kx509 Kerberized Certificate Issuance Protocol in Use in 2012
RFC 6717

| Section | Field | Value |
|---|---|---|
| Document | Type | RFC - Informational (August 2012; No errata); was draft-hotz-kx509 (individual) |
| Document | Authors | Henry Hotz, Russ Allbery |
| Document | Last updated | 2018-12-20 |
| Document | Stream | ISE |
| Document | Formats | plain text, html, pdf, htmlized, bibtex |
| Stream | ISE state | (None) |
| Stream | Consensus Boilerplate | Unknown |
| Stream | Document shepherd | No shepherd assigned |
| IESG | IESG state | RFC 6717 (Informational) |
| IESG | Telechat date | |
| IESG | Responsible AD | Stephen Farrell |
| IESG | Send notices to | (None) |
Independent Submission                                         H. Hotz
Request for Comments: 6717                  Jet Propulsion Lab, Caltech
Category: Informational                                      R. Allbery
ISSN: 2070-1721                                      Stanford University
                                                            August 2012

        kx509 Kerberized Certificate Issuance Protocol in Use in 2012

Abstract

   This document describes a protocol, called kx509, for using Kerberos tickets to acquire X.509 certificates. These certificates may be used for many of the same purposes as X.509 certificates acquired by other means, but if a Kerberos infrastructure already exists, then the overhead of using kx509 may be much less.

   While not standardized, this protocol is already in use at several large organizations, and certificates issued with this protocol are recognized by the International Grid Trust Federation.

Status of This Memo

   This document is not an Internet Standards Track specification; it is published for informational purposes.

   This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

   Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6717.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

Hotz & Allbery                Informational                     [Page 1]

RFC 6717                         kx509                       August 2012

Table of Contents

   1. Introduction ....................................................2
      1.1. Requirements Language ......................................3
   2. Protocol Data ...................................................3
      2.1. Request Packet .............................................3
      2.2. Reply Packet ...............................................4
   3. Protocol Operation ..............................................7
   4. Acknowledgements ................................................8
   5. IANA Considerations .............................................8
   6. Security Considerations .........................................9
   7. References .....................................................10
      7.1. Normative References ......................................10
      7.2. Informative References ....................................10
   Appendix A. Certificate Caching and Deployment Considerations ....12
   Appendix B. Historic Extensions ..................................12
   Appendix C. Example Exchange .....................................12

1. Introduction

   The two primary ways of providing cryptographically secure identification on the Internet are Kerberos tickets [RFC4120] and X.509 [RFC5280] [X.509] certificates. In practical IT infrastructure where both are in use, it is highly desirable to deploy their support in a way that guarantees they both authoritatively refer to the same entities.

   There is already a widely adopted standard for using X.509 certificates to acquire corresponding Kerberos tickets, called Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) [RFC4556]. This document describes the kx509 protocol for supporting the symmetric operation of acquiring X.509 certificates using Kerberos tickets.

   Preparing and reviewing this document exposed a number of issues that are discussed in the security considerations. Unfortunately, some of them can only be addressed with an incompatible upgrade to this protocol. The IETF's Kerberos working group has an expected work item to address these issues.

   The International Grid Trust Federation [IGTF] supports the use of Short Lived Credential Services [SLCS] as a means to authenticate for resource usage based on other, native identity stores that an organization maintains. Issuing X.509 certificates via the kx509 protocol on the basis of a Kerberos identity is one of the recognized credential services. The certificate profile for that use is outside the scope of this RFC but is described in [GRID-prof].