Guidance for Authentication, Authorization, and Accounting (AAA) Key Management
RFC 4962

Type: RFC - Best Current Practice (July 2007; no errata)
Also known as: BCP 132
Was: draft-housley-aaa-key-mgmt (individual submission in the Security Area)
Last updated: 2015-10-14
Stream: IETF
Document shepherd: No shepherd assigned
IESG state: RFC 4962 (Best Current Practice)
Responsible AD: Sam Hartman
Network Working Group                                         R. Housley
Request for Comments: 4962                                Vigil Security
BCP: 132                                                        B. Aboba
Category: Best Current Practice                                Microsoft
                                                               July 2007

       Guidance for Authentication, Authorization, and Accounting (AAA)
                               Key Management

Status of This Memo

   This document specifies an Internet Best Current Practices for the
   Internet Community, and requests discussion and suggestions for
   improvements.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Abstract

   This document provides guidance to designers of Authentication,
   Authorization, and Accounting (AAA) key management protocols.  The
   guidance is also useful to designers of systems and solutions that
   include AAA key management protocols.  Given the complexity and
   difficulty in designing secure, long-lasting key management
   algorithms and protocols by experts in the field, it is almost
   certainly inappropriate for IETF working groups without deep
   expertise in the area to be designing their own key management
   algorithms and protocols based on Authentication, Authorization, and
   Accounting (AAA) protocols.

   The guidelines in this document apply to documents requesting
   publication as IETF RFCs.  Further, these guidelines will be useful
   to other standards development organizations (SDOs) that specify AAA
   key management.

Housley & Aboba          Best Current Practice                  [Page 1]

Table of Contents

   1. Introduction ....................................................2
      1.1. Requirements Specification .................................3
      1.2. Mandatory to Implement .....................................3
      1.3. Terminology ................................................3
   2. AAA Environment Concerns ........................................5
   3. AAA Key Management Requirements .................................7
   4. AAA Key Management Recommendations .............................13
   5. Security Considerations ........................................14
   6. Normative References ...........................................15
   7. Informative References .........................................15
   Appendix: AAA Key Management History ..............................20
   Acknowledgments ...................................................22

1.  Introduction

   This document provides architectural guidance to designers of AAA
   key management protocols.  The guidance is also useful to designers
   of systems and solutions that include AAA key management protocols.

   AAA key management often includes a collection of protocols, one of
   which is the AAA protocol.  Other protocols are used in conjunction
   with the AAA protocol to provide an overall solution.  These other
   protocols often provide authentication and security association
   establishment.

   Given the complexity and difficulty in designing secure, long-lasting
   key management algorithms and protocols by experts in the field, it
   is almost certainly inappropriate for IETF working groups without
   deep expertise in the area to be designing their own key management
   algorithms and protocols based on Authentication, Authorization, and
   Accounting (AAA) protocols.

   These guidelines apply to documents requesting publication as IETF
   RFCs.  Further, these guidelines will be useful to other standards
   development organizations (SDOs) that specify AAA key management
   that depends on IETF specifications for protocols such as the
   Extensible Authentication Protocol (EAP) [RFC3748], the Remote
   Authentication Dial-In User Service (RADIUS) [RFC2865], and Diameter
   [RFC3588].

   In March 2003, at the IETF 56 AAA Working Group Session, Russ Housley
   gave a presentation on "Key Management in AAA" [H].  That
   presentation established the vast majority of the requirements
   contained in this document.  Over the last three years, this
   collection of requirements has become known as the "Housley
   Criteria".

1.1.  Requirements Specification

   The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD,
   SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this
   document, are to be interpreted as described in RFC 2119 [RFC2119].

   An AAA key management proposal is not compliant with this
   specification if it fails to satisfy one or more of the MUST or MUST
   NOT statements.  An AAA key management proposal that satisfies all
   the MUST, MUST NOT, SHOULD, and SHOULD NOT statements is said to be