diff options
Diffstat (limited to 'doc/standardisation/draft-ietf-krb-wg-kerberos-set-passwd-02.txt')
-rw-r--r-- | doc/standardisation/draft-ietf-krb-wg-kerberos-set-passwd-02.txt | 1793 |
1 files changed, 0 insertions, 1793 deletions
diff --git a/doc/standardisation/draft-ietf-krb-wg-kerberos-set-passwd-02.txt b/doc/standardisation/draft-ietf-krb-wg-kerberos-set-passwd-02.txt deleted file mode 100644 index a25d8096c..000000000 --- a/doc/standardisation/draft-ietf-krb-wg-kerberos-set-passwd-02.txt +++ /dev/null @@ -1,1793 +0,0 @@ - -Kerberos Working Group Nicolas Williams -INTERNET-DRAFT Sun Microsystems -Category: Standards Track Jonathan Trostle - Cisco Systems - - - - Kerberos Set/Change Password: Version 2 - <draft-ietf-krb-wg-kerberos-set-passwd-02.txt> - -Status of this Memo - - By submitting this Internet-Draft, I certify that any applicable - patent or other IPR claims of which I am aware have been disclosed, - and any of which I become aware will be disclosed, in accordance with - RFC 3668. - - Internet-Drafts are working documents of the Internet Engineering - Task Force (IETF), its areas, and its working groups. Note that - other groups may also distribute working documents as - Internet-Drafts. - - Internet-Drafts are draft documents valid for a maximum of six months - and may be updated, replaced, or obsoleted by other documents at any - time. It is inappropriate to use Internet-Drafts as reference - material or to cite them other than as "work in progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt. - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - - This Internet-Draft will expire on January 12, 2005. - -Copyright Notice - - Copyright (C) The Internet Society (2004). All Rights Reserved. - -Abstract - - This document specifies an extensible protocol for setting keys and - changing the passwords of Kerberos V principals. - -Table of Contents - - 1 Introduction - 2 The Protocol - 2.1 Transports - 2.2 Protocol Framing - 2.3 Protocol version negotiation - 2.3.1 Protocol Major Version Negotiation - 2.3.2 Protocol Minor Version Negotiation - 2.4 Use of Kerberos V - -N. Williams et. al. [Page 1] - -DRAFT Kerberos Set/Change Password v2 Expires January 2005 - - 2.5 Use of ASN.1 - 2.6 Internationalization - 2.6.1 Normalization Forms for UTF-8 Strings - 2.6.2 Language Negotiation - 2.7 Protocol Extensibility - 2.8 Protocol Subsets - 3 Protocol Elements - 3.1 PDUs - 3.2 Operations - 3.2.1 Null - 3.2.2 Change Kerberos Password - 3.2.3 Set Kerberos Password - 3.2.4 Set Kerberos Keys - 3.2.5 Generate Kerberos Keys - 3.2.6 Get New Keys - 3.2.7 Commit New Keys - 3.2.8 Get Password Quality Policy - 3.2.9 Get Principal Aliases - 3.2.10 Get Realm's Supported Kerberos V Version and Features - 4 ASN.1 Module - 6 IANA Considerations - 7 Security Considerations - 8 Acknowledgements - 9 References - 9.1 Normative References - 9.2 Informative References - 10 Authors' Addresses - 11 Notes to the RFC Editor - -Conventions used in this document - - The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", - "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this - document are to be interpreted as described in [RFC2119]. - -1 Introduction - - Up to this point Kerberos V has lacked a single, standard protocol - for changing passwords and keys. While several vendor-specific - protocols exist for changing Kerberos passwords/keys, none are - properly internationalized and all are incomplete in one respect or - another and none are sufficiently extensible to cope with new - features that may be added to Kerberos V at some future time. - - This document defines a protocol that is somewhat backward-compatible - with the "kpasswd" protocol defined in [RFC3244] that uses more or - less the same protocol framing. - - This new protocol is designed to be extensible and properly - internationalized. - -2 The Protocol - - -N. Williams et. al. [Page 2] - -DRAFT Kerberos Set/Change Password v2 Expires January 2005 - - The structure of the protocol is quite similar to that of typical RPC - protocols. Each transaction consists of a data structure specific to - an operation which is then wrapped in a data structure which is - general to all operations of the protocol. These data structures are - defined with the Abstract Syntax Notation 1 (ASN.1) [X680] and they - are encoded using the Distinguished Encoding Rules (DER) [X690]. - - All protocol data is wrapped KRB-PRIV messages, or, in some cases, a - KRB-ERROR, and framed in a header that is backwards compatible with - [RFC3244]. - -2.1 Transports - - The service supports only connection-oriented transports, - specifically TCP, and MUST accept requests on TCP port 464, the same - as in [RFC3244]. - -2.2 Protocol Framing - - Requests and responses are exchanged using the same framing as in - [RFC3244], but with the following differences: - - - the protocol number field MUST be set to 0x2 (not 0xff80 or 0x1) - - - the 'AP-REQ length' field of the request can be set to 0x0, in - which case the 'AP-REQ' field of the request is excluded - - - the 'KRB-PRIV' field of the request and reply is mutually - exclusive with the 'AP-REQ' field of the request - - - the 'AP-REP length' field of the reply can be set to 0x0, in - which case the 'AP-REP' field of the reply is excluded - - - all errors MUST be sent in a KRB-PRIV if the client's AP-REQ can - be or has been accepted by the server - - - any KRB-ERROR messages are framed and sent in the 'AP-REP' field - of the reply - - The initial message from the client MUST carry an AP-REQ and the - response to any request bearing an AP-REQ MUST carry an AP-REP or - MUST be a KRB-ERROR. - - Subsequent messages exchanged on the same TCP connection MAY involve - Kerberos V AP exchanges, but generally the client SHOULD NOT initiate - a new AP exchange except when it desires to authenticate as a - different principal, when the ticket last used for authentication - expires or when the server responds with an error indicating that the - client must re-authenticate. - -2.3 Protocol Version Negotiation - - There are several major versions of this protocol. Version 2 also - -N. Williams et. al. [Page 3] - -DRAFT Kerberos Set/Change Password v2 Expires January 2005 - - introduces a notion of protocol minor versions for use in negotiating - protocol extensions. As of this time only one minor version is - defined for major version 2: minor version 0, defined herein. - -2.3.1 Protocol Major Version Negotiation - - Version 2 clients that also support other versions, such as 0xff80, - as in [RFC3244], SHOULD attempt to use version 2 of the protocol - first. - - Servers which do not support version 2 of this protocol typically - include their preferred version number in the reply and/or may - include a reply in the e-data of a KRB-ERROR, or in a KRB-PRIV with a - status code of KRB5_KPASSWD_MALFORMED. - - Note that some [RFC3244] server implementations close the TCP - connection without returning any other response. Note also that - there is no integrity protection for the major version number in the - protocol framing or for any data in a KRB-ERROR. - - As a result change password protocol major version negotiation is - subject to downgrade attacks. Therefore major version negotiation is - NOT RECOMMENDED. - - Where the server indicates that it does not support version 2, the - client MAY, but SHOULD NOT, unless configured to do so, fall back on - another major version of this protocol. - - Version 2 servers MAY respond to non-v2 requests using whatever - response is appropriate for the versions used by the clients, but if - a server does not do this or know how to do this then it MUST respond - with an error framed as in section 2.2, using an AP-REP and KRB-PRIV - if the client's AP-REQ can be accepted, or a KRB-ERROR otherwise and - using a ProtocolErrorCode value of unsupported-major-version. - - It is expected that implementations of as yet unspecified future - major versions of this protocol will be required to support version 2 - integrity protected error replies for properly indicating no support - for version 2 of the protocl. We also hope that no further major - versions of this protocol will be needed. - -2.3.2 Protocol Minor Version Negotiation - - Version 2 clients are free to use whatever protocol minor version and - message extensions are available to them in their initial messages to - version 2 servers, provided that the minor versions (other than 0) - have been defined through IETF documents. - - Version 2 servers MUST answer with the highest protocol minor version - number supported by the server and the client. - - Version 2 clients MUST use the protocol minor version used in a - server's reply for any subsequent messages in the same TCP session. - -N. Williams et. al. [Page 4] - -DRAFT Kerberos Set/Change Password v2 Expires January 2005 - - - See section 2.7 for further description of the protocol's - extensibility and its relation to protocol minor versions and the - negotiation thereof. - -2.4 Use of Kerberos V and Key Exchange - - This protocol makes use of messages defined in [RFC1510] and - [clarifications]. Specifically, AP-REQ, AP-REP, KRB-ERROR and - KRB-PRIV. - - All operations are to be performed by the server on behalf of the - client principal. - - Clients SHOULD use "kadmin/setpw" as the principal name of the server - for all requests except when changing the client principal's own - expired password, for which they should use "kadmin/changepw". The - "kadmin/changepw" service exists to allow KDCs to limit principals - with expired passwords to getting initial tickets to the password - changing service only and only for changing expired passwords. - - Servers MUST limit clients that used the "kadmin/changepw" service - principal name to changing the password of the client principal. - - The client MUST request mutual authentication and the client MUST - MUST request the use of sequence numbers. - - Clients SHOULD use INITIAL tickets for requests whose target - principal is the client's principal. Servers SHOULD force the use of - INITIAL tickets for such requests and MAY force the use of INITIAL - for all others - see section 3.2. - - Servers MUST specify a sub-session key. - - The encrypted part of KRB-PRIVs MUST be encrypted with the server's - sub-session key and key usage 20 (client->server) or 21 - (server->client). - - After each new AP exchange the client and server MUST destroy the - session keys, if any, resulting from the previous AP exchange. - -2.5 Use of ASN.1 - - This protocol's messages are defined in ASN.1, using only features - from [X680]. All ASN.1 types defined herein are to be encoded in - DER [X690]. A complete ASN.1 module is given in section 4. - - The DER encoding of the ASN.1 PDUs are exchanged wrapped in a - KRB-PRIV as described above and/or as e-data in KRB-ERROR messages. - -2.6 Internationalization - - This protocol's request PDU carries an optional field indicating the - -N. Williams et. al. [Page 5] - -DRAFT Kerberos Set/Change Password v2 Expires January 2005 - - languages spoken by the client user; the client SHOULD send its list - of spoken languages to the server (once per-TCP session). - - The server SHOULD localize all strings intended for display to users - to a language in common with the languages spoken by the client user. - - Strings for Kerberos principal and realm names used in this protocol - are be constrained as per [clarifications]. - -2.6.1 Normalization Forms for UTF-8 Strings - - Because Kerberos V [clarifications] restricts principal names, realm - names and passwords to IA5String, this protocol uses UTF8String with - an extensible constraint to IA5String. - - Future versions of Kerberos may relax this constraint; if so then a - minor version of this protocol should relax this constraint - accordingly. - -2.6.2 Language Negotiation - - The server MUST pick a language from the client's input list or - the default language tag (see [RFC3066]) for text in its responses - which is meant for the user to read. - - The server SHOULD use a language selection algorithm such that - consideration is first given to exact matches between the client's - spoken languages and the server's available locales, followed by - "fuzzy" matches where only the first sub-tags of the client's - language tag list are used for matching against the servers available - locales. - - Servers MUST cache the optional language tag lists from prior - requests for use with subsequent requests that exclude the language - tag list. Clients MAY expect such server behaviour and send the - language tag lists only once per-TCP session. Clients SHOULD send - the server the language tag list at least once. - - When the server has a message catalog for one of the client's spoken - languages the server SHOULD localize any text strings intended for - display to users. - -2.7 Protocol Extensibility - - The protocol is defined in ASN.1 and uses extensibility markers - throughout. As such, the module presented herein can be extended - within the framework of [X680]. - - Typed holes are not used in this protocol as it is very simple and - does not require the ability to deal with abstract data types defined - in different layers. For this reason, the only way to extend this - protocol is by extending the ASN.1 module within the framework of the - IETF; all future extensions to this protocol have to be defined in - -N. Williams et. al. [Page 6] - -DRAFT Kerberos Set/Change Password v2 Expires January 2005 - - IETF documents unless otherwise specified in a future IETF revision - of this protocol. - - A protocol minor version number is used to negotiate use of - extensions. See section 2.3.2 for the minor version negotiation. - - Servers SHOULD ignore unknown additions to the ASN.1 types, in - initial requests, where the syntax allows them, except for extensions - to the "Op-req" type, which MUST result in an error. - - Servers MUST respond with an error (ProtocolErrorCode value of - unsupported-minor-version) to clients that use operations unknown to - the server. - -2.8 Protocol Subsets - - The structure of the protocol is such that the ASN.1 syntaxes for the - various operations supported by the protocol are independent of the - each other. Client and server implementations MAY implement subsets - of the overall protocol by removing some alternatives to the Op-req, - Op-rep and Op-err CHOICEs from the ASN.1 module given in section 4. - - For example, it should be possible to have a password-change only - client that cannot set principal's keys - and vice versa. - -3 Protocol Elements - - The protocol as defined herein supports the following operations - relating to the management of Kerberos principal's passwords or keys: - - [NOTE: New since last version of this I-D.] - - get principal's current and preferred string-to-key parameters - - - change password (or enctypes and string-to-key parameters) - - set password (administrative) - - set new keys - - generate new keys - - get new, un-committed keys - - commit new keys - - get password policy name and/or description of principal - - list aliases of a principal - - list enctypes and version of Kerberos V supported by realm - - The operation for retrieving a list of aliases of a principal is - needed where KDCs implement aliasing of principal names and allows - clients to properly setup their key databases when principal aliasing - is in use. - - Operations such as creation or deletion of principals are outside the - scope of this document, and should be performed via other means, such - as through directories or other Kerberos administration protocols. - - The individual operations are described in section 3.2. - -N. Williams et. al. [Page 7] - -DRAFT Kerberos Set/Change Password v2 Expires January 2005 - - -3.1 PDUs - - The types "Request," "Response" and "Error-Response" are the ASN.1 - module's PDUs. - - The "Request" and "Response" PDUs are always to be sent wrapped in - KRB-PRIV messages, except for the "Error-Response" PDU which MUST be - sent as KRB-ERROR e-data (see section 2.4.1) when AP exchanges fail, - otherwise it MUST be sent wrapped in a KRB-PRIV. - - The ASN.1 syntax for the PDUs is given in section 4. - - Note that the first field of each PDU is the major version of the - protocol, defaulted to 2, meaning that it is never included in - version 2 exchanges. Similarly, the second field of each PDU is the - minor version, defaulted to 0. - - The request, responses and error PDUs consist of an outer structure - ("Request," "Response" and "Error-Response") containing fields common - to all requests, responses and errors, respectively, and an inner - structure for fields that are specific to each operation's - requests/responses. The inner structure is optional in the case of - the Error-Response PDU and need not be included when generic errors - occur for which there is a suitable ProtocolErrorCode. - - Specifically, the outer Request structure has a field for passing a - client user's spoken (read) languages to the server. It also has two - optional fields for identifying the requested operation's target - principal's name and realm (if not sent then the server MUST use the - client's principal name and realm as the target). A boolean field - for indicating whether or not the request should be dry-run is also - included; dry-runs can be used to test server policies, and servers - MUST NOT modify any principals when processing dry-run requests. - - The Response and Error PDUs' outer structures include a field - indicating the language that the server has chosen for localization - of text intended to be displayed to users; this field is defaulted to - "i-default". This language tag applies to all UTF8 strings in the - inner structure (Op-rep and Op-err) that are meant to be displayed to - users. - - The protocol error codes are: - - - proto-generic-error - - An operation-specific error ocurred, see the inner Op-error. - - - proto-format-error - - proto-unsupported-major-version - - proto-unsupported-minor-version - - proto-unsupported-operation - - -N. Williams et. al. [Page 8] - -DRAFT Kerberos Set/Change Password v2 Expires January 2005 - - - proto-wrong-service-principal - - Use kadmin/setpw for the server's principal name. - - - proto-re-authentication-required - - The server demands that the client re-authenticate through a new - AP exchange. - - - proto-initial-ticket-required - - Use of an INITIAL ticket is required for the requested - operation. - - - proto-client-and-target-realm-mismatch - - The server requires that the client's principal name and the - target principal of the operation share the same realm name. - - - proto-target-principal-unknown - - proto-authorization-failed - -3.2 Operations - - This section describes the semantics of each operation request and - response defined in the ASN.1 module in section 4. - -3.2.1 Null - - NAME - - null - Null or "ping" operation - - DESCRIPTION - - The null request is intended for use with TCP; its purpose is - similar to RPC null procedures and is akin to a "ping" operation. - - ERRORS - - None. - -3.2.2 Change Kerberos Password - - NAME - - change-pw - Change password operation - - SYNOPSIS - - Req-change-pw(old-pw, [languages], [new-pw], - [commit], [etypes]) -> - Rep-change-pw([info-text], [new-pw], [etypes]) | - -N. Williams et. al. [Page 9] - -DRAFT Kerberos Set/Change Password v2 Expires January 2005 - - Err-change-pw([help-text], error code, [error info]) - - DESCRIPTION - - Change a principal's password. - - The change password request has one required, three optional and - one defaulted arguments: "old-pw" (required), "languages," - "new-pw", "commit" (defaults to "TRUE") and "etypes", - corresponding to the target principal's old password, its - preferred languages, its new password, a boolean indicating - whether or not to make the new long-term key available for - immediate use, and the desired enctypes for the new long-term - keys. - - The server MUST validate the old password and MUST check the - quality of the new password, if sent, according the password - quality policy associated with the target principal. - - If the old and new passwords in the request are the same strings, - and the principal is not currently required to change its - password, then the server MAY permit the password change as way to - change a principal's enctypes and string-to-key parameters. This - feature provides a way to, for example, add enctypes to a - principals' password-derived long-term keys without forcing a - password change following an upgrade to the KDC that adds support - for new enctypes. - - A client MAY request that the server generate a new password by - excluding the new password from its request, in which case the - server MUST either generate a new password or respond with an - error indicating that it does not support this feature. - - Server-generated passwords MUST meet the target principal's - password quality policy. It is RECOMMENDED that server-generated - passwords be user-friendly, that is, memorable and that the target - principal's preferred languages be taken into account by the - password generation alogrithm used by the server. - - Uncommitted password changes are commited using the commit-keys - operation. - - RETURN - - Upon successful password changes the server responds with a - Rep-change-pw. The fields of Rep-change-pw are all optional and - include: - - - 'info-text' which the server can use to send a message to the - user such as "Your new password will expire in 90 days," for - example. - - - 'new-pw' which the server MUST include if the client - -N. Williams et. al. [Page 10] - -DRAFT Kerberos Set/Change Password v2 Expires January 2005 - - requested that the server generate a new password; generated - passwords MUST pass the target principal's password quality - policy. - - - 'etypes' which the server MAY include to indicate which types - of long-term keys it created for the target principal and - which the server MUST include if the client specified a set - of enctypes in its request. - - ERRORS - - The server may respond to change password requests with protocol - or operation errors. See section 3.1 for a description of - protocol error codes. - - All operation errors include an optional 'help-text' field by - which the server can describe the error in a human-readable, - localizaed string. - - Change password error codes include: - - - generic-error - - - old-pw-incorrect - - - wont-generate-new-pw - - The server will not generate a new password for this - principal or does not support password generation in general. - - - new-pw-rejected-generic - - The client's proposed new password failed the target - principal's password quality policy. - - The server MUST include a description of the password quality - policy or aspect of it that the client's proposed new - password failed to meet. - - The server MAY generate and send a new password that the - client can then use as a new password and which is guaranteed - to pass the target principal's current password quality - policy. - - The server MAY include a set of policy error code hints. - - - etype-not-supported - - The client requested an enctype that the KDC does not - support. - -3.2.3 Set Kerberos Password - - -N. Williams et. al. [Page 11] - -DRAFT Kerberos Set/Change Password v2 Expires January 2005 - - NAME - - set-pw - Set password operation - - SYNOPSIS - - Req-set-pw([languages], [new-pw], [commit], [etypes]) -> - Rep-set-pw([info-text], [new-pw], [etypes]) | - Err-set-pw([help-text], error code, [error info]) - - DESCRIPTION - - Administratively set a principal's password. - - The set password request has three optional and one defaulted - arguments: "languages", "new-pw," "commit" (defaulted to "TRUE") - and "etypes", corresponding to the target principal's preferred - languages, new password, a boolean indicating whether or not to - make the new long-term key available for immediate use, and the - desired enctypes for the new long-term keys. - - The server MUST check the quality of the new password, if sent, - according the password quality policy associated with the target - principal. - - The server SHOULD require that the client use the change-pw - operation instead of set-pw when the client principal and the - target principal are the same. - - A client MAY request that the server generate a new password by - excluding the new password from its request, in which case the - server MUST either generate a new password or respond with an - error indicating that it does not support this feature. - - Server-generated passwords MUST meet the target principal's - password quality policy. It is RECOMMENDED that server-generated - passwords be user-friendly, that is, memorable and that the target - principal's preferred languages be taken into account by the - password generation alogrithm used by the server. - - RETURN - - Upon successfully setting a password the server responds with a - Rep-set-pw. The fields of Rep-set-pw are all optional and - include: - - - 'info-text' which the server can use to send a message to the - user such as "Your new password will expire in 90 days," for - example. - - - 'new-pw' which the server MUST include if the client - requested that the server generate a new password; generated - passwords MUST pass the target principal's password quality - -N. Williams et. al. [Page 12] - -DRAFT Kerberos Set/Change Password v2 Expires January 2005 - - policy. - - - 'etypes' which the server MAY include to indicate which types - of long-term keys it created for the target principal and - which the server MUST include if the client specified a set - of enctypes in its request. - - ERRORS - - The server may respond to set password requests with protocol or - operation errors. See section XYZ for a description of protocol - error codes. - - All operation errors include an optional 'help-text' field by - which the server can describe the error in a human-readable, - localizaed string. - - Set password error codes include: - - - generic-error - - - use-change-pw - - The server demands that the client use the change-pw - operation for the target principal of the set-pw request. - - - wont-generate-new-pw - - The server will not generate a new password for this - principal or does not support password generation in general. - - - new-pw-rejected-generic - - The client's proposed new password failed the target - principal's password quality policy. - - The server MUST include a description of the password quality - policy or aspect of it that the client's proposed new - password failed to meet. - - The server MAY generate and send a new password that the - client can then use as a new password and which is guaranteed - to pass the target principal's current password quality - policy. - - The server MAY include a set of policy error code hints. - - - etype-not-supported - - The client requested an enctype that the KDC does not - support. - -3.2.4 Set Kerberos Keys - -N. Williams et. al. [Page 13] - -DRAFT Kerberos Set/Change Password v2 Expires January 2005 - - - NAME - - set-keys - - SYNOPSIS - - Req-set-keys(new-keys, commit?, [isupport]) -> - Rep-set-keys([info-text], kvno, aliases, [isupport]) - - DESCRIPTION - - The set-keys request consists of two required fields and one - optional field: "new-keys", "commit" (a boolean field - see below) - and "isupport", an optional field for indicating to the KDC what - Kerberos V features are supported by the target principal. - - When "commit" is true the KDC makes the new keys available for - issueing tickets encrypted in them immediately. Otherwise the - client MUST follow up with a commit-keys request to make the keys - available. This feature is useful for changing keys shared by - multiple hosts, in clustered services, for example, in an atomic - manner; see section 3.2.6 and 3.2.7. - - If a principal has keys are awaiting commitment when a new - set-keys request for that principal s made then the KDC MUST - overwrite the deferred keys. - - RETURN - - For successful set-keys operations the server returns: - - - Informational text, optional. - - - The new kvno for the target principal. - - - A list of aliases of the target principal known to the KDC - (optional). - - - The set of Kerberos V features supported by the KDC - (optional). - - ERRORS - - The server may respond with the following errors: - - - generic - - deferred-commit-no-support - - etype-no-support - -3.2.5 Generate Kerberos Keys - - NAME - -N. Williams et. al. [Page 14] - -DRAFT Kerberos Set/Change Password v2 Expires January 2005 - - - gen-keys - - SYNOPSIS - - Req-gen-keys(etypes, [entropy], commit?, [isupport]) -> - Rep-set-keys([info-text], key, kvno, aliases, [isupport]) - - DESCRIPTION - - The gen-keys is similar to the set-keys request (see section - 3.2.4) but differs in that the server generates keys of - client-requested enctypes, rather than the client providing - specific keys. - - The gen-keys request consists of two required fields and two - optional fields: "etypes" (the enctypes of the new keys), - "entropy", "commit" and "isupport" (see section 3.2.4). - - If a principal has keys are awaiting commitment when a new - set-keys request for that principal s made then the KDC MUST - overwrite the deferred keys. - - RETURN - - For successful set-keys operations the server returns: - - - Informational text, optional. - - - The new kvno for the target principal. - - - The new key (only one is needed). - - - A list of aliases of the target principal known to the KDC - (optional). - - - The set of Kerberos V features supported by the KDC - (optional). - - ERRORS - - The server may respond with the following errors: - - - generic - - deferred-commit-no-support - - etype-no-support - -3.2.6 Get New Keys - - NAME - - get-keys - - -N. Williams et. al. [Page 15] - -DRAFT Kerberos Set/Change Password v2 Expires January 2005 - - SYNOPSIS - - Req-get-keys(kvno) -> - Rep-get-keys([info-text], keys, aliases, [isupport]) | - Err-get-keys([help-text], error code, [error info]) - - DESCRIPTION - - This request allows a client to get the keys set or generated in a - previous set-keys or gen-keys request with deferred commitment.. - - RETURN - - If the target principal and kvno correspond to uncommitted keys - the server MUST respond with the actual keys that would be set by - a subsequent commit-keys request. Otherwise the server MUST - respond with an error (meaning that this operation cannot be used - to extract keys from the KDC that may be in use). - - ERRORS - - - generic - - kvno-committed - - no-such-kvno - -3.2.7 Commit New Keys - - NAME - - commit-keys - - SYNOPSIS - - Req-commit-keys(kvno) -> - Rep-commit-keys() | - Err-commit-keys([help-text], error code, [error info]) - - DESCRIPTION - - The commit-keys operation allows a client to bring a principal's - new keys into use at the KDC. - - Clients should make a commit-keys request corresponding to a - deferred commitment set-keys/gen-keys operation as soon as the - local key database for the target principal is updated. - - The target principal name and the kvno MUST match those from a - prior set-keys or gen-keys operation. - - Servers MAY expire delayed key commitments at will. Servers - SHOULD expire uncommitted new keys after a reasonable amount of - time (600 seconds is RECOMMENDED). - - -N. Williams et. al. [Page 16] - -DRAFT Kerberos Set/Change Password v2 Expires January 2005 - - Servers MUST respond to new set-keys requests for principals with - pending, uncommitted new keys by expiring the uncommitted new keys - and proceeding as if there had been no expired new keys. - - ERRORS - - - generic - - op-kvno-expired - - op-kvno-unknown - - new-keys-conflict (A set-keys or gen-keys request succeeded - subsequent to the request that matches this - {principal, kvno} tuple.) - -3.2.8 Get Password Quality Policy - - NAME - - get-pw-policy - - SYNOPSIS - - Req-get-pw-policy() -> - Rep-get-pw-policy([policy name], [policy description]) - - DESCRIPTION - - Returns a description of the target principal's associated - password quality policy, if any, as a list of localized - UTF8String values. - - Clients can use this operation in conjunction with the change-pw - operation to obtain text that can be displayed to the user before - the user actually enters a new password. - - It is common for sites to set policies with respect to password - quality. It is beyond the scope of this document to describe such - policies. Management of password quality policies' actual content - is also beyond the scope of this protocol. - - ERRORS - - No operation errors are defined. - - -3.2.9 Get Principal Aliases - - NAME - - get-print-aliases - - SYNOPSIS - - Req-get-princ-aliases() -> - -N. Williams et. al. [Page 17] - -DRAFT Kerberos Set/Change Password v2 Expires January 2005 - - Rep-get-princ-aliases(aliases) - - DESCRIPTION - - Returns a list of aliases of the target principal. - - ERRORS - - No operation-specific errors. - -3.2.10 Get Realm's Supported Kerberos V Version and Features - - NAME - - get-realm-krb5-support - - SYNOPSIS - - Req-get-realm-krb5-support() -> - Rep-get-realm-krb5-support(isupport) - - DESCRIPTION - - Returns set of Kerberos V features support by the target - principal's realm's KDCs. - - ERRORS - - No operation-specific errors. - -3.2.11 Retrieve Principal's S2K Params and Preferred Params - - NAME - - get-s2kparams - - SYNOPSIS - - Req-get-s2kparams() -> - Rep-get-s2kparams([princ-s2kparams], [preferred-s2kparams]) - - DESCRIPTION - - Returns the string2key parameters for the principal's current - password-derived long-term keys, if any, and the parameters that - the realm would prefer, if they differ from the former. - - This operation is intended for use with the change-pw() operation. - When surprised by a KDC's PA-ETYPE-INFO2 a client SHOULD check if - the principal's long-term secret keys' string2key parameters (and - enctype list) should be changed and, if so, change them. - - If the 'princ-s2kparams' return value is missing then the - -N. Williams et. al. [Page 18] - -DRAFT Kerberos Set/Change Password v2 Expires January 2005 - - principal does not have a password-derived long-term key. - - The 'preferred-s2kparams' MUST be excluded if the principal's - string2key parameters satisfy the realm's policy. - - ERRORS - - No operation-specific errors. - -3.3 Principal Aliases - - Applications that use Kerberos often have to derive acceptor - principal names from hostnames entered by users. Such hostnames may - be aliases, they may be fully qualified, partially qualified or not - qualified at all. Some implementations have resorted to deriving - principal names from such hostnames by utilizing the names services - to canonicalize the hostname first; such practices are not secure - unless the name service are secure, which often aren't. - - One method for securely deriving principal names from hostnames is to - alias principals at the KDC such that the KDC will issue tickets for - principal names which are aliases of others. It is helpful for - principals to know what are their aliases as known by the KDCs. - - Note that changing a principal's aliases is out of scope for this - protocol. - -3.4 Kerberos V Feature Negotiation - - Principals and realms' KDCs may need to know about additional - Kerberos V features and extensions that they each support. Several - operations (see above) provide a way for clients and servers to - exchange such infomration, in the form of lists of types supported - for the various typed holes used in Kerberos V. - -4 ASN.1 Module - - DEFINITIONS EXPLICIT TAGS ::= BEGIN - -- - -- Note: EXPLICIT tagging is in use by default throughout this - -- module. - - -- From [clarifications] with modifications - PrincipalName ::= SEQUENCE { - name-string [1] SEQUENCE OF UTF8String (IA5String, ...) - } - Realm ::= UTF8String (IA5String, ...) - Salt ::= UTF8String (IA5String, ...) - Password ::= UTF8String (IA5String, ...) - - -- NOTE WELL: Principal and realm names MUST be constrained by the - -- specification of the version of Kerberos V used by the - -- client. - -N. Williams et. al. [Page 19] - -DRAFT Kerberos Set/Change Password v2 Expires January 2005 - - -- - -- [Perhaps PrincipalName should be a SEQUENCE of an optional name - -- type and a UTF8String, for simplicity.] - - -- From [clarifications] - Int32 ::= INTEGER (-2147483648..2147483647) - UInt32 ::= INTEGER (0..4294967295) - - -- Based on [clarifications] - Etype ::= Int32 - Etype-Info-Entry ::= SEQUENCE { - etype [0] Etype, - salt [1] Salt OPTIONAL, - s2kparams [2] OCTET STRING OPTIONAL, - ... - } - Key ::= SEQUENCE { - enc-type [0] Etype, -- from Kerberos - key [1] OCTET STRING, - ... - } - - Language-Tag ::= UTF8String -- Constrained by [RFC3066] - - -- Empty, extensible SEQUENCEs are legal ASN.1 - Extensible-NULL ::= SEQUENCE { - ... - } - - -- Kerberos clients negotiate some parameters relating to their peers - -- indirectly through the KDC. Today this is true of ticket session - -- key enctypes, but in the future this indirect negotiation may also - -- occur with respect to the minor version of Kerberos V to be used - -- between clients and servers. Additionally, KDCs may need to know - -- what authorization-data types are supported by service principals, - -- both, for compatibility with legacy software and for optimization. - -- - -- Thesefore it is important for KDCs to know what features of - -- Kerberos V each service principal supports. - -- - -- In version 2.0 of this protocol the clients and servers may notify - -- each other of their support for: - -- - -- - enctypes - -- - authorization data types - -- - transited encoding data types - -- - -- All authorization-data types defined in [clarifications] are - -- assumed to be supported if the minor version is 1 and do not need - -- to be included in the ad-type list. - -- - -- Int32 is used for enctype and transited encoding data type - -- identifiers. - -N. Williams et. al. [Page 20] - -DRAFT Kerberos Set/Change Password v2 Expires January 2005 - - -- - -- An extensible CHOICE of Int32 is used for authorization data - -- types. - - KerberosV-TR-ID ::= Int32 - - KerberosV-AD-ID ::= CHOICE { - ad-int [0] Int32, - ... - } - - KerberosVSupportNego ::= SEQUENCE { - enc-types [0] SEQUENCE OF Etype, - ad-types [1] SEQUENCE OF KerberosV-AD-ID OPTIONAL, - -- authorization data types - tr-enc-types [2] SEQUENCE OF KerberosV-TR-ID OPTIONAL, - -- transited encoding types - ... - } - - Request ::= [APPLICATION 0] SEQUENCE { - pvno-minor [0] INTEGER DEFAULT 0, - languages [1] SEQUENCE OF Language-Tag OPTIONAL, - -- Should be defaulted to the SEQUENCE of "i-default" - targ-name [2] PrincipalName OPTIONAL, - targ-realm [3] Realm OPTIONAL, - -- If targ-name/realm are missing then the request - -- applies to the principal of the client - dry-run [4] BOOLEAN DEFAULT FALSE, - operation [5] Op-req, - ... - } - - Response ::= [APPLICATION 1] SEQUENCE { - pvno-minor [0] INTEGER DEFAULT 0, - language [1] Language-Tag DEFAULT "i-default", - result [2] Op-rep, - ... - } - - Error-Response ::= [APPLICATION 2] SEQUENCE { - pvno-minor [0] INTEGER DEFAULT 0, - language [1] Language-Tag DEFAULT "i-default", - error-code [2] ProtocolErrorCode, - help-text [3] UTF8String OPTIONAL, - op-error [4] Op-err OPTIONAL, - ... - } - - Op-req ::= CHOICE { - null [0] Req-null, - change-pw [1] Req-change-pw, - set-pw [2] Req-set-pw, - -N. Williams et. al. [Page 21] - -DRAFT Kerberos Set/Change Password v2 Expires January 2005 - - set-keys [3] Req-set-keys, - gen-keys [4] Req-gen-keys, - get-keys [5] Req-get-keys, - commit-keys [6] Req-commit-keys, - get-pw-policy [7] Req-get-pw-policy, - get-princ-aliases [8] Req-get-princ-aliases, - get-realm-krb5-support [9] Req-get-realm-krb5-support, - get-s2kparams [10] Req-get-s2kparams, - ... - } - - Op-rep ::= CHOICE { - null [0] Rep-null, - change-pw [1] Rep-change-pw, - set-pw [2] Rep-set-pw, - set-keys [3] Rep-set-keys, - gen-keys [4] Req-gen-keys, - get-keys [5] Req-get-keys, - commit-keys [6] Rep-commit-keys, - get-pw-policy [7] Rep-get-pw-policy, - get-princ-aliases [8] Rep-get-princ-aliases, - get-realm-krb5-support [9] Rep-get-realm-krb5-support, - get-s2kparams [10] Rep-get-s2kparams, - ... - } - - Op-err ::= CHOICE { - null [0] Err-null, - change-pw [1] Err-change-pw, - set-pw [2] Err-set-pw, - set-keys [3] Err-set-keys, - gen-keys [4] Err-gen-keys, - get-keys [5] Err-get-keys, - commit-keys [6] Err-commit-keys, - get-pw-policy [7] Err-get-pw-policy, - get-princ-aliases [8] Err-get-princ-aliases, - get-realm-krb5-support [9] Err-get-realm-krb5-support, - get-s2kparams [10] Err-get-s2kparams, - ... - } - - ProtocolErrorCode ::= ENUM { - proto-format-error, - proto-unsupported-major-version, - proto-unsupported-minor-version, - proto-unsupported-operation, -- Request CHOICE tag unknown - proto-generic-see-op-error, -- See Op-error - proto-wrong-service-principal, -- Use kadmin/setpw - proto-re-authentication-required, - proto-initial-ticket-required, - proto-client-and-target-realm-mismatch, - proto-target-principal-unknown, - proto-authorization-failed, - -N. Williams et. al. [Page 22] - -DRAFT Kerberos Set/Change Password v2 Expires January 2005 - - proto-dry-run-not-permitted, - ... - } - - -- These codes are hints for clients, primarily for when they are - -- used for changing the passwords of automated principals; error - -- replies carry password quality policy help text that is more - -- appropriate for clients to display to users. - PW-Quality-Codes ::= ENUM { - pwq-generic, - pwq-too-soon, - pwq-repeated, - pwq-too-short, - pwq-dictionary-words, - pwq-prohibited-codepoints, - pwq-need-more-char-classes, - ... - } - - -- - -- Requests and responses - -- - - -- NULL request, much like ONC RPC's NULL procedure - NOT extensible - Req-null ::= NULL - - Rep-null ::= NULL - - Err-null ::= NULL - - -- Change password - Req-change-pw ::= SEQUENCE { - old-pw [0] Password, - new-pw [1] Password OPTIONAL, - commit [2] BOOLEAN DEFAULT TRUE, - etypes [3] SEQUENCE (1..) OF Etype OPTIONAL, - ... - } - - Rep-change-pw ::= SEQUENCE { - info-text [0] UTF8String OPTIONAL, - new-pw [1] Password OPTIONAL, - -- generated by the server if present - -- (and requested by the client) - etypes [2] SEQUENCE (1..) OF Etype OPTIONAL, - ... - } - - Err-change-pw ::= SEQUENCE { - help-text [0] UTF8String OPTIONAL, - error [1] CHOICE { - op-generic-error [0] Extensible-NULL, - op-old-pw-incorrect [1] Extensible-NULL, - -N. Williams et. al. [Page 23] - -DRAFT Kerberos Set/Change Password v2 Expires January 2005 - - op-wont-generate-new-pw [2] Extensible-NULL, - op-new-pw-rejected-generic [3] SEQUENCE { - policy [1] SEQUENCE OF UTF8String, - suggested-pw [2] Password OPTIONAL, - policy-codes [3] SET OF PW-Quality-Codes - OPTIONAL, - ... - } - op-etype-not-supported [4] SEQUENCE { - supported-etypes [1] SEQUENCE OF Etype, - ... - }, - ... - }, - ... - } - - -- Set password - Req-set-pw ::= SEQUENCE { - languages [0] SEQUENCE OF Language-Tag OPTIONAL, - new-pw [1] Password OPTIONAL, - commit [2] BOOLEAN DEFAULT TRUE, - etypes [3] SEQUENCE (1..) OF Etype OPTIONAL, - ... - } - - Rep-set-pw ::= SEQUENCE { - info-text [0] UTF8String OPTIONAL, - new-pw [1] Password OPTIONAL, - -- generated by the server if present - -- (and requested by the client) - etypes [2] SEQUENCE (1..) OF Etype OPTIONAL, - ... - } - - Err-set-pw ::= Err-change-pw - - -- Set keys - Req-set-keys ::= SEQUENCE { - keys [0] SEQUENCE OF Key, - commit [1] BOOLEAN DEFAULT TRUE, - -- TRUE -> install keys now - -- - -- FALSE -> require set-keys-commit - -- before issuing tickets - -- encrypted with these keys. - -- - -- See commit-keys op - isupport [2] KerberosVSupportNego OPTIONAL, - -- For future Kerberos V extensions KDCs - -- may need to know what krb5 version is - -- supported by individual service - -- principals. This field provides a - -N. Williams et. al. [Page 24] - -DRAFT Kerberos Set/Change Password v2 Expires January 2005 - - -- way to tell the KDC what version of - -- Kerberos V the target principal - -- supports. - ... - } - - Rep-set-keys ::= SEQUENCE { - info-text [0] UTF8String OPTIONAL, - kvno [1] UInt32, - aliases [2] SEQUENCE OF SEQUENCE { - name [0] PrincipalName, - realm [1] Realm OPTIONAL, - ... - }, - isupport [3] KerberosVSupportNego OPTIONAL, - ... - -- Should there be ETYPE-INFO2 stuff here? - } - - Err-set-keys ::= SEQUENCE { - help-text [0] UTF8String OPTIONAL, -- Reason for rejection - error [1] CHOICE { - op-generic [0] Extensible-NULL, - op-deferred-commit-no-support [1] Extensible-NULL, - op-etype-no-support [2] SEQUENCE OF { - supported-etypes [1] SEQUENCE OF Etype, - ... - } - ... - } - } - - -- Generate keys - Req-gen-keys ::= SEQUENCE { - etypes [0] SEQUENCE (1..) OF Etype, - entropy [1] OCTET STRING OPTIONAL, - commit [2] BOOLEAN DEFAULT TRUE, - -- TRUE -> install keys now - -- - -- FALSE -> require set-keys-commit - -- before issuing tickets - -- encrypted with these keys. - -- - -- See commit-keys op - isupport [3] KerberosVSupportNego OPTIONAL, - -- For future Kerberos V extensions KDCs - -- may need to know what krb5 version is - -- supported by individual service - -- principals. This field provides a - -- way to tell the KDC what version of - -- Kerberos V the target principal - -- supports. - ... - -N. Williams et. al. [Page 25] - -DRAFT Kerberos Set/Change Password v2 Expires January 2005 - - } - - Rep-gen-keys ::= SEQUENCE { - info-text [0] UTF8String OPTIONAL, - kvno [1] UInt32, - key [2] Key, - aliases [3] SEQUENCE OF SEQUENCE { - name [0] PrincipalName, - realm [1] Realm OPTIONAL, - ... - }, - isupport [4] KerberosVSupportNego OPTIONAL, - ... - -- Should there be ETYPE-INFO2 stuff here? - } - - Err-gen-keys ::= Err-set-keys - - -- Get un-committed key request - Req-get-keys ::= SEQUENCE { - kvno [0] UInt32, - ... - } - - Rep-get-keys ::= SEQUENCE { - info-text [0] UTF8String OPTIONAL, - keys [1] SEQUENCE OF Key, - aliases [2] SEQUENCE OF SEQUENCE { - name [0] PrincipalName, - realm [1] Realm OPTIONAL, - ... - }, - isupport [3] KerberosVSupportNego OPTIONAL, - ... - -- Should there be ETYPE-INFO2 stuff here? - } - - Err-get-keys ::= SEQUENCE { - help-text [0] UTF8String OPTIONAL, -- Reason for rejection - error [1] CHOICE { - op-generic [0] Extensible-NULL, - op-kvno-committed [1] Extensible-NULL, - op-no-such-kvno [1] Extensible-NULL, - ... - } - } - - -- Commit a set keys request - Req-commit-keys ::= SEQUENCE { - kvno [0] UInt32, - ... - } - - -N. Williams et. al. [Page 26] - -DRAFT Kerberos Set/Change Password v2 Expires January 2005 - - Rep-commit-keys ::= Extensible-NULL - - Err-commit-keys ::= SEQUENCE { - help-text [0] UTF8String OPTIONAL, -- Reason for rejection - error [1] CHOICE { - op-generic [0] Extensible-NULL, - op-kvno-expired [1] Extensible-NULL, - -- The client took too long to respond. - op-kvno-unknown [2] Extensible-NULL, - -- The targ princ/kvno is invalid or unknown to the - -- server (perhaps it lost track of state) - op-new-keys-conflict [3] Extensible-NULL, - -- A new-keys/commit-keys request subsequent to the - -- new-keys that produced the kvno has completed - -- and incremented the principal's kvno - ... - } - ... - } - - -- Get password policy - Req-get-pw-policy ::= Extensible-NULL - - Rep-get-pw-policy ::= SEQUENCE { - policy-name [0] UTF8String OPTIONAL, - description [1] SEQUENCE OF UTF8String OPTIONAL, - ... - } - - Err-get-pw-policy ::= Extensible-NULL - - -- Get principal aliases - Req-get-princ-aliases ::= Extensible-NULL - - Rep-get-princ-aliases ::= SEQUENCE { - help-text [0] UTF8String OPTIONAL, - aliases [1] SEQUENCE OF SEQUENCE { - name [0] PrincipalName, - realm [1] Realm OPTIONAL, - ... - }, - ... - } - - Err-get-princ-aliases ::= Extensible-NULL - - -- Get list of enctypes supported by KDC for new keys - Req-get-realm-krb5-support ::= Extensible-NULL - - Rep-get-realm-krb5-support ::= SEQUENCE { - isupport [0] KerberosVSupportNego, - -- Version of Kerberos V supported by - -- the target realm. - -N. Williams et. al. [Page 27] - -DRAFT Kerberos Set/Change Password v2 Expires January 2005 - - ... - } - - Err-get-realm-krb5-support ::= Extensible-NULL - - -- Get s2kparams - Req-get-s2kparams ::= Extensible-NULL - - Rep-get-s2kparams ::= SEQUENCE { - help-text [0] UTF8String OPTIONAL, - s2kparams [1] SEQUENCE OF Etype-Info-Entry, - ... - } - - Err-get-s2kparams ::= Extensible-NULL - - END - - -6 IANA Considerations - - There are no IANA considerations for this document. - -7 Security Considerations - - Implementors and site administrators should note that the redundancy - of UTF-8 encodings of passwords varies by language. Password quality - policies SHOULD, therefore, take this into account when estimating - the amount of redundancy and entropy in a proposed new password. [?? - It's late at night - I think this is correct.] - - Kerberos set/change password/key protocol major version negotiation - cannot be done securely; a downgrade attack is possible against - clients that attempt to negotiate the protocol major version to use - with a server. It is not clear at this time that the attacker would - gain much from such a downgrade attack other than denial of service - (DoS) by forcing the client to use a protocol version which does not - support some feature needed by the client (Kerberos V in general is - subject to a variety of DoS attacks anyways [RFC1510]). Clients - SHOULD NOT negotiate support for legacy major versions of this - protocol unless configured otherwise. - - This protocol does not have Perfect Forward Security (PFS). As a - result, any passive network snooper watching password/key changing - operations who has stolen a principal's password or long-term keys - can find out what the new ones are. - - [More text needed?] - -8 Acknowledgements - - The authors would like to thank Bill GossmanMike Swift, John Brezak, - Ken Raeburn, Tom Yu, Martin Rex, Sam Hartman, Tony Andrea, Paul W. - -N. Williams et. al. [Page 28] - -DRAFT Kerberos Set/Change Password v2 Expires January 2005 - - Nelson, Marcus Watts, Love, Joel N. Weber II, Jeffrey Hutzelman and - other participants from the IETF Kerberos Working Group for their - assistance. - -9 References - -9.1 Normative References - - [RFC2026] - S. Bradner, RFC2026: "The Internet Standard Process - Revision - 3," October 1996, Obsoletes - RFC 1602, Status: Best Current - Practice. - - [RFC2119] - S. Bradner, RFC2119 (BCP14): "Key words for use in RFCs to - Indicate Requirement Levels," March 1997, Status: Best Current - Practice. - - [X680] - Abstract Syntax Notation One (ASN.1): Specification of Basic - Notation, ITU-T Recommendation X.680 (1997) | ISO/IEC - International Standard 8824-1:1998. - http://www.itu.int/ITU-T/studygroups/com17/languages/X680_0702.pdf - - [X690] - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), - Canonical Encoding Rules (CER) and Distinguished Encoding Rules - (DER), ITU-T Recommendation X.690 (1997)| ISO/IEC International - Standard 8825-1:1998. - http://www.itu.int/ITU-T/studygroups/com17/languages/X690_0702.pdf - - [clarifications] - RFC-Editor: To be replaced by RFC number for - draft-ietf-krb-wg-kerberos-clarifications. - - [RFC3066] - H. Alvestrand, RFC3066 (BCP47): "Tags for the Identification of - Languages," January 2001, Obsoletes RFC1766, Status: Best Current - Practice. - -9.2 Informative References - - [RFC3244] - M. Swift, J. Trostle, J. Brezak, RFC3244: "Microsoft Windows 2000 - Kerberos Change Password and Set Password Protocols," February - 2002, Status: Informational. - -10 Authors' Addresses - - Nicolas Williams - Sun Microsystems - 5300 Riata Trace Ct - Austin, TX 78727 - -N. Williams et. al. [Page 29] - -DRAFT Kerberos Set/Change Password v2 Expires January 2005 - - Email: nicolas.williams@sun.com - - Jonathan Trostle - Cisco Systems - 170 W. Tasman Dr. - San Jose, CA 95134 - Email: jtrostle@cisco.com - -11 Notes to the RFC Editor - - This document has two KRB WG drafts as normative references and - cannot progress until those drafts progress, but no other draft - depends on this one. - -12 Change History - - -01 -> -02 - - - Removed Bill Gossman, Mike Swift and John Brezak as authors. - - - Removed UDP as a transport for this protocol. - - - Replaced redundant copies of framing ASCII art with reference to - RFC3244. - - - Made all name/password strings UTF8String with an extensible - constraint to IA5String. - - - Added a method for doing dry runs of operations. This is helpful - in testing passwords against password quality policies. - - - Added an operation for retrieving a principal's current and - preferred string-to-key parameters, and a way to change them - without changing the principal's password. - - - Added password quality codes as hints for smart clients, but - these are optional and not to be used instead of messages to be - displayed to useds. - - - Added a 'commit' option to change-pw and set-pw (as requested by - Larry). - - - Removed "version" field of the Kerberos V feature negotiation - struture. - - - -N. Williams et. al. [Page 30] - -DRAFT Kerberos Set/Change Password v2 Expires January 2005 - - - -Intellectual Property Statement - - The IETF takes no position regarding the validity or scope of any - Intellectual Property Rights or other rights that might be claimed to - pertain to the implementation or use of the technology described in - this document or the extent to which any license under such rights - might or might not be available; nor does it represent that it has - made any independent effort to identify any such rights. Information - on the procedures with respect to rights in RFC documents can be - found in BCP 78 and BCP 79. - - Copies of IPR disclosures made to the IETF Secretariat and any - assurances of licenses to be made available, or the result of an - attempt made to obtain a general license or permission for the use of - such proprietary rights by implementers or users of this - specification can be obtained from the IETF on-line IPR repository at - http://www.ietf.org/ipr. - - The IETF invites any interested party to bring to its attention any - copyrights, patents or patent applications, or other proprietary - rights that may cover technology that may be required to implement - this standard. Please address the information to the IETF at - ietf-ipr@ietf.org. - - -Disclaimer of Validity - - This document and the information contained herein are provided on an - "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS - OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET - ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, - INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE - INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED - WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. - - -Copyright Statement - - Copyright (C) The Internet Society (2004). This document is subject - to the rights, licenses and restrictions contained in BCP 78, and - except as set forth therein, the authors retain all their rights. - -Acknowledgment - - Funding for the RFC Editor function is currently provided by the - Internet Society. - - - - - - - - -N. Williams et. al. [Page 31] - |