mirror of
https://git.openldap.org/openldap/openldap.git
synced 2025-01-06 10:46:21 +08:00
564 lines
20 KiB
Plaintext
564 lines
20 KiB
Plaintext
|
||
|
||
|
||
|
||
|
||
|
||
Network Working Group B. Greenblatt
|
||
Request for Comments: 2649 P. Richard
|
||
Category: Experimental August 1999
|
||
|
||
|
||
An LDAP Control and Schema for Holding Operation Signatures
|
||
|
||
Status of this Memo
|
||
|
||
This memo defines an Experimental Protocol for the Internet
|
||
community. It does not specify an Internet standard of any kind.
|
||
Discussion and suggestions for improvement are requested.
|
||
Distribution of this memo is unlimited.
|
||
|
||
Copyright Notice
|
||
|
||
Copyright (C) The Internet Society (1999). All Rights Reserved.
|
||
|
||
Abstract
|
||
|
||
In many environments clients require the ability to validiate the
|
||
source and integrity of information provided by the directory. This
|
||
document describes an LDAP message control which allows for the
|
||
retrieval of digitally signed information. This document defines an
|
||
LDAP v3 based mechanism for signing directory operations in order to
|
||
create a secure journal of changes that have been made to each
|
||
directory entry. Both client and server based signatures are
|
||
supported. An object class for subsequent retrieval are "journal
|
||
entries" is also defined. This document specifies LDAP v3 controls
|
||
that enable this functionality. It also defines an LDAP v3 schema
|
||
that allows for subsequent browsing of the journal information.
|
||
|
||
Table of Contents
|
||
|
||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
|
||
1.1 Audit Trail Mechanism . . . . . . . . . . . . . . . . . . . 2
|
||
1.2. Handling the Delete Operation . . . . . . . . . . . . . . . 5
|
||
2. Signed Results Mechanism . . . . . . . . . . . . . . . . . . 6
|
||
3. Security Considerations and Other Notes . . . . . . . . . . 7
|
||
4. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
|
||
5. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 9
|
||
6. Full Copyright Statement . . . . . . . . . . . . . . . . . . 10
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Greenblatt & Richard Experimental [Page 1]
|
||
|
||
RFC 2649 LDAP Control and Schema August 1999
|
||
|
||
|
||
1. Introduction
|
||
|
||
In many environments clients require the ability to validiate the
|
||
source and integrity of information provided by the directory. This
|
||
document describes an LDAP message control which allows for the
|
||
retrieval of digitally signed information. The perspective of this
|
||
document is that the origin of the information that is stored in LDAP
|
||
v3 accessible directories is the LDAP v3 client that creates the
|
||
information. The source and integrity of the information is
|
||
guaranteed by allowing for the digital signing of the operations that
|
||
make changes to entries in the directory. The source and integrity
|
||
of an individual LDAP connection can be guaranteed by making use of
|
||
an underlying session layer that provides such services, such as TLS.
|
||
Note that the integrity of an individual connection does not, in and
|
||
of itself guarantee the integrity of the data that comes across the
|
||
connection. This is due to the fact that the LDAP server is only
|
||
capable of providing information that it has stored. In distributed
|
||
and replicated environments, the fact that an entry has been
|
||
successfully retrieved from a server may not be completely
|
||
reassuring, if the entry in question was replicated from an untrusted
|
||
domain.
|
||
|
||
By making use of public key technology, and creating digitally signed
|
||
transactions that are created by the LDAP v3 client as entries are
|
||
created and modified, a complete journal of the history of the entry
|
||
is available. Since each entry in the journal has been digitally
|
||
signed with the private key of the creator, or modifier of the entry,
|
||
the source and integrity of the directory entry can be validated by
|
||
verifying the signature of each entry in the journal. Note that not
|
||
all of the journal entries will have been signed by the same user.
|
||
|
||
1.1. Audit Trail Mechanism
|
||
|
||
Signed directory operations is a straightforward application of
|
||
S/MIME technology that also leverages the extensible framework that
|
||
is provided by LDAP version 3. LDAP version 3 is defined in [4], and
|
||
S/MIME is defined in [2]. The security used in S/MIME is based in
|
||
the definitions in [1]. The basic idea is that the submitter of an
|
||
LDAP operation that changes the directory information includes an
|
||
LDAP version 3 control that includes either a signature of the
|
||
operation, or a request that the LDAP server sign the operation on
|
||
the behalf of the LDAP client. The result of the operation (in
|
||
addition to the change of the directory information), is additional
|
||
information that is attached to directory objects, that includes the
|
||
audit trail of signed operations. The LDAP control is (OID =
|
||
1.2.840.113549.6.0.0):
|
||
|
||
|
||
|
||
|
||
|
||
Greenblatt & Richard Experimental [Page 2]
|
||
|
||
RFC 2649 LDAP Control and Schema August 1999
|
||
|
||
|
||
SignedOperation ::= CHOICE {
|
||
signbyServer NULL,
|
||
signatureIncluded OCTET STRING
|
||
}
|
||
|
||
If the SignatureIncluded CHOICE is used, then the OCTET string is
|
||
just an S/MIME message of the multipart/signed variety, that is
|
||
composed of a single piece, that is the signature of the directory
|
||
operation. Multipart/signed MIME objects are defined in [3]. If the
|
||
SignbyServer CHOICE us used, then the LDAP server creates the
|
||
signature on behalf of the client, using its own identity and not the
|
||
identity of the client, in order to produce the audit trail entry.
|
||
In either case the successful result of processing the control is the
|
||
creation of additional information in the directory entry that is
|
||
being modified or created. The signature of the LDAP operation is
|
||
computed on the LDAPMessage prior to the inclusion of the
|
||
SignedOperation control. The procedure is as follows:
|
||
|
||
- Build LDAPMessage without the SignedOperation control
|
||
- Compute signature on the above LDAPMessage
|
||
- Create new LDAPMessage that includes the old MessageID,
|
||
protocolOp and any control fields from the previous LDAPMessage,
|
||
plus the computed signature formatted as an S/MIME message.
|
||
|
||
No control is defined for the server to return in the LDAPResult as
|
||
defined in [4]. The LDAP server MAY attempt to parse and verify the
|
||
signature included in the SignedOperation control, but is not
|
||
required to. The server can accept the signed operation without
|
||
verifying the signature. Signature verification can be quite a
|
||
lengthy operation, requiring complex certificate chain traversals.
|
||
This allows a more timely creation of the audit trail by the server.
|
||
Any LDAP client browsing the directory that retrieves the 'Changes'
|
||
(defined in the following paragraphs) attributes, should verify the
|
||
signature of each value according to the local signature verification
|
||
policies. Even if the LDAP server verifies the signature contained
|
||
in the singed operation, the LDAP client has no way of knowing what
|
||
policies were followed by the server in order to verify the
|
||
signature.
|
||
|
||
If the LDAP server is unable to verify the signature and wishes to
|
||
return an error then the error code unwillingToPerform(53) should be
|
||
returned, and the entire LDAP operation fails. In this situation, an
|
||
appropriate message (e.g. "Unable to verify signature") MAY be
|
||
included in the errorMessage of the LDAPResult. The SignedOperation
|
||
Control MAY be marked CRITICAL, and if it is CRITICAL then if the
|
||
LDAP Server performs the LDAP operation, then must include the
|
||
signature in the signedAuditTrail information.
|
||
|
||
|
||
|
||
|
||
Greenblatt & Richard Experimental [Page 3]
|
||
|
||
RFC 2649 LDAP Control and Schema August 1999
|
||
|
||
|
||
The schema definition for the signedAuditTrail information is:
|
||
|
||
( 1.2.840.113549.6.1.0
|
||
NAME 'signedAuditTrail'
|
||
SUP top
|
||
AUXILIARY
|
||
MUST (
|
||
Changes
|
||
)
|
||
)
|
||
|
||
The format of the Changes attribute is:
|
||
|
||
( 1.2.840.113549.6.2.0
|
||
NAME 'Changes'
|
||
DESC 'a set of changes applied to an entry'
|
||
SYNTAX 'Binary' )
|
||
|
||
The actual format of the Changes attribute is:
|
||
|
||
Changes ::= SEQUENCE {
|
||
sequenceNumber [0] INTEGER (0 .. maxInt),
|
||
signedOperation [1] OCTET STRING }
|
||
|
||
The SignedOperation attribute is a multipart/signed S/MIME message.
|
||
Part 1 of the message is the directory operation, and part 2 is the
|
||
signature. Sequence number 0 (if present) always indicates the
|
||
starting point directory object as represented by the definitions in
|
||
"A MIME Content-Type for Directory Information", as defined in [5].
|
||
Subsequent sequence numbers indicate the sequence of changes that
|
||
have been made to this directory object. Note that the sequence of
|
||
the changes can be verified due to the fact that the signed directory
|
||
object will have a timestamp as part of the signature object, and
|
||
that the sequence numbering as part of the change attribute should be
|
||
considered to be an unverified aid to the LDAP client. Sequence
|
||
numbers are meaningful only within the context of a single directory
|
||
entry, and LDAP servers are not expected to maintain these sequence
|
||
numbers across all entries in the directory.
|
||
|
||
Some LDAP servers will only allow operations that include the
|
||
SignedOperation control. This is indicated by the inclusion of a
|
||
'signedDirectoryOperationSupport' attribute in the rootDSE. This
|
||
attribute is defined as:
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Greenblatt & Richard Experimental [Page 4]
|
||
|
||
RFC 2649 LDAP Control and Schema August 1999
|
||
|
||
|
||
1.2.840.113549.6.2.2
|
||
NAME 'signedDirectoryOperationSupport'
|
||
DESC 'how many of the LDAP operations must be signed'
|
||
SYNTAX 'Integer' SINGLE-VALUE )
|
||
|
||
The 'signedDirectoryOperationSupport' attribute above may have one of
|
||
the values, '0', '1' or '2' with the following meanings:
|
||
|
||
- '0' Directory Operations may be signed
|
||
- '1' Directory Operations must always be signed
|
||
- '2' Directory Operations must never be signed
|
||
|
||
Some LDAP servers will desire that the audit trail be continuous, and
|
||
not contain any gaps that would result from unsigned operations.
|
||
Such server will include a signature on each LDAP operation that
|
||
changes a directory entry, even when the LDAP client does not include
|
||
a signed-Operation control.
|
||
|
||
1.2. Handling the Delete Operation
|
||
|
||
The LDAP Delete operation represents an interesting case for Signed
|
||
Directory Operations. This is due to the case that subsequent to the
|
||
successful completion of the Delete Operation, the object that would
|
||
have held the latest 'Changes' attribute no longer exists. In order
|
||
to handle this situation, a new object class is defined to represent
|
||
a directory object that has been deleted.
|
||
|
||
( 1.2.840.113549.6.1.2
|
||
NAME 'zombieObject'
|
||
SUP top
|
||
STRUCTURAL
|
||
MUST (
|
||
Cn $ Changes $ OriginalObject
|
||
)
|
||
)
|
||
|
||
The format of the OriginalObject attribute is:
|
||
|
||
( 1.2.840.113549.6.2.1
|
||
NAME OriginalObject
|
||
DESC 'The LDAP URL of an object that has been deleted from the
|
||
directory' SYNTAX 'Binary' )
|
||
|
||
The OriginalObject attribute contains the URL of the object that was
|
||
deleted from the directory. It is formatted in accordance with RFC
|
||
2255. Directory servers that comply with this specification SHOULD
|
||
create a zombieObject when performing the delete Operation that
|
||
contains a SignedOperation LDAPControl. The Cn attribute of the
|
||
|
||
|
||
|
||
Greenblatt & Richard Experimental [Page 5]
|
||
|
||
RFC 2649 LDAP Control and Schema August 1999
|
||
|
||
|
||
zombieObject is synthesized by the LDAP server, and may or may not be
|
||
related to the original name of the directory entry that was deleted.
|
||
All changes attributes that were attached to the original entry are
|
||
copied over to the zombieObject. In addition the LDAP Server MUST
|
||
attach the signature of the Delete operation as the last successful
|
||
change that was made to the entry.
|
||
|
||
2. Signed Results Mechanism
|
||
|
||
A control is also defined that allows the LDAP v3 client to request
|
||
that the server sign the results that it returns. It is intended
|
||
that this control is primarily used in concert with the LDAPSearch
|
||
operation. This control MAY be marked as CRITICAL. If it is marked
|
||
as CRITICAL and the LDAP Server supports this operation, then all
|
||
search results MUST be returned with a signature as attached in the
|
||
SignedResult control if it is willing to sign results for this user.
|
||
If the server supports this control but does not wish to sign the
|
||
results for this user then the error code unwillingToPerform(53)
|
||
should be returned, and the LDAP search will have failed. In this
|
||
situation, an appropriate message (e.g. "Unwilling to sign results
|
||
for you!") MUST be included in the errorMessage of the LDAPResult.
|
||
If the LDAPSigType has the value FALSE then the client is requesting
|
||
that the server not sign this operation. This may be done in
|
||
situations where servers are configured to always sign their
|
||
operations.
|
||
|
||
The LDAP control to include in the LDAP request is (OID =
|
||
1.2.840.113549.6.0.1):
|
||
|
||
DemandSignedResult ::= LDAPSigType
|
||
|
||
LDAPSigType ::= BOOLEAN
|
||
|
||
In response to a DemandSignedResult control, the LDAP v3 server will
|
||
return a SignedResult control in addition to the normal result as
|
||
defined by the operation (assuming that the server understands the
|
||
con- trol, and is willing to perform it). The SignedResult control
|
||
MUST NOT be marked CRITICAL. Some LDAP v3 servers may be configured
|
||
to sign all of their operations. In this situation the server always
|
||
returns a SignedResult control, unless instructed otherwise by the
|
||
DemandSigne-dResult Control. Since the SignedResult control is not
|
||
marked critical, the LDAP client is allowed to ignore it. The
|
||
signature field below includes the signature of the enitre LDAPResult
|
||
formatted as an S/MIME pkcs-7/signature object, as defined in [2].
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Greenblatt & Richard Experimental [Page 6]
|
||
|
||
RFC 2649 LDAP Control and Schema August 1999
|
||
|
||
|
||
The procedure for creating the signature of the signedResult control
|
||
is the same as the procedure for the creation of the signedOperation
|
||
control. The LDAP control in the LDAP response is (OID =
|
||
1.2.840.113549.6.0.2):
|
||
|
||
SignedResult ::= CHOICE {
|
||
signature OCTET STRING }
|
||
|
||
3. Security Considerations and Other Notes
|
||
|
||
The base OIDs are:
|
||
|
||
rsadsiLdap ::= {1 2 840 113549 6}
|
||
rsadsiLdapControls ::= {1 2 840 113549 6 0}
|
||
rsadsiLdapObjectClasses ::= {1 2 840 113549 6 1}
|
||
rsadsiLdapAttributes ::= {1 2 840 113549 6 2}
|
||
|
||
|
||
The complete ASN.1 module for this specification is:
|
||
|
||
SIGNEDOPERATIONS DEFINITIONS ::=
|
||
BEGIN
|
||
|
||
SignedOperation ::= CHOICE {
|
||
signbyServer NULL,
|
||
signatureIncluded OCTET STRING
|
||
}
|
||
|
||
Changes ::= SEQUENCE {
|
||
sequenceNumber [0] INTEGER (0 .. maxInt),
|
||
signedOperation [1] OCTET STRING }
|
||
|
||
DemandSignedResult ::= LDAPSigType
|
||
|
||
LDAPSigType ::= BOOLEAN
|
||
|
||
SignedResult ::= CHOICE {
|
||
signature OCTET STRING }
|
||
|
||
|
||
END
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Greenblatt & Richard Experimental [Page 7]
|
||
|
||
RFC 2649 LDAP Control and Schema August 1999
|
||
|
||
|
||
If any of the controls in this specification are supported by an LDAP
|
||
v3 server then that server MUST make available its certificate (if
|
||
any) in the userCertificate attribute of its rootDSE object. The
|
||
UserCertificate attribute is defined in [6], and contains the public
|
||
key of the server that is used in the creation of the various
|
||
signatures defined in this specification.
|
||
|
||
It is not the intention of this specification to provide a mechanism
|
||
that guarantees the origin and integrity of LDAP v3 operations. Such
|
||
a service is best provided by the use of an underlying protocol such
|
||
as TLS [8]. TLS defines additional features such as encryption and
|
||
compression. This specification does not define support for
|
||
encrypted operations.
|
||
|
||
This memo proposes protocol elements for transmission and storage of
|
||
the digital signatures of LDAP operations. Though the LDAP server
|
||
may have verified the operation signatures prior to their storage and
|
||
subsequent retrieval, it is prudent for LDAP clients to verify the
|
||
signatures contained in the chained attribute upon their retrieval.
|
||
The issuing Certification Authorities of the signer's certificate
|
||
should also be consulted in order to determine if the signer's
|
||
private key has been compromised or the certificate has been
|
||
otherwise revoked. Security considerations are discussed throughout
|
||
this memo.
|
||
|
||
4. References
|
||
|
||
[1] Kaliski, B., "PKCS 7: Cryptographic Message Syntax Version 1-5",
|
||
RFC 2315, March 1998.
|
||
|
||
[2] Dusse, S., Hoffman, P., Ramsdell, B., Lundblade, L. and L.
|
||
Repka., "S/MIME Version 2 Message Specification", RFC 2311, March
|
||
1998.
|
||
|
||
[3] Galvin, J., Murphy, S., Crocker, S. and N. Freed, "Security
|
||
Multiparts for MIME: Multipart/Signed and Multipart/Encrypted",
|
||
RFC 1847, October 1995.
|
||
|
||
[4] Wahl, M., Howes, T. and S. Kille, "Lightweight Directory Access
|
||
Protocol (v3)", RFC 2251, December 1997.
|
||
|
||
[5] Howes, T., Smith, M. and F. Dawson, "A MIME Content-Type for
|
||
Directory Information", RFC 2425, September 1998.
|
||
|
||
[6] Wahl, M., "A Summary of the X.500(96) User Schema for use with
|
||
LDAPv3", RFC 2256, December 1997.
|
||
|
||
|
||
|
||
|
||
|
||
Greenblatt & Richard Experimental [Page 8]
|
||
|
||
RFC 2649 LDAP Control and Schema August 1999
|
||
|
||
|
||
[7] Howes, T. and M. Smith, "The LDAP URL Format", RFC 2255, December
|
||
1997.
|
||
|
||
[8] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC
|
||
2246, January 1999.
|
||
|
||
5. Authors' Addresses
|
||
|
||
Bruce Greenblatt
|
||
San Jose, CA 95119
|
||
USA
|
||
|
||
Phone: +1-408-224-5349
|
||
EMail: bgreenblatt@directory-applications.com
|
||
|
||
|
||
Pat Richard
|
||
Xcert Software, Inc.
|
||
Suite 1001 - 701 W. Georgia
|
||
Vancouver, BC
|
||
CANADA V6G 1C9
|
||
|
||
EMail: patr@xcert.com
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Greenblatt & Richard Experimental [Page 9]
|
||
|
||
RFC 2649 LDAP Control and Schema August 1999
|
||
|
||
|
||
6. Full Copyright Statement
|
||
|
||
Copyright (C) The Internet Society (1999). All Rights Reserved.
|
||
|
||
This document and translations of it may be copied and furnished to
|
||
others, and derivative works that comment on or otherwise explain it
|
||
or assist in its implementation may be prepared, copied, published
|
||
and distributed, in whole or in part, without restriction of any
|
||
kind, provided that the above copyright notice and this paragraph are
|
||
included on all such copies and derivative works. However, this
|
||
document itself may not be modified in any way, such as by removing
|
||
the copyright notice or references to the Internet Society or other
|
||
Internet organizations, except as needed for the purpose of
|
||
developing Internet standards in which case the procedures for
|
||
copyrights defined in the Internet Standards process must be
|
||
followed, or as required to translate it into languages other than
|
||
English.
|
||
|
||
The limited permissions granted above are perpetual and will not be
|
||
revoked by the Internet Society or its successors or assigns.
|
||
|
||
This document and the information contained herein is provided on an
|
||
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
|
||
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
|
||
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
|
||
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
|
||
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
||
|
||
Acknowledgement
|
||
|
||
Funding for the RFC Editor function is currently provided by the
|
||
Internet Society.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Greenblatt & Richard Experimental [Page 10]
|
||
|