| draft-josefsson-sasl-external-channel-02.txt | draft-josefsson-sasl-external-channel-03.txt | |||
|---|---|---|---|---|
| Network Working Group S. Josefsson | Network Working Group S. Josefsson | |||
| Internet-Draft SJD AB | Internet-Draft SJD AB | |||
| Intended status: Standards Track April 14, 2009 | Intended status: Standards Track April 18, 2009 | |||
| Expires: October 16, 2009 | Expires: October 20, 2009 | |||
| SASL Mechanism Family for External Authentication: EXTERNAL-* | SASL Mechanism Family for External Authentication: EXTERNAL-* | |||
| draft-josefsson-sasl-external-channel-02 | draft-josefsson-sasl-external-channel-03 | |||
| Status of this Memo | Status of this Memo | |||
| This Internet-Draft is submitted to IETF in full conformance with the | This Internet-Draft is submitted to IETF in full conformance with the | |||
| provisions of BCP 78 and BCP 79. This document may contain material | provisions of BCP 78 and BCP 79. This document may contain material | |||
| from IETF Documents or IETF Contributions published or made publicly | from IETF Documents or IETF Contributions published or made publicly | |||
| available before November 10, 2008. The person(s) controlling the | available before November 10, 2008. The person(s) controlling the | |||
| copyright in some of this material may not have granted the IETF | copyright in some of this material may not have granted the IETF | |||
| Trust the right to allow modifications of such material outside the | Trust the right to allow modifications of such material outside the | |||
| IETF Standards Process. Without obtaining an adequate license from | IETF Standards Process. Without obtaining an adequate license from | |||
| skipping to change at page 1, line 42 | skipping to change at page 1, line 42 | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on October 16, 2009. | This Internet-Draft will expire on October 20, 2009. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2009 IETF Trust and the persons identified as the | Copyright (c) 2009 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents in effect on the date of | Provisions Relating to IETF Documents in effect on the date of | |||
| publication of this document (http://trustee.ietf.org/license-info). | publication of this document (http://trustee.ietf.org/license-info). | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| and restrictions with respect to this document. | and restrictions with respect to this document. | |||
| Abstract | Abstract | |||
| This document describes a way to perform client authentication in the | This document describes a way to perform client authentication in the | |||
| Simple Authentication and Security Layer (SASL) framework by | Simple Authentication and Security Layer (SASL) framework by | |||
| referring to the end-user authentication provided by an external | referring to the client authentication provided by an external | |||
| security layer. We specify a SASL mechanism family EXTERNAL-* and | security layer. We specify a SASL mechanism family EXTERNAL-* and | |||
| one instance EXTERNAL-TLS that rely on the Transport Layer Security | one instance EXTERNAL-TLS that rely on the Transport Layer Security | |||
| (TLS) protocol. This mechanism differs to the existing EXTERNAL | (TLS) protocol. This mechanism differs to the existing EXTERNAL | |||
| mechanism by alleviating the a priori assumptions that servers and | mechanism by alleviating the a priori assumptions that servers and | |||
| clients needs somehow negotiate out of band which secure channel that | clients needs somehow negotiate out of band which secure channel that | |||
| is intended. This document also discuss the implementation of | is intended. This document also discuss the implementation of | |||
| authorization decisions. | authorization decisions. | |||
| See <http://josefsson.org/external-channel/> for more information. | See <http://josefsson.org/external-channel/> for more information. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2. Specification of EXTERNAL-* Mechanism Family . . . . . . . . . 4 | 2. Specification of EXTERNAL-* Mechanism Family . . . . . . . . . 4 | |||
| 3. Specification of EXTERNAL-TLS Mechanism . . . . . . . . . . . . 6 | 3. Specification of EXTERNAL-TLS Mechanism . . . . . . . . . . . 6 | |||
| 4. Making Authorization Decisions . . . . . . . . . . . . . . . . 6 | 4. Making Authorization Decisions . . . . . . . . . . . . . . . . 6 | |||
| 5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 | 5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 8 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . . 8 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | |||
| 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8 | 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . . 9 | 9.1. Normative References . . . . . . . . . . . . . . . . . . . 9 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . . 9 | 9.2. Informative References . . . . . . . . . . . . . . . . . . 10 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 9 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 1. Introduction | 1. Introduction | |||
| The EXTERNAL mechanism, described in Appendix A of [RFC4422] allows a | The EXTERNAL mechanism, described in Appendix A of [RFC4422] allows a | |||
| client to request the server to use credentials established by means | client to request the server to use credentials established by means | |||
| external to the mechanism to authenticate the client. The external | external to the mechanism to authenticate the client. The external | |||
| means may be, for instance, TLS [RFC5246] or IP Security [RFC4301] | means may be, for instance, TLS [RFC5246] or IP Security [RFC4301] | |||
| services. | services. | |||
| The EXTERNAL mechanism requires some a prior agreement between the | The EXTERNAL mechanism requires some a prior agreement between the | |||
| client and the server regarding which external channel, and | client and the server regarding which external channel, and | |||
| consequently which external credentials, should be used for | consequently which external credentials, should be used for | |||
| authentication. In practice this has often meant that the EXTERNAL | authentication. In practice this has often meant that the EXTERNAL | |||
| mechanism is only used when there is tight out of band interaction | mechanism is only used when there is tight out of band interaction | |||
| between the server administration and client user. This has impacted | between the server administration and client user. This has impacted | |||
| the interoperability of the EXTERNAL mechanism. | the interoperability of the EXTERNAL mechanism. | |||
| The EXTERNAL-* mechanism family, specified in this document, is | The EXTERNAL-* mechanism family, specified in this document, is | |||
| similar to the EXTERNAL mechanism in that it relies on an external | similar to the EXTERNAL mechanism in that it relies on an external | |||
| channel to perform the user authentication. However, EXTERNAL-* | channel to perform the client authentication. However, EXTERNAL-* | |||
| provides a way for the client to provide an identifier of the | provides a way for the client to provide an identifier of the | |||
| external channel that is intended to provide the user credentials. | external channel that is intended to provide the client credentials. | |||
| The intention is that the server need not rely on a priori | The intention is that the server need not rely on a priori | |||
| arrangement to identify the secure channel that was used, but can | arrangement to identify the secure channel that was used, but can | |||
| automatically find the intended channel and re-use its credentials | automatically find the intended channel and re-use its credentials | |||
| for the SASL authentication. Further, upon successful | for the SASL authentication. Further, upon successful | |||
| authentication, the client knows that the server used credentials | authentication, the client knows that the server used credentials | |||
| from the indicated security channel. | from the indicated security channel. | |||
| In the EXTERNAL-* mechanism family, the external channel is | In the EXTERNAL-* mechanism family, the external channel is | |||
| identified through the SASL mechanism name. | identified through the SASL mechanism name. | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | ||||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | ||||
| document are to be interpreted as described in [RFC2119]. | ||||
| 2. Specification of EXTERNAL-* Mechanism Family | 2. Specification of EXTERNAL-* Mechanism Family | |||
| The name of the mechanism family is "EXTERNAL-". | The name of the mechanism family is "EXTERNAL-". | |||
| The mechanism family does not provide a security layer. It provides | The mechanism family does not provide a security layer. It provides | |||
| similar functionality by relying on an external channel. | similar functionality by relying on an external channel. | |||
| The mechanism is capable of transferring an authorization identity | The mechanism is capable of transferring an authorization identity | |||
| string. If the authorization identity string is empty, the client is | string. If the authorization identity string is empty, the client is | |||
| requesting to act as the identity the server has associated with the | requesting to act as the identity the server has associated with the | |||
| skipping to change at page 6, line 19 | skipping to change at page 6, line 23 | |||
| Otherwise the exchange is successful. When indicating a successful | Otherwise the exchange is successful. When indicating a successful | |||
| outcome, additional data is not provided. | outcome, additional data is not provided. | |||
| 3. Specification of EXTERNAL-TLS Mechanism | 3. Specification of EXTERNAL-TLS Mechanism | |||
| The EXTERNAL-TLS mechanism uses client credentials established by the | The EXTERNAL-TLS mechanism uses client credentials established by the | |||
| outer TLS [RFC5246] channel. Only the inner-most TLS channel is | outer TLS [RFC5246] channel. Only the inner-most TLS channel is | |||
| intended. For example, if an application opens up a TLS channel and | intended. For example, if an application opens up a TLS channel and | |||
| starts SASL negotiation, and if that communication happens to be sent | starts SASL negotiation, and if that communication happens to be sent | |||
| over a TLS-based VPN, the credentials for the TLS-based VPN is not | over a TLS-based VPN, the intended channel is the TLS channel opened | |||
| considered. | by the application. | |||
| The server MUST NOT advertise the EXTERNAL-TLS mechanism if the | The server MUST NOT advertise the EXTERNAL-TLS mechanism if the | |||
| client did not provided any supported form of client-side | client did not provided any supported form of client-side | |||
| authentication in the TLS channel, e.g., X.509 client certificate, | authentication in the TLS channel, e.g., X.509 client certificate, | |||
| OpenPGP client key [RFC5081], or SRP [RFC5054]. The client MUST only | OpenPGP client key [RFC5081], or SRP [RFC5054]. The client MUST only | |||
| request the EXTERNAL-TLS if it wishes to re-use the TLS client | request the EXTERNAL-TLS if it wishes to re-use the TLS client | |||
| credentials for the SASL application. | credentials for the SASL application. | |||
| 4. Making Authorization Decisions | 4. Making Authorization Decisions | |||
| skipping to change at page 8, line 21 | skipping to change at page 8, line 24 | |||
| C: simon | C: simon | |||
| S: a002 NO "Cannot assume requested authorization identity" | S: a002 NO "Cannot assume requested authorization identity" | |||
| Note how the server rejects the authentication attempt with an | Note how the server rejects the authentication attempt with an | |||
| authorization-related error message. Presumably the client | authorization-related error message. Presumably the client | |||
| credentials presented in the TLS session does not give the client | credentials presented in the TLS session does not give the client | |||
| authority to assume the identity of "simon". | authority to assume the identity of "simon". | |||
| 6. IANA Considerations | 6. IANA Considerations | |||
| The IANA is request to add to the SASL mechanisms registry the | The IANA is requested to add to the SASL mechanisms registry the | |||
| following entry. | following entry. | |||
| Subject: Registration of SASL mechanism family EXTERNAL-* | Subject: Registration of SASL mechanism family EXTERNAL-* | |||
| SASL family name (or prefix for the family): EXTERNAL- | SASL family name (or prefix for the family): EXTERNAL- | |||
| Security considerations: [THIS-DOC] | Security considerations: [THIS-DOC] | |||
| Published specification (recommended): [THIS-DOC] | Published specification (recommended): [THIS-DOC] | |||
| Person & email address to contact for further information: | Person & email address to contact for further information: | |||
| Simon Josefsson <simon@josefsson.org> | Simon Josefsson <simon@josefsson.org> | |||
| Intended usage: COMMON | Intended usage: COMMON | |||
| Owner/Change controller: Simon Josefsson <simon@josefsson.org> | Owner/Change controller: Simon Josefsson <simon@josefsson.org> | |||
| IANA will register new SASL mechanism names under the "EXTERNAL-" | ||||
| namespace on a First Come First Served basis, as defined in | ||||
| [RFC5226]. IANA has the right to reject obviously bogus registration | ||||
| requests, but will perform no review of claims made in the | ||||
| registration form. | ||||
| Registration of a SASL mechanism under the "EXTERNAL-" namespace is | ||||
| requested by filling in the same template used in [RFC4422] using a | ||||
| name prefixed with "EXTERNAL-". | ||||
| While this registration procedure does not require expert review, | ||||
| authors of SASL mechanisms are encouraged to seek community review | ||||
| and comment whenever that is feasible. Authors may seek community | ||||
| review by posting a specification of their proposed mechanism as an | ||||
| Internet-Draft. SASL mechanisms intended for widespread use should | ||||
| be standardized through the normal IETF process, when appropriate. | ||||
| 7. Security Considerations | 7. Security Considerations | |||
| The security of external channel is critical to the security of this | The security of external channel is critical to the security of this | |||
| mechanism. It is important that the client authentication that | mechanism. It is important that the client authentication that | |||
| occurs in the outer security channel is cryptographically bound to | occurs in the outer security channel is cryptographically bound to | |||
| the confidentiality or integrity services that protects the security | the confidentiality or integrity services that protects the security | |||
| channel. | channel. | |||
| The EXTERNAL-* mechanism family does not authenticate users itself, | The EXTERNAL-* mechanism family does not authenticate clients itself, | |||
| it relies on implementation to perform the authentication as part of | it relies on implementation to perform the authentication as part of | |||
| the external channel. Care must be taken to ensure that the client | the external channel. Care must be taken to ensure that the client | |||
| credential has been authenticated, rather than just blindly accepted | credential has been authenticated, rather than just blindly accepted | |||
| as part of a leap-of-faith setup. | as part of a leap-of-faith setup. | |||
| 8. Acknowledgements | 8. Acknowledgements | |||
| The EXTERNAL-* mechanism family, and significant amount of text in | Significant amount of text in this document is copied from SASL | |||
| this document, is based on the EXTERNAL mechanism in Appendix A of | [RFC4422]. | |||
| SASL [RFC4422]. | ||||
| The document was improved by discussion in the SASL Working Group | ||||
| between Chris Newman, Philip Guenther, Alexey Melnikov, Hallvard B | ||||
| Furuseth, Nicolas Williams, Sam Hartman, Jeffrey Hutzelman, and Kurt | ||||
| Zeilenga. | ||||
| 9. References | 9. References | |||
| 9.1. Normative References | 9.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | ||||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | ||||
| [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO | [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO | |||
| 10646", STD 63, RFC 3629, November 2003. | 10646", STD 63, RFC 3629, November 2003. | |||
| [RFC4422] Melnikov, A. and K. Zeilenga, "Simple Authentication and | [RFC4422] Melnikov, A. and K. Zeilenga, "Simple Authentication and | |||
| Security Layer (SASL)", RFC 4422, June 2006. | Security Layer (SASL)", RFC 4422, June 2006. | |||
| [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax | [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax | |||
| Specifications: ABNF", STD 68, RFC 5234, January 2008. | Specifications: ABNF", STD 68, RFC 5234, January 2008. | |||
| 9.2. Informative References | 9.2. Informative References | |||
| skipping to change at page 9, line 39 | skipping to change at page 10, line 24 | |||
| (TLS) Protocol Version 1.2", RFC 5246, August 2008. | (TLS) Protocol Version 1.2", RFC 5246, August 2008. | |||
| [RFC5054] Taylor, D., Wu, T., Mavrogiannopoulos, N., and T. Perrin, | [RFC5054] Taylor, D., Wu, T., Mavrogiannopoulos, N., and T. Perrin, | |||
| "Using the Secure Remote Password (SRP) Protocol for TLS | "Using the Secure Remote Password (SRP) Protocol for TLS | |||
| Authentication", RFC 5054, November 2007. | Authentication", RFC 5054, November 2007. | |||
| [RFC5081] Mavrogiannopoulos, N., "Using OpenPGP Keys for Transport | [RFC5081] Mavrogiannopoulos, N., "Using OpenPGP Keys for Transport | |||
| Layer Security (TLS) Authentication", RFC 5081, | Layer Security (TLS) Authentication", RFC 5081, | |||
| November 2007. | November 2007. | |||
| [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an | ||||
| IANA Considerations Section in RFCs", BCP 26, RFC 5226, | ||||
| May 2008. | ||||
| Author's Address | Author's Address | |||
| Simon Josefsson | Simon Josefsson | |||
| SJD AB | SJD AB | |||
| Email: simon@josefsson.org | Email: simon@josefsson.org | |||
| End of changes. 17 change blocks. | ||||
| 20 lines changed or deleted | 52 lines changed or added | |||
This html diff was produced by rfcdiff 1.29, available from http://www.levkowetz.com/ietf/tools/rfcdiff/ | ||||