Enhancing Credential Selection in IETF Protocols - PowerPoint PPT Presentation

About This Presentation
Title: Enhancing Credential Selection in IETF Protocols
Slides: 12
Provided by: stefansa
Learn more at: https://www.ietf.org

Transcript and Presenter's Notes

1
Enhancing Credential Selection in IETF Protocols
  • Stefan Santesson
  • stefans@microsoft.com

2
Problem
  • The client user has a set of credentials
  • The service requests that the user authenticate
    using a credential
  • The user has several credentials matching the
    criteria from the service

3
Case study: TLS and X.509
  • Criteria restricted to CA names and public key
    algorithms
  • We have encountered many situations where this is
    not sufficient
  • Multiple roles
  • Different services under common roots

4
Proposal
  • http://www.ietf.org/internet-drafts/draft-santesson-credsel-01.txt
  • A common data construct for credential selection
    that can be sent in multiple protocols
  • Currently generic, but may be restricted to X.509.

5
Design criteria
  • Generic
  • Simple design
  • Easy to use for clients
  • Agnostic to new credential format development
  • Extensible

6
Structure
  SelectionCriteria ::= SEQUENCE OF Criteria

  Criteria ::= SEQUENCE {
      credentialType  OBJECT IDENTIFIER,   -- identifier for credential type
      selectData      SelectData }

  SelectData ::= SEQUENCE {
      basicSelectData     [0] BasicSelectData OPTIONAL,
      advancedSelectData  [1] AdvancedSelectData OPTIONAL }

  AdvancedSelectData ::= SEQUENCE {
      selectSyntaxID  OBJECT IDENTIFIER,
      selectData      ANY DEFINED BY selectSyntaxID }

  BasicSelectData ::= SEQUENCE {
      includeStrings  [0] SelectStrings OPTIONAL,
      excludeStrings  [1] SelectStrings OPTIONAL }

7
Example X.509
  • BasicSelectData (SEQUENCE)
    • Include strings (SEQUENCE)
      • AltValues (SEQUENCE)
        - Certificate policy 1 OID
        - Certificate policy 2 OID
      • AltValues (SEQUENCE)
        - Key usage extension (with only the digital signature bit set)
    • Exclude strings (SEQUENCE)
      • AltValues (SEQUENCE)
        - EKU A OID
        - EKU B OID
  • A certificate matches if all of the following are true:
    • includes certificate policy 1 or certificate policy 2 (or both)
    • includes a key usage extension with only the digital signature bit set
    • does not contain EKU OID A
    • does not contain EKU OID B

8
Example Name attribute search
  Tag  Length  Value
  ----------------------------------------------------------------
  30   37      SEQUENCE
  06   3       OBJECT IDENTIFIER commonName (2 5 4 3)
  13   30      PrintableString 'Microsoft Corp Enterprise CA 2'
  (tags in hex, lengths in decimal; the OID's first content octet,
  2*40+5 = 85 decimal, is 0x55 in hex)
  • Search octet string
  • DER 30 25 06 03 55 04 03 13 1e 4d 69 63 72
    6f 73 6f 66 74 20 43 6f 72 70 20 45 6e
    74 65 72 70 72 69 73 65 20 43 41 20 32

9
X.509: can and can't do
  • Can do
    • Search for specific OIDs and attributes such as
      certificate policies, EKUs
    • Search for complete extensions, such as
      acceptable key usage extensions
  • Can't do
    • Search for an extension with specific partial
      content when the length of the extension is unknown
    • Search for "X somewhere in part Y"
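
The following is an added worked example, not code from the slides or from draft-santesson-credsel-01. It applies the include/exclude rule of slide 7 (include groups are ANDed, the alternatives inside a group are ORed, exclude alternatives are forbidden) as a plain byte-substring search over a certificate's DER, builds the slide 8 search octet string with a minimal DER encoder, and reproduces the slide 9 limitation: a bare OID search cannot be confined to one extension, so a "policy 1" OID that only appears as an EKU purpose still produces a hit. It assumes SelectStrings is a list of alternative groups (the page does not define it), uses constructed OIDs under the 2.999 example arc for "policy 1/2" and "EKU A/B", and its fake_tbs() helper produces a constructed certificate-body fragment rather than a real certificate.

```python
# Added worked example; not code from the slides or draft-santesson-credsel-01.
# Assumptions: SelectStrings is modelled as a list of alternative groups (the page
# does not define it); OIDs under 2.999 are constructed placeholders for
# "policy 1/2" and "EKU A/B"; fake_tbs() is a constructed stand-in for the parts
# of a TBSCertificate the substring search touches, not a valid certificate.

def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + der_len(len(value)) + value

def oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs merge (2.5 -> 85 = 0x55), base-128 after."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for sid in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [sid & 0x7F]
        sid >>= 7
        while sid:
            chunk.append(0x80 | (sid & 0x7F))
            sid >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))

def sequence(*parts: bytes) -> bytes:
    return tlv(0x30, b"".join(parts))

def name_attribute(attr_oid: str, value: str) -> bytes:
    """AttributeTypeAndValue { type, value PrintableString }, the slide 8 layout."""
    return sequence(oid(attr_oid), tlv(0x13, value.encode("ascii")))

DIGITAL_SIGNATURE, KEY_ENCIPHERMENT = 0x80, 0x20   # KeyUsage bits 0 and 2

def key_usage_extension(first_octet: int) -> bytes:
    """Critical KeyUsage extension; DER drops trailing zero bits of the BIT STRING."""
    unused = (first_octet & -first_octet).bit_length() - 1
    bit_string = tlv(0x03, bytes([unused, first_octet]))
    return sequence(oid("2.5.29.15"), b"\x01\x01\xff", tlv(0x04, bit_string))

def certificate_policies(policy_oids) -> bytes:
    """certificatePolicies: SEQUENCE OF PolicyInformation (no qualifiers)."""
    infos = b"".join(sequence(oid(p)) for p in policy_oids)
    return sequence(oid("2.5.29.32"), tlv(0x04, sequence(infos)))

def ext_key_usage(purpose_oids) -> bytes:
    """extKeyUsage: SEQUENCE OF KeyPurposeId."""
    purposes = b"".join(oid(p) for p in purpose_oids)
    return sequence(oid("2.5.29.37"), tlv(0x04, sequence(purposes)))

def fake_tbs(issuer_cn: str, policies, key_usage_octet: int, ekus) -> bytes:
    """Constructed certificate-body fragment: one issuer RDN (a SET, tag 0x31)
    plus the [3] EXPLICIT extensions. Only the byte layout matters here."""
    issuer = sequence(tlv(0x31, name_attribute("2.5.4.3", issuer_cn)))
    exts = sequence(certificate_policies(policies),
                    key_usage_extension(key_usage_octet),
                    ext_key_usage(ekus))
    return sequence(issuer, tlv(0xA3, exts))

def matches(cert_der: bytes, include, exclude) -> bool:
    """Slide 7 rule: every include group needs at least one alternative present in
    the DER; no alternative of any exclude group may be present. Pure substring
    search, which is exactly what slide 9's limitations follow from."""
    if not all(any(alt in cert_der for alt in group) for group in include):
        return False
    return not any(any(alt in cert_der for alt in group) for group in exclude)

# Constructed placeholders (2.999 is the ITU-T/ISO example arc).
POLICY_1, POLICY_2 = "2.999.1", "2.999.2"
EKU_A, EKU_B = "2.999.10", "2.999.11"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"                 # id-kp-clientAuth

SLIDE7_INCLUDE = [[oid(POLICY_1), oid(POLICY_2)],           # policy 1 or policy 2
                  [key_usage_extension(DIGITAL_SIGNATURE)]]  # whole extension, DS only
SLIDE7_EXCLUDE = [[oid(EKU_A), oid(EKU_B)]]
SLIDE8_SEARCH = name_attribute("2.5.4.3", "Microsoft Corp Enterprise CA 2")

def demo() -> dict:
    """Slide 7 criteria and the slide 8 issuer search over constructed bodies;
    the last case is the slide 9 'can't do' showing up as a false hit."""
    ok = fake_tbs("Microsoft Corp Enterprise CA 2", [POLICY_2], DIGITAL_SIGNATURE, [CLIENT_AUTH])
    wrong_ku = fake_tbs("Microsoft Corp Enterprise CA 2", [POLICY_1],
                        DIGITAL_SIGNATURE | KEY_ENCIPHERMENT, [CLIENT_AUTH])
    bad_eku = fake_tbs("Other CA", [POLICY_1], DIGITAL_SIGNATURE, [EKU_B])
    # POLICY_1 appears only as an EKU purpose, yet the bare-OID search for
    # "policy 1" still hits: substring search cannot express "X inside part Y".
    misplaced = fake_tbs("Other CA", [], DIGITAL_SIGNATURE, [POLICY_1])
    return {
        "ok": matches(ok, SLIDE7_INCLUDE, SLIDE7_EXCLUDE),                      # True
        "wrong_ku": matches(wrong_ku, SLIDE7_INCLUDE, SLIDE7_EXCLUDE),          # False
        "bad_eku": matches(bad_eku, SLIDE7_INCLUDE, SLIDE7_EXCLUDE),            # False
        "issuer_hit": matches(ok, [[SLIDE8_SEARCH]], []),                       # True
        "misplaced_policy": matches(misplaced, SLIDE7_INCLUDE, SLIDE7_EXCLUDE), # True
    }

if __name__ == "__main__":
    print(SLIDE8_SEARCH.hex(), demo())
```

SLIDE8_SEARCH reproduces the slide's DER, with 0x55 (85 decimal) as the first OID content octet. The "wrong_ku" case is rejected as intended, because the search string is the complete KeyUsage extension and a BIT STRING with keyEncipherment added encodes differently; "misplaced_policy" is the price of that simplicity, since nothing in the selector ties the policy OID to the certificatePolicies extension.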

10
Kerberos ticket RFC 4120
  • Search possible on Realm and Principal Name only
    (enc-part is encrypted, so nothing inside it can be matched)
  • Is it useful?

  Ticket ::= [APPLICATION 1] SEQUENCE {
      tkt-vno   [0] INTEGER (5),
      realm     [1] Realm,
      sname     [2] PrincipalName,
      enc-part  [3] EncryptedData -- EncTicketPart
  }

11
Way Forward
  • Good or bad idea?
  • Terminology Credential?
  • Progress as individual submission or within a
    work group?
  • Implementation in Protocols