions
An alternative to the name attributes proposal is to extend GSSAPI
credentials with extensions labeled by OIDs. Interfaces would be
[274 lines skipped]