
Fwd: TLS authorizations draft

2006-05-18 07:19:40
I received this note from Angelos Keromytis regarding the draft-housley-tls-authz-extns document. I plan to accommodate this request unless someone raises an objection.

Russ

Date: Fri, 05 May 2006 19:03:50 -0400
From: "Angelos D. Keromytis" <angelos@cs.columbia.edu>
To: housley@vigilsec.com
Subject: TLS authorizations draft

Russ,
Can I talk you into adding support for KeyNote? Basically, in 2.3:

      enum {
         x509_attr_cert(0), saml_assertion(1), x509_attr_cert_url(2),
         saml_assertion_url(3), keynote_assertion_list(4), (255)
      } AuthzDataFormat;

and then the text:

   When the keynote_assertion_list value is present, the authorization
   data is a list of KeyNote assertions that conforms to the profile in
   RFC 2704 [KEYNOTE].

In Section 3.3, change the enum to be as above, and the first struct to be:

      struct {
         AuthzDataFormat authz_format;
         select (AuthzDataFormat) {
            case x509_attr_cert:         X509AttrCert;
            case saml_assertion:         SAMLAssertion;
            case x509_attr_cert_url:     URLandHash;
            case saml_assertion_url:     URLandHash;
            case keynote_assertion_list: KeyNoteAssertionList;
         }
      } AuthorizationDataEntry;

followed by:

      opaque KeyNoteAssertionList<1..2^16-1>;

A new section:

3.3.4 KeyNote Assertion List

   When KeyNoteAssertionList is used, the field contains an
   ASCII-encoded list of signed KeyNote assertions, as described
   in RFC 2704 [KEYNOTE].  The assertions are separated by
   two '\n' (newline) characters.  A KeyNote assertion is
   a structure similar to a public key certificate; the main
   difference is that instead of a binding between a name
   and a public key, KeyNote assertions bind public keys to
   authorization rules that are evaluated by the peer when
   the sender later issues specific requests.

   When making an authorization decision based on a list of
   KeyNote assertions, proper linkage between the KeyNote
   assertions and the public key certificate that is transferred
   in the TLS Certificate message is needed.  Receivers of
   a KeyNote assertion list should initialize the ACTION_AUTHORIZER
   variable to be the sender's public key, which was used to
   authenticate the TLS exchange.

And the citation:

[KEYNOTE]  "The KeyNote Trust-Management System, Version 2"
           Matt Blaze, Joan Feigenbaum, John Ioannidis, and Angelos D.
           Keromytis. Request For Comments (RFC) 2704, September 1999.

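The following is an added example, not code from the draft, from RFC 2704 or from either correspondent. It encodes and decodes the proposed keynote_assertion_list AuthorizationDataEntry and applies the ACTION_AUTHORIZER linkage rule from the proposed Section 3.3.4: the authenticated TLS peer key is bound to the action, and assertions that do not license that key are dropped before any evaluation. Assumptions of mine, not the draft's: the format code 4 is the value proposed above; the opaque vector carries the usual two-byte TLS length prefix for `opaque KeyNoteAssertionList<1..2^16-1>`; the sample assertions, key strings and signature values are constructed placeholders; and the field parser is a simplification that neither verifies Signature fields nor evaluates Conditions, both of which an RFC 2704 evaluator must do.

```python
"""Added example (not from the draft or the e-mail): wire encoding of the
proposed keynote_assertion_list entry plus the ACTION_AUTHORIZER linkage check."""
import struct

KEYNOTE_ASSERTION_LIST = 4       # AuthzDataFormat value proposed in the note (assumption)
ASSERTION_SEPARATOR = "\n\n"     # "two '\n' (newline) characters" per the proposed 3.3.4


class AuthzFormatError(ValueError):
    """Raised when an entry violates the proposed wire format."""


def encode_keynote_entry(assertions):
    """Serialize ASCII KeyNote assertion texts as one AuthorizationDataEntry.

    Layout: one-byte AuthzDataFormat, two-byte length, then the opaque list
    (assumed TLS encoding of opaque KeyNoteAssertionList<1..2^16-1>).
    """
    if not assertions:
        raise AuthzFormatError("KeyNoteAssertionList needs at least one assertion")
    body = ASSERTION_SEPARATOR.join(a.strip("\n") for a in assertions).encode("ascii")
    if not 1 <= len(body) <= 0xFFFF:
        raise AuthzFormatError("assertion list length outside <1..2^16-1>")
    return struct.pack("!BH", KEYNOTE_ASSERTION_LIST, len(body)) + body


def decode_keynote_entry(buf):
    """Parse an AuthorizationDataEntry and return the individual assertion texts."""
    if len(buf) < 3:
        raise AuthzFormatError("truncated AuthorizationDataEntry")
    fmt, length = struct.unpack("!BH", buf[:3])
    if fmt != KEYNOTE_ASSERTION_LIST:
        raise AuthzFormatError("not a keynote_assertion_list entry: format %d" % fmt)
    if length == 0:
        raise AuthzFormatError("empty KeyNoteAssertionList is not allowed")
    if len(buf) - 3 < length:
        raise AuthzFormatError("length prefix exceeds the data actually sent")
    text = buf[3:3 + length].decode("ascii")     # the list is ASCII-encoded
    # Note: an assertion containing a blank line of its own would be split here;
    # that is a property of the two-newline separator, not of this parser.
    return [a for a in text.split(ASSERTION_SEPARATOR) if a.strip()]


def parse_fields(assertion_text):
    """Extract top-level fields (lower-cased name -> value).

    A line beginning with whitespace continues the previous field's value.
    Simplification: no signature verification, no Conditions evaluation.
    """
    fields, current = {}, None
    for line in assertion_text.split("\n"):
        if line[:1] in (" ", "\t") and current:
            fields[current] += " " + line.strip()
        elif ":" in line:
            current, value = line.split(":", 1)
            current = current.strip().lower()
            fields[current] = value.strip()
        else:
            raise AuthzFormatError("malformed assertion line: %r" % line)
    return fields


def linked_assertions(assertions, tls_peer_key):
    """Linkage rule from the note: ACTION_AUTHORIZER is the key that authenticated
    the TLS peer, and only assertions whose Licensees field names that key are
    kept.  An assertion issued to some other key proves nothing about this peer."""
    action_authorizer = tls_peer_key
    kept = []
    for text in assertions:
        f = parse_fields(text)
        if f.get("keynote-version") != "2":
            continue
        if action_authorizer in f.get("licensees", ""):
            kept.append(f)
    return kept


# Constructed sample input: two toy assertions from the same authorizer, one
# licensing the TLS peer's key and one licensing a different key.  Key and
# signature strings are placeholders in KeyNote's syntax, not real material.
PEER_KEY = '"rsa-hex:deadbeef"'
OTHER_KEY = '"rsa-hex:cafef00d"'
SAMPLE_ASSERTIONS = [
    'KeyNote-Version: 2\n'
    'Authorizer: "rsa-hex:0a0b0c"\n'
    'Licensees: ' + PEER_KEY + '\n'
    'Conditions: app_domain == "tls-authz" &&\n'
    '            operation == "read" -> "true";\n'
    'Signature: "sig-rsa-sha1-hex:00"',
    'KeyNote-Version: 2\n'
    'Authorizer: "rsa-hex:0a0b0c"\n'
    'Licensees: ' + OTHER_KEY + '\n'
    'Conditions: app_domain == "tls-authz" -> "true";\n'
    'Signature: "sig-rsa-sha1-hex:01"',
]


def demo():
    """Round-trip the sample list and apply the linkage check; returns (sent, kept)."""
    wire = encode_keynote_entry(SAMPLE_ASSERTIONS)
    assertions = decode_keynote_entry(wire)
    return len(assertions), len(linked_assertions(assertions, PEER_KEY))


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows two assertions on the wire and one surviving the linkage filter. The filter is the step the note asks receivers to add: without binding ACTION_AUTHORIZER to the key that actually authenticated the TLS peer, a peer could replay assertions issued to someone else's key. The real authorization decision still requires an RFC 2704 evaluator (signature checks, delegation chain back to local POLICY, Conditions evaluation), which this example deliberately does not implement.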
