Re: [kitten] Proposed GSS extension for explicit credential stores
Simo Sorce <simo@redhat.com> Tue, 03 April 2012 13:46 UTC
Return-Path: <simo@redhat.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4753421F84B3 for <kitten@ietfa.amsl.com>; Tue, 3 Apr 2012 06:46:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.599
X-Spam-Level:
X-Spam-Status: No, score=-110.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id om97FkJjcwbB for <kitten@ietfa.amsl.com>; Tue, 3 Apr 2012 06:46:50 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by ietfa.amsl.com (Postfix) with ESMTP id 2F95921F847C for <kitten@ietf.org>; Tue, 3 Apr 2012 06:46:48 -0700 (PDT)
Received: from int-mx02.intmail.prod.int.phx2.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q33Dkk20021045 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 3 Apr 2012 09:46:46 -0400
Received: from [10.3.113.104] (ovpn-113-104.phx2.redhat.com [10.3.113.104]) by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id q33DkjBf003754; Tue, 3 Apr 2012 09:46:45 -0400
From: Simo Sorce <simo@redhat.com>
To: Simon Josefsson <simon@josefsson.org>
In-Reply-To: <87y5qdrocb.fsf@latte.josefsson.org>
References: <CAK3OfOgh7TvkxvdtsNvNHn9YMTgWa_1aJ4=ozkrujvHxG8K0-Q@mail.gmail.com> <CAK3OfOg5NEc5coye1jPNdQ_X1J0SWdRxo_cG58ozCkLL23izjg__2631.29941090501$1333429012$gmane$org@mail.gmail.com> <87y5qdrocb.fsf@latte.josefsson.org>
Content-Type: text/plain; charset="UTF-8"
Organization: Red Hat, Inc.
Date: Tue, 03 Apr 2012 09:46:45 -0400
Message-ID: <1333460805.22628.262.camel@willson.li.ssimo.org>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12
Cc: kitten@ietf.org
Subject: Re: [kitten] Proposed GSS extension for explicit credential stores
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Apr 2012 13:46:51 -0000
On Tue, 2012-04-03 at 14:28 +0200, Simon Josefsson wrote: > Nico Williams <nico@cryptonector.com> writes: > > > Simo and I have a need for extensions for acquiring credentials from, > > and storing credentials into, an explicit credential store as opposed > > to the one implied by process credentials/context/environment. > > I have often needed this too. > > > The abstract API representation of this would probably be > > > > SET OF SEQUENCE { > > element_type_urn OCTET STRING, > > element OCTET STRING > > } > > It seems nice, but I haven't digested it fully yet. > > > URNs will be provided for at least the following: > > > > - ccache values > > Values will be of the form [<TYPE>:]<ccache-path-or-id>, such as > > the familiar "FILE:/tmp/somecc" but also "LSA:" and "CCAPI:...". > > > > - keytab values > > Same as with ccache values, but naming a keytab. > > > > We'll probably provide URNs for other store element types, such as: > > > > - PKCS#11 URI > > See http://tools.ietf.org/html/draft-pechanec-pkcs11uri-06 > > > > We have debated, but not reached a conclusion, other possible element > > types such as: > > > > - User-ID, username > > > > - AFS PAG > > I'd really like to see SAML SP metadata included here initially, and > would be willing to help with writing. For simplicity, you could have > multiple URns here, right? I'm thinking something like this: > > urn.ietf.kitten.saml.sp.metadata-file => > "/etc/myapp/sp-metadata.xml" > > urn.ietf.kitten.saml.sp.key-file => > "/etc/myapp/sp-key.pem" > > urn.ietf.kitten.saml.sp.cert-file => > "/etc/myapp/sp-cert.pem" > > urn.ietf.kitten.saml.sp.metadata => > "<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ..." > > urn.ietf.kitten.saml.sp.cert => > "-----BEGIN CERTIFICATE -----\nMII..." > > Alternatively, there could be a "struct" approach for SAML SP > credentials if you wanted to use only one URN for each credential, > however it gets a bit more ugly: > > urn.ietf.kitten.saml.sp => > "metadata_file=/etc/myapp/sp-metadata.xml, key_file=/etc/myapp/sp-key.pem, ..." > > Thoughts? Although values are opaque a rule we try to follow is to not put credentials directly in there, but always use files and paths for anything that is longer that a few hundred characters or unprintable. These strings are supposed to be stored in configuration files, and we do not want to force admins in a corner by requiring to set credentials in a config file that also needs to be readable to users that shouldn't have access to some of the credentials. This should be the guiding principle in defining the values. Simo. -- Simo Sorce * Red Hat, Inc * New York
- [kitten] Proposed GSS extension for explicit cred… Nico Williams
- Re: [kitten] Proposed GSS extension for explicit … Simon Josefsson
- Re: [kitten] Proposed GSS extension for explicit … Simo Sorce
- Re: [kitten] Proposed GSS extension for explicit … Nico Williams