From: http://www.ietf.org/id/draft-hoyer-valid-01.txt Title: VALID Reference: IETF Network Working Group, Internet Draft 'draft-hoyer-valid-01' Date: January 27, 2010 I-D Tracker: http://ietfreport.isoc.org/idref/draft-hoyer-valid/ Tools: http://tools.ietf.org/html/draft-hoyer-valid-01 (HTML) Diff with version -00: http://tools.ietf.org/rfcdiff?url2=draft-hoyer-valid-01.txt Announced: http://www.ietf.org/mail-archive/web/i-d-announce/current/msg29180.html ============================================================================== Network Working Group P. Hoyer Internet-Draft ActivIdentity Intended status: Standards Track T. Moses Expires: July 31, 2010 Entrust M. Pei VeriSign S. Machani Diversinet January 27, 2010 VALID draft-hoyer-valid-01 Abstract This document describes a Web-service interface standard for an authentication-data validation service that supports risk-based, multi-factor authentication.This standard enables enterprises to deploy best-of-breed solutions combining components from different vendors into the same infrastructure. Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on July 31, 2010. Copyright Notice Copyright (c) 2010 IETF Trust and the persons identified as the Hoyer, et al. Expires July 31, 2010 [Page 1] Internet-Draft VALID January 2010 document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.1. Key Words . . . . . . . . . . . . . . . . . . . . . . . . 4 1.2. Notation . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.3. Namespaces . . . . . . . . . . . . . . . . . . . . . . . . 5 1.4. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 2. Authentication-Data Validation Service Interface overview . . 7 2.1. Authentication data communication . . . . . . . . . . . . 7 2.2. Verified attributes . . . . . . . . . . . . . . . . . . . 7 2.3. Challenge/response . . . . . . . . . . . . . . . . . . . . 7 2.4. Token collections . . . . . . . . . . . . . . . . . . . . 8 3. Communication patterns . . . . . . . . . . . . . . . . . . . . 9 3.1. In-band authentication . . . . . . . . . . . . . . . . . . 9 3.1.1. In-band Challenge/Response . . . . . . . . . . . . . . 9 3.1.2. In-band 2 way Challenge/Response . . . . . . . . . . . 10 3.2. Out-of-band challenge . . . . . . . . . . . . . . . . . . 11 3.3. Out-of-band response . . . . . . . . . . . . . . . . . . . 12 3.4. Client supplies challenge . . . . . . . . . . . . . . . . 13 3.5. End-user obtains assertions Out-of-band from server . . . 13 4. Asynchronous communication . . . . . . . . . . . . . . . . . . 15 4.1. Out-of-band challenge . . . . . . . . . . . . . . . . . . 15 4.2. Out-of-band response . . . . . . . . . . . . . . . . . . . 15 5. User centric and device centric (pseudonymous) authentication models . . . . . . . . . . . . . . . . . . . . 16 5.1. User Centric authentication model . . . . . . . . . . . . 16 5.2. Device Centric authentication model . . . . . . . . . . . 16 6. Authentication moving factor resync . . . . . . . . . . . . . 17 6.1. Automatic re-sync based on authentication data . . . . . . 17 6.2. Manual re-sync based on presenting moving factor values . 17 7. Policy models . . . . . . . . . . . . . . . . . . . . . . . . 18 8. Common message contents . . . . . . . . . . . . . . . . . . . 20 8.1. Request Security Token . . . . . . . . . . . . . . . . . . 20 8.2. Request Security Token Response . . . . . . . . . . . . . 21 9. Mechanism-specific message contents . . . . . . . . . . . . . 23 Hoyer, et al. Expires July 31, 2010 [Page 2] Internet-Draft VALID January 2010 10. Extensibility . . . . . . . . . . . . . . . . . . . . . . . . 24 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 25 11.1. XML namespace registration . . . . . . . . . . . . . . . . 25 11.2. VALID Version Registry . . . . . . . . . . . . . . . . . . 25 12. Security Considerations . . . . . . . . . . . . . . . . . . . 26 13. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 27 14. References . . . . . . . . . . . . . . . . . . . . . . . . . . 28 14.1. Normative References . . . . . . . . . . . . . . . . . . . 28 14.2. Informative References . . . . . . . . . . . . . . . . . . 29 Appendix A. WSDL . . . . . . . . . . . . . . . . . . . . . . . . 30 Appendix B. Mechanism specific message contents . . . . . . . . . 32 B.1. Username/password . . . . . . . . . . . . . . . . . . . . 32 B.2. In band one-time-password (OTP) . . . . . . . . . . . . . 33 B.3. In band one-time-password (OTP) token synchronization . . 35 B.4. In band challenge/response . . . . . . . . . . . . . . . . 37 B.5. Out-of-band challenge . . . . . . . . . . . . . . . . . . 39 B.6. Out-of-band response . . . . . . . . . . . . . . . . . . . 40 B.7. Client supplies challenge . . . . . . . . . . . . . . . . 42 B.8. Challenge/response with signature . . . . . . . . . . . . 43 Appendix C. Use Cases . . . . . . . . . . . . . . . . . . . . . . 45 C.1. Validation . . . . . . . . . . . . . . . . . . . . . . . . 45 C.1.1. OTP Validation . . . . . . . . . . . . . . . . . . . . 45 C.1.2. Challenge/Response Validation - Server generated challenge . . . . . . . . . . . . . . . . . . . . . . 45 C.1.3. Challenge/Response Validation - User generated challenge . . . . . . . . . . . . . . . . . . . . . . 46 C.1.4. 2-way mutual Challenge/Response Validation . . . . . . 46 C.1.5. OTP Validation + Server managed PIN . . . . . . . . . 46 C.1.6. MatrixCardValidation - Server generated challenge . . 46 C.2. Synchronisation Use Cases . . . . . . . . . . . . . . . . 46 C.2.1. OTP Token Resync with the Next OTPs . . . . . . . . . 47 C.2.2. OTP Token Resync with Moving Factor . . . . . . . . . 47 Appendix D. Requirements . . . . . . . . . . . . . . . . . . . . 48 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 49 Hoyer, et al. Expires July 31, 2010 [Page 3] Internet-Draft VALID January 2010 1. Introduction The Authentication-Data Validation Service Interface definition (VALID) describes a Web-service interface for a validation server. The specification reuses data definitions from [SAML], [WS-Security] and [WS-Trust] and operates over version 1.2 of [SOAP]. Upon successful validation, the validation server returns a SAML assertion containing verified attributes of the authenticated end-user or a hardware or software device under the end-user's control. Communications between the end-user and the application are not required to follow the Web-services programming model. 1.1. Key Words The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 1.2. Notation This specification uses the following syntax to define outlines for messages: The syntax appears as an XML instance. Characters are appended to elements and attributes to indicate cardinality: "?" (0 or 1) "*" (0 or more) "+" (1 or more) The character "|" is used to indicate a choice between alternatives. The characters "(" and ")" are used to indicate that contained items are to be treated as a group with respect to cardinality or choice. The characters "[" and "]" are used to call out references and property names. Additional child elements and/or attributes MAY be added at the indicated extension points (see Section 10) but MUST NOT contradict the semantics of the parent and/or owner, respectively. By default, if a receiver does not recognize an extension, the Hoyer, et al. Expires July 31, 2010 [Page 4] Internet-Draft VALID January 2010 receiver SHOULD ignore the extension; exceptions to this processing rule, if any, are clearly indicated below. XML namespace prefixes (see Table 1) are used to indicate the namespace of the element being defined. Elements and Attributes defined by this specification are referred to in the text of this document using XPath 1.0 expressions. Extensibility points are referred to using an extended version of this syntax: An element extensibility point is referred to using {any} in place of the element name. This indicates that any element name can be used, from any namespace other than the namespace of this specification. An attribute extensibility point is referred to using @{any} in place of the attribute name. This indicates that any attribute name can be used, from any namespace other than the namespace of this specification 1.3. Namespaces The following XML namespace prefixes are used in the specification. env: http://www.w3.org/2003/05/soap-envelope pskc: urn:ietf:params:xml:ns:keyprov:pskc saml: urn:oasis:names:tc:SAML:2.0:assertion valid: urn:ietf:params:xml:ns:valid wsp: http://www.w3.org/ns/ws-policy wss: http://docs.oasis-open.org/wss/2004/01/ oasis-200401-wss-wssecurity-secext-1.0 wst: http://docs.oasis-open.org/ws-sx/ws-trust/200512 wst14: http://docs.oasis-open.org/ws-sx/ws-trust/200802 xsd: http://www.w3.org/2001/XMLSchema 1.4. Terminology The following terms are used in this document. Application: The system component that controls access to sensitive resources by authenticated end-users. Hoyer, et al. Expires July 31, 2010 [Page 5] Internet-Draft VALID January 2010 Authentication data: Information exchanged between the end-user and the validation server as part of the authentication process. For example a password, an OTP, the response to a challenge, etc. Authentication policy: The combination of authentication mechanisms required to complete successfully before access may be granted. Client : See "Application". End-user: The authentication subject. Moving factor: The factor that makes a one time password computationally unique in combination with a fixed key. For example the increasing event counter value in [HOTP]. Server: See "Validation server". Validation server: The system component that validates authentication data. Hoyer, et al. Expires July 31, 2010 [Page 6] Internet-Draft VALID January 2010 2. Authentication-Data Validation Service Interface overview The Authentication-Data Validation Service Interface allows communication of the following data elements in several different communication patterns as described in Section 3. The interface is based mainly on [WS-Trust]. The following sections apply terminologies and concepts defined in [WS-Trust]. 2.1. Authentication data communication The specific requirements for authentication data communication depend upon the specific authentication mechanism. In-band authentication data SHALL be passed in the body of and elements. 2.2. Verified attributes Upon successful validation of the authentication data, the validation server SHALL issue a SAML assertion containing verified end-user or token attributes, depending if the server is validating user identities (user centric authentication) or device/token (pseudonomous - token centric authentication) . The client MAY provide a element indicating which attributes it requires. Required attributes SHALL be referenced using the element, with the child element omitted. The validation server MAY include the sub-set of the requested attributes whose verified values are known to it. Otherwise, the validation server SHALL include all verified attributes whose values are known to it. These attributes MUST be included in the SAML assertion. They MUST also be included in a separate element. In this way, the application may treat the assertion as opaque data, extracting any attributes it requires from the element. Attributes SHALL be expressed as elements in accordance with the SAML V2.0 X.500/LDAP Attribute Profile. 2.3. Challenge/response Multi-step authentication mechanisms are supported as shown here. Hoyer, et al. Expires July 31, 2010 [Page 7] Internet-Draft VALID January 2010 Message Direction Cardinality Request Client -> Server Exactly one Response Client <-> Server (Zero or more request-response pairs) Response Client <- Server Exactly one The protocol terminates when the validation server either includes at least one security token according to [WS-Trust] in the response or returns an element. 2.4. Token collections A set of tokens MAY be requested and issued in a single set of exchanges with the validation server using the "token collection" features of WS-Trust. Hoyer, et al. Expires July 31, 2010 [Page 8] Internet-Draft VALID January 2010 3. Communication patterns The folllowing communication patterns are supported: 3.1. In-band authentication __________ _____________ | | | | | End-user |------------------------->| Application | |__________| 1. Access application |_____________| | \ | | 2. Obtain assertion | > VALID | | _____\|/____ / | | | Validation | | server | |____________| In-band authentication The end-user accesses the application (1). The application supplies the authentication data to the validation server and receives an assertion in return (2). For in-band challenge/response authentication mechanisms, additional messages between the end-user and the validation server MUST be relayed by the application. 3.1.1. In-band Challenge/Response Hoyer, et al. Expires July 31, 2010 [Page 9] Internet-Draft VALID January 2010 __________ _____________ | | | | | End-user |------------------------->| Application | |__________| 1. Access application |_____________| 4. In-band challenge /|\ \ 5. In-band response | | 2. Request assertion | > VALID 3. return challenge | | 6. obtain assertion | | _____\|/____ / | | | Validation | | server | |____________| Figure 1: In-band Challenge/Response The "in-band challenge/response" pattern is shown in Figure 1. The application invokes the validation server (2). The validation server returns a challenge (3). The application passes the challenge to the end-user (4). The end-user may or may not transform the challenge and sends the result to the validation server in-band (5). The application supplies the authentication data to the validation server and receives an assertion in return (6). 3.1.2. In-band 2 way Challenge/Response __________ _____________ | | | | | End-user |------------------------------>| Application | |__________| 1. In-band client challenge |_____________| 4. In-band server resp & challenge /|\ \ 5. In-band client response | | 2. Request assertion | > VALID 3. return server resp & | | server challenge | | 6. obtain assertion | | _____\|/____ / | | | Validation | | server | |____________| Figure 2: In-band 2 way Challenge/Response Hoyer, et al. Expires July 31, 2010 [Page 10] Internet-Draft VALID January 2010 The "In-band 2 way challenge/response" pattern is shown in Figure 2. This pattern is based on the In-band Challenge/Response pattern but authenticates both the server and the client. The application receives an in-band client challenge (1). The application invokes the validation server (2). The validation server returns the response to the client challenge and a server challenge (3). The application passes the server response and server challenge to the end-user (4). The end-user may or may not transform the server challenge and after verifying the server response sends the result to the validation server in-band (5). The application supplies the authentication data to the validation server and receives an assertion in return (6). 3.2. Out-of-band challenge __________ _____________ | | | | -->| End-user |--------------------->| Application | | |__________| 1. Access |_____________| | application | \ | | | | 4. In-band | | | Response | | | 2. Request | | | assertion | >VALID | 3. Out-of-band | | | challenge 5. Obtain | | | assertion | | | | | | _____\|/____/ | | | | | Validation | -------------------------------------| server | |____________| Out-of-band challenge The "out-of-band challenge" pattern is shown in Figure 2. The application invokes the validation server (2). The validation server then contacts the end-user out-of-band with a challenge (3). The end-user may or may not transform the challenge and then passes it back to the application (4), which then passes it to the validation server and obtains an assertion in response (5). Hoyer, et al. Expires July 31, 2010 [Page 11] Internet-Draft VALID January 2010 3.3. Out-of-band response __________ _____________ | | | | ---| End-user |<-------------------->| Application | | |__________| 1. Access |_____________| | application /|\ \ | | | | 4. In-band | | | challenge 2. Request | | | assertion | | | 5. Out-of-band | | | response 3. Return | >VALID | challenge | | | | | | 6. Send | | | assertion | | | | | | _____\|/____ / | | | | | Validation | ------------------------------------>| server | |____________| Out-of-band response The "out-of-band response" pattern is shown in Figure 3. The application invokes the validation server (2). The validation server returns a challenge (3). The application passes the challenge to the end-user (4). The end-user may or may not transform the challenge and sends the result to the validation server out-of-band (5). The validation server sends the assertion to the application (6). Hoyer, et al. Expires July 31, 2010 [Page 12] Internet-Draft VALID January 2010 3.4. Client supplies challenge __________ _____________ | | | | -->| End-user |-------------------->| Application | | |__________| 2. Supply |_____________| | challenge | \ | and response | | | | | | 3. Obtain | | | assertion | | | 1. Obtain | >VALID | challenge | | | | | | | | | | | | _____\|/____ / | | | | | Validation | ------------------------------------| server | |____________| Client supplies challenge The "client supplies challenge" pattern is shown in Figure 4. The end-user obtains a challenge out-of-band (1), calculates the response and send both challenge and response to the application (2). The application then uses the challenge and response to obtain an assertion from the validation server (3). 3.5. End-user obtains assertions Out-of-band from server __________ _____________ | | | | | End-user |------------------------->| Application | |__________| 2. Access application |_____________| / | (passing assertion) |V | |A | |L | |I | ____________ |D | 1. Obtain assertion | | | ---------------------------->| Validation | \ | server | |____________| Hoyer, et al. Expires July 31, 2010 [Page 13] Internet-Draft VALID January 2010 Out-of-band from server authentication The End-user obtains the assertion directly or though a proxy from the validation server (1) then passes the assertion to the Application for authentication (2). Hoyer, et al. Expires July 31, 2010 [Page 14] Internet-Draft VALID January 2010 4. Asynchronous communication The out-of-band communication patterns (Section 3.2 and Section 3.3) require asynchronous behavior, so that the application thread is not blocked while the challenge is being processed by the end-user. 4.1. Out-of-band challenge In the case of the "out-of-band challenge" pattern (Section 3.2), the validation server SHALL return an element with the value: valid:Pending The validation server, upon sending this value, and the application, upon receiving it, SHALL terminate the current session. Once the application receives the response from the end-user, it SHALL initiate a new session with the validation server. 4.2. Out-of-band response In the case of the "out-of-band response" pattern (Section 3.3), the validation server SHALL return an element with the value: valid:Pending The validation server, upon sending this value, and the application, upon receiving it, SHALL terminate the current session. Both parties MUST maintain the attribute as metadata associated with the initial session. In the subsequent session, they MUST use this attribute value to correlate the challenge and response. Hoyer, et al. Expires July 31, 2010 [Page 15] Internet-Draft VALID January 2010 5. User centric and device centric (pseudonymous) authentication models There are two authentication models supported by this specification: 5.1. User Centric authentication model In this model the mapping between a specific user and the devices that belong to the specific user is known and managed by the validation server. This means that the authentication request will contain explicit user information in form of a UserId 5.2. Device Centric authentication model In this model the validation server does not have any knowledge to whom a specific device belongs. The user-device mapping will be at the appllication or service provider. This means that the authentication request MUST NOT contain uer information and that it MUST contain information to uniquely identify the device by using the element as defined in [PSKC]. Hoyer, et al. Expires July 31, 2010 [Page 16] Internet-Draft VALID January 2010 6. Authentication moving factor resync Some authentication schemes gradually lose synchronization between client and server. In order to compensate for this, the server must accept authentication data values within a range, or window of the moving factor (e.g. the event counter used in event based one time password algorithms, see [HOTP]). When an authentication moving factor drifts to the edge of, or beyond, the server's window for a particular end-user, the server has to adjust its window. This process is known as resyncing. Resyncing erodes assurance in the authentication event. So, following a resync event, the validation server commonly requests a second authentication data value, which effectively restores the level of assurance provided by the authentication. The following two approaches to resyncing exist: 6.1. Automatic re-sync based on authentication data In this approach, the resynchronisation is based only on the authentication data. In this apporach the server searches through an extended window of the moving factor(s) to see if it can match the presented authentication data. In this apporach two OTPs MUST be transmitted so that the server MUST try to match the first OTP with the extended window and also MUST match the second OTP with a normal window. 6.2. Manual re-sync based on presenting moving factor values In this approach to resynchronisation, the server is given the exact value of the moving factor (e.g. the event counter value in [HOTP]) together with the OTP. The server MUST only set the moving factor(s) to the received value if the OTP matches successfully (given the new moving factor values). Hoyer, et al. Expires July 31, 2010 [Page 17] Internet-Draft VALID January 2010 7. Policy models Authentication policy defines the requirements for accessing a resource in terms of mechanisms and their strengths, expressible in disjunctive normal form (that is a disjunction ("OR") of conjunctions ("AND"s)). This approach supports risk-based multi-factor authentication. Two policy models are supported. In the first model (see figuer below), the application is responsible for invoking the right combination of validation servers in order to satisfy the authentication policy. _____________ | | | Application | |_____________| | \ _____________|______________ | | | | > VALID | | | | ______|_____ _____|______ _____|______ / | | | | | | | Validation | | Validation | | Validation | | server | | server | | server | |____________| |____________| |____________| Policy aware application In the second model (see figure below), the authentication policy is managed through a choreography component, which appears to the application as a validation server and to the validation server as an application. Hoyer, et al. Expires July 31, 2010 [Page 18] Internet-Draft VALID January 2010 _____________ | | | Application | |_____________| | \ | | | >VALID | | ______|_______ / | | | Choreography | |______________| | \ ______________|______________ | | | | >VALID | | | | _____|______ _____|______ _____|______/ | | | | | | | Validation | | Validation | | Validation | | server | | server | | server | |____________| |____________| |____________| Policy aware application In either model, the application MAY supply information about the resource to which access is requested in a element. The validation server MAY restrict the resources to which the application SHALL limit access by including a element in its response. This is not intended as an access-control solution; it is intended only to enforce an appropriate level of authentication assurance, based on the sensitivity of the resource, where the sensitivity is not uniform across all the resources accessible by the application. Hoyer, et al. Expires July 31, 2010 [Page 19] Internet-Draft VALID January 2010 8. Common message contents This section describes the mechanism-independent requirements for message contents. 8.1. Request Security Token The message-independent requirements for "request security token" messages are shown in this example: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0 http://www.docs.oasis-open.org/ws-sx/ws-trust/200512/Issue ... ? ? + ... ? - MANDATORY The client SHALL set the value 'http:// docs.oasis-open.org/wss/ oasis-wss-saml-token-profile-1.1#SAMLV2.0'. If the server detects a different value it MAY return a fault. - MANDATORY The client SHALL set the value 'http://www.docs.oasis-open.org/ws-sx/ws-trust/200512/Issue' If the server detects a different value it SHALL return a fault. - OPTIONAL If present, the client MUST set the value to a URI identifying the resource, or class of resource, to which access is requested. If the validation server is policy-aware, it SHOULD use this value to select the applicable authentication policy. Otherwise, it MUST ignore it. - OPTIONAL If present, this element MUST identify a verified end-user attribute requested from the validation server. Even if the validation server cannot provide all the requested attributes, it SHOULD proceed with the validation process. Hoyer, et al. Expires July 31, 2010 [Page 20] Internet-Draft VALID January 2010 - OPTIONAL The client MAY specify the lifetime of the requested assertion using this element. The server MUST verify that the requested lifetime conforms with its own policy for assertion lifetimes. - MANDATORY This attribute MUST be set by the client. It is an opaque value to the server. The server MUST use the value as the value in the response. 8.2. Request Security Token Response The common requirements for the final "request security token response" message are shown in this example: ... + ? ... ? ? + If the authentication data failed to validate, then the server MUST include the element containing the value wst: FailedAuthentication. In this case, it SHALL NOT include any other elements. If the authentication data failed to validate due to missing authentication data, then the server MUST include the element containing the value valid: MissingAuthenticationData. The server can optionally include elements indicating which authentication data is missing. - OPTIONAL - Zero or more If validation is complete and successful, then the server SHALL include a SAML assertion containing verified end-user attributes. Otherwise this element SHALL be omitted. The server SHOULD set the assertion lifetime in accordance with the lifetime specified in the request, or its own policy, whichever is more restrictive. Hoyer, et al. Expires July 31, 2010 [Page 21] Internet-Draft VALID January 2010 - MANDATORY The client SHALL set the value 'http://www.docs.oasis-open.org/ws-sx/ws-trust/200512/Issue' If the server detects a different value it SHALL return a fault. - OPTIONAL If present, the server SHALL populate this element with verified end-user attributes. - OPTIONAL The server SHALL set the value "urn:oasis:names:tc:SAML:2.0". The client MAY reject responses containing a different value. - OPTIONAL If the authentication assurance level achieved is suitable only for a sub-set of resources, the validation server MUST set a value that identifies that sub- set.The client SHOULD restrict access to resources falling within the sub-set defined by this element. - MANDATORY The server MUST include the @Context value from the request. The client SHOULD load the context identified by the value. Hoyer, et al. Expires July 31, 2010 [Page 22] Internet-Draft VALID January 2010 9. Mechanism-specific message contents The mechanism-specific requirements for message contents are described in the appendices. These MAY be used in any combination. Hoyer, et al. Expires July 31, 2010 [Page 23] Internet-Draft VALID January 2010 10. Extensibility This section lists a few common extension points provided by VALID: New VALID Version: Whenever it is necessary to define a new version of this document then a new version number has to be allocated to refer to the new specification version. The rules for extensibililty are defined in Section 11. Hoyer, et al. Expires July 31, 2010 [Page 24] Internet-Draft VALID January 2010 11. IANA Considerations 11.1. XML namespace registration This section registers a new XML namespace, "urn:ietf:params:xml:ns:valid", per the guidelines in [RFC3688]. URI: urn:ietf:params:xml:ns:valid Registrant Contact: Philip Hoyer (phoyer@actividentity.com). XML: BEGIN VALID Namespace

Namespace for VALID

urn:ietf:params:xml:ns:valid

See RFCXXXX [NOTE TO IANA/RFC-EDITOR: Please replace XXXX with the RFC number of this specification.].

END 11.2. VALID Version Registry IANA is requested to create a registry for VALID version numbers. The registry has the following structure: VALID Version | Specification +---------------------------+---------------- | 1.0 | [This document] Standards action is required to define new versions of VALID. It is not envisioned to depreciate, delete, or modify existing VALID versions. Hoyer, et al. Expires July 31, 2010 [Page 25] Internet-Draft VALID January 2010 12. Security Considerations The validation server SHOULD authenticate the client and limit access to the validation service only to authorized clients. This MAY be achieved by object level security (e.g xml signatures as defined in [XMLDSIG] applied to the and elements), transport layer security (e.g. [TLS]) or network layer security (e.g. isolated network segment). The application MAY authenticate the validation server. This MAY be achieved by object level security (e.g. xml signatures as defined in [XMLDSIG] applied to the and elements or assertion), transport layer security (e.g. TLS) or network layer security (e.g. isolated network segment). The chosen authentication mechanism MUST ensure freshness of the exchanges in order to detect replay attacks. Privacy of the authentication data and end-user attributes MAY also require protection. Hoyer, et al. Expires July 31, 2010 [Page 26] Internet-Draft VALID January 2010 13. Acknowledgements The authors of this draft would like to thank the following people for their feedback: Siddharth Bajaj, David M'Raihi, Mike Davis and Peter Tapling. This work is based on earlier work by the members of OATH (Initiative for Open AuTHentication), see [OATH], to specify a format that can be freely distributed to the technical community. Hoyer, et al. Expires July 31, 2010 [Page 27] Internet-Draft VALID January 2010 14. References 14.1. Normative References [RFC2119] "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC3023] Murata, M., St. Laurent, S., and D. Kohn, "XML Media Types", RFC 3023, January 2001. [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, January 2004. [RFC4288] Freed, N. and J. Klensin, "Media Type Specifications and Registration Procedures", BCP 13, RFC 4288, December 2005. [SAML] Cantor, S., Kemp, J., Philpott, R., and E. Maler, "WS- Trust 1.4", URL: http://docs.oasis-open.org/security/saml/ v2.0/saml-core-2.0-os.pdf, OASIS Standard Specification, March 2005. [SOAP] Gudgin, M., "Simple Object Access Protocol 1.2", URL: http://www.w3.org/TR/soap12-part1/, W3C Recommendation, April 2007. [WS-Security] Nadalin, A., Kaler, C., Monzillo, R., and P. Hallam-Baker, "Web Services Security: SOAP Message Security 1.1", URL: http://www.oasis-open.org/committees/download.php/16790/ wss-v1.1-spec-os-SOAPMessageSecurity.pdf, OASIS Standard Specification, Feb 2006. [WS-Trust] Nadalin, A., Goodner, M., Gudgin, M., Barbir, A., and H. Granqvist, "WS-Trust 1.4", URL: http:// docs.oasis-open.org/ws-sx/ws-trust/v1.4/ws-trust.html, OASIS Standard Specification, Feb 2009. [WSS_UsernameTokenProfile] Nadalin, A., Kaler, C., Monzillo, R., and P. Hallam-Baker, "Web Services Security UsernameToken Profile 1.1", URL: http://docs.oasis-open.org/wss/v1.1/ wss-v1.1-spec-os-UsernameTokenProfile.pdf, OASIS Standard Specification, Feb 2006. [XMLDSIG] Eastlake, D., "XML-Signature Syntax and Processing", URL: http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/, W3C Recommendation, February 2002. Hoyer, et al. Expires July 31, 2010 [Page 28] Internet-Draft VALID January 2010 [XMLENC] Eastlake, D., "XML Encryption Syntax and Processing.", URL: http://www.w3.org/TR/xmlenc-core/, W3C Recommendation, December 2002. 14.2. Informative References [HOTP] MRaihi, D., Bellare, M., Hoornaert, F., Naccache, D., and O. Ranen, "HOTP: An HMAC-Based One Time Password Algorithm", RFC 4226, December 2005. [OATH] "Initiative for Open AuTHentication", URL: http://www.openauthentication.org. [OCRA] MRaihi, D., Rydell, J., Naccache, D., Machani, S., and S. Bhajaj, "OCRA: OATH Challenge-Response Algorithms", URL: http://docs.oasis-open.org/security/saml/v2.0/ saml-core-2.0-os.pdf, IETF Standard draft, January 2008. [PSKC] Hoyer, P., Pei, M., and S. Machani, "Portable Symmetric Key Container (PSKC)", URL: http://tools.ietf.org/html/ draft-ietf-keyprov-pskc-05, IETF Standard draft, January 2010. [RFC2396] Berners-Lee, T., Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifiers (URI): Generic Syntax", BCP 26, RFC 2396, August 1998. [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 5226, May 2008. [XMLNS] "Namespaces in XML", W3C Recommendation , URL: http://www.w3.org/TR/1999/REC-xml-names-19990114, January 1999. Hoyer, et al. Expires July 31, 2010 [Page 29] Internet-Draft VALID January 2010 Appendix A. WSDL The validation server WSDL is shown here. Hoyer, et al. Expires July 31, 2010 [Page 30] Internet-Draft VALID January 2010 Hoyer, et al. Expires July 31, 2010 [Page 31] Internet-Draft VALID January 2010 Appendix B. Mechanism specific message contents The follwing subsections describe the mechanism specific message contents for each considered mechanism: B.1. Username/password This section describes the mechanism-specific message contents username/password transferred in-band. There are no semantics implied by the order of the elements. The username and password transmission uses the web services security Username Token Profile [WSS_UsernameTokenProfile]. There are two steps to the protocol. Step 1 - Client sends "request security token" message containing authentication data to the validation server. http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0 http://www.docs.oasis-open.org/ws-sx/ws-trust/200512/Issue ... ? ? + ... ? ... ? Password If present, the client MUST set the value to the claimed username. The server MUST load the corresponding end-user record. Either the element or the element or both MUST be present. The client MUST set the value to password entered by the end user. The server MUST validate the password. The server MUST confirm that all the supplied authentication data are valid for a single end-user. Hoyer, et al. Expires July 31, 2010 [Page 32] Internet-Draft VALID January 2010 Step 2 - Validation server sends "request security token response" message containing the authentication result to the client. ... ... B.2. In band one-time-password (OTP) This section describes the mechanism-specific message contents for both time-based and event-based OTP protocols in which the OTP is transferred in-band. There are no semantics implied by the order of the elements. There are two steps to the protocol. Step 1 - Client sends "request security token" message containing authentication data to the validation server. http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0 http://www.docs.oasis-open.org/ws-sx/ws-trust/200512/Issue ... ? ? + ... ? ... ? ... ? ... ? ... If present, the client MUST set the value to the claimed username. The server MUST load the corresponding end-user record. Either the element or the element or both MUST be present. Hoyer, et al. Expires July 31, 2010 [Page 33] Internet-Draft VALID January 2010 If present, the client MUST set the value to the KeyId of the key used for OTP computations. The server MUST load the corresponding key record.. If present, the client MUST set the subelement values of pskc: DeviceInfo as defined in [PSKC] to value that uniuquely identify the device used for OTP computations. The server MUST load the corresponding device record.. The client MUST set the value to the OTP value. The server MUST validate the OTP. The server MUST confirm that all the supplied authentication data are valid for a single end-user. Step 2 - Validation server sends "request security token response" message containing the authentication result to the client. ... ... The following authentication data are defined by this specification. Name: valid:OTP Type: xsd:string Description: The output value of an end-user OTP token Name: valid:KeyId Type: xsd:string Description: The globally-unique identifier for key used in the OTP computation Name: pskc:DeviceInfo Type: pskc:DeviceInfo Description: A extensible element to uniquely identify devices used in OTP computations as defined in [PSKC]. Hoyer, et al. Expires July 31, 2010 [Page 34] Internet-Draft VALID January 2010 B.3. In band one-time-password (OTP) token synchronization This section describes the mechanism-specific message contents for both time-based, event-based and time-event based OTP algorithms in which resynchronization data is sent in-band. Synchronization can happen either by sending two subsequqnt OTPs from the device or by sending only one OTP and the exact values of one or multiple moving factors (e.g.Counter, TIme, etc) used in the OTP algorithm. There are two steps to the protocol. Step 1 - Client sends "request security token" message containing synchronization data to the validation server. http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0 urn:ietf:params:xml:ns:valid#synchronization ... ? ? + ... ? ... ? ... ? ... ? ... ... ? ... ? ... ? If present, the client MUST set the value to the claimed username. The server MUST load the corresponding end-user record. Either the element or the element or both MUST be present. Hoyer, et al. Expires July 31, 2010 [Page 35] Internet-Draft VALID January 2010 If present, the client MUST set the value to the KeyId of the key used for OTP computations. The server MUST load the corresponding key record.. If present, the client MUST set the subelement values of pskc: DeviceInfo as defined in [PSKC] to value that uniuquely identify the device used for OTP computations. The server MUST load the corresponding device record.. The client MUST set the value to the OTP value. The server MUST validate the OTP within an extended synchronization window. If present, the client MUST set this value to the next OTP value obtained from the OTP device. The server MUST validate this OTP within a normal validation window upon successful validation of the first OTP. If present, the client MUST set the value to the current OTP Counter moving factor from the claimed device. The server MUST validate that the given OTP corresponds to the given value in and then set the Counter moving factor value to its own record for the claimed token. If present, the client MUST set the value to the current OTP Time moving factor from the claimed device. The server MUST validate that the given OTP corresponds to the given value in and then set the Time moving factor value to its own record for the claimed token. The server MUST confirm that all the supplied synchronization data are valid and adjust its token record with the validated client data. Step 2 - Validation server sends "request security token response" message containing the synchronization result to the client. ... ... The following synchronization data are defined by this specification. Hoyer, et al. Expires July 31, 2010 [Page 36] Internet-Draft VALID January 2010 Name: valid:OTP Type: xsd:string Description: The output value of an end-user OTP token Name: valid:NextOTP Type: xsd:string Description: The output value of an end-user OTP token for the next consecutive OTP Name: valid:MovingFactor Type: xsd:integer Description: The current OTP moving factor in a client token. It is the event counter for an event based token, for example, HOTP. Name: valid:KeyId Type: xsd:string Description: The globally-unique identifier for the OTP token B.4. In band challenge/response This appendix describes the mechanism-specific message contents for challenge/response authentication mechanisms in which both the challenge and response are transferred in-band. Mechanisms of this type include: knowledge-based schemes, matrix card schemes and cryptographic token schemes. There are no semantics implied by the order of the elements. There are four steps to the protocol. Step 1 - Client sends "request security token" message containingthe claimed identity to the validation server. Hoyer, et al. Expires July 31, 2010 [Page 37] Internet-Draft VALID January 2010 http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0 http://www.docs.oasis-open.org/ws-sx/ws-trust/200512/Issue ... ? ? + ... ? ... ? ... ? ... ? Step 2 - Validation server sends "request security token response" message containing the challenge to the client. ... The server MUST set the contents to the value of the challenge. Step 3 - Client sends "request security token response" message containing the response to the server. ... The client MUST set the value to the transformed challenge. The server MUST validate the transformed challenge. Step 4 - Server sends "request security token response" message containing the authentication result to the client. Hoyer, et al. Expires July 31, 2010 [Page 38] Internet-Draft VALID January 2010 ... ... B.5. Out-of-band challenge This appendix describes the mechanism-specific message contents for challenge/response mechanisms in which the challenge is passed to the end-user out-of-band. Such mechanisms involve a separate communication channel, such as voice telephone, email or SMS. There are no semantics implied by the order of the elements. There are four steps to the protocol. Step 1 - Client sends "request security token" message containing claimed identity to the server. http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0 http://www.docs.oasis-open.org/ws-sx/ws-trust/200512/Issue ... ? ? + ... ? ... ... ? Step 2 - (Optional, in the asynchronous case) Server sends "pending" to the client. valid:Pending Both the client and server close the session. Step 3 - Once the client receives the response, it sends the "request Hoyer, et al. Expires July 31, 2010 [Page 39] Internet-Draft VALID January 2010 security token response" message to the server.. ... Step 4 - Server sends "request security token response" message containing the authentication result to the client. ... ... The attribute value MUST be the same as that used in steps 1, 2 and 3. B.6. Out-of-band response This appendix describes the mechanism-specific message contents for challenge/response mechanisms in which the response is returned to the validation server out-of-band. Such mechanisms involve a separate communication channel, such as voice telephone, email or SMS. There are no semantics implied by the order of the elements. There are four steps to the protocol. Step 1 - Client sends "request security token" message containing the claimed identity to the server. Hoyer, et al. Expires July 31, 2010 [Page 40] Internet-Draft VALID January 2010 http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0 http://www.docs.oasis-open.org/ws-sx/ws-trust/200512/Issue ... ? ? + ... ? ... ... ? ... ? Step 2 - Server sends "request security token response" message containing the challenge to the client. ... Step 3 - (Optional - in the asynchronous case) Client sends "pending" to the server. valid:Pending Both the client and server close the session. Step 4 - Server sends "request security token response" message containing the authentication result to the client at the registered call-back interface. ... ... Hoyer, et al. Expires July 31, 2010 [Page 41] Internet-Draft VALID January 2010 The attribute value MUST be the same as that used in steps 1, 2 and 3. B.7. Client supplies challenge This appendix describes the mechanism-specific message contents for challenge/response mechanisms in which the client supplies the challenge. There are no semantics implied by the order of the elements. There are two steps to the protocol. Step 1 - Client sends "request security token" message to the validation server, passing both the challenge and the response. http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0 http://www.docs.oasis-open.org/ws-sx/ws-trust/200512/Issue ... ? ? + ... ? ... ... The challenge. This may have been obtained from the validation server by means of another interface; one not specified here. The client MUST set the value to the transformed challenge. The server MUST validate the transformed challenge. Step 2 - Validation server returns "request security token response" message containing the assertion and claims to the client. Hoyer, et al. Expires July 31, 2010 [Page 42] Internet-Draft VALID January 2010 ... ... B.8. Challenge/response with signature This appendix describes the mechanism-specific message contents for challenge/response authentication mechanisms in which both the challenge and response are transferred in-band additionally to other parameters that are used in a signature (such as the simmetric signature in [OCRA]. There are no semantics implied by the order of the elements. There are four steps to the protocol. Step 1 - Client sends "request security token" message containingthe claimed identity to the validation server. http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0 http://www.docs.oasis-open.org/ws-sx/ws-trust/200512/Issue ... ? ? + ... ? ... ? ... ? ... ? Step 2 - Validation server sends "request security token response" message containing the set of challenges to the client. + ... Hoyer, et al. Expires July 31, 2010 [Page 43] Internet-Draft VALID January 2010 The server MUST set the contents to the value of the challenge(s). Step 3 - Client sends "request security token response" message containing the response(s) to the server. + ... The client MUST set the value to the parameters of the signature (e.g. amount is set to '10000'). The server MUST validate the transformed challenge. Step 4 - Server sends "request security token response" message containing the authentication result to the client. ... ... Hoyer, et al. Expires July 31, 2010 [Page 44] Internet-Draft VALID January 2010 Appendix C. Use Cases This section describes a comprehensive list of use cases that inspired the development of this specification. These requirements were used to derive the primary requirement that drove the design. These requirements are covered in the next section. These use cases also help in understanding the applicability of this specification to real world situations. C.1. Validation C.1.1. OTP Validation An application needs to validate an OTP obtained from an end-user, before providing the end-user with access to the requested resource(s). The validation request may pass through several SOAP intermediaries. If this is the case, the application message needs to specify the ultimate validation server endpoint via SOAP addressing means, e.g., by using SOAP actors, to avoid the OTP being evaluated several times. The response may include additional instructions to the token, for example that it needs to be resynchronized. This information must be defined inside a SOAP message. Valid credentials that can be passed in the valildation request: o Username, PIN + OTP o Username, OTP o TokenId + OTP o Array of TokenId + OTP C.1.2. Challenge/Response Validation - Server generated challenge An application needs to be able to use a token implementing the OCRA challenge/response algorithm for identifying the end user. The application requests from the validation server the challenge to be presented to the token (with the end-user keying the challenge into the token by means of a PINPad) or the challenge presented to the API of the connected token The application then uses the protocol to verify the response from the token Hoyer, et al. Expires July 31, 2010 [Page 45] Internet-Draft VALID January 2010 C.1.3. Challenge/Response Validation - User generated challenge An application needs to be able to use a token implementing the OCRA challenge/response algorithm for identifying the end user. The application generates the challenge to be presented to the token (with the end-user keying the challenge into the token by means of a PINPad) or the challenge presented to the API of the connected token The application then uses the protocol to verify the challenge and the response from the token. C.1.4. 2-way mutual Challenge/Response Validation An application needs to be able to use a token implementing the OCRA 2 way challenge/response algorithm for identifying the end user and the user will identify the validation server. A connected token generates a client challenge and trasnmits it to the appllication, the application will accept the challenge and send it to the validation server, which will then return a server-response to the client challenge and a server challenge. The connected token will verify the server response and after successfully validating the server response sends uses the server-challenge to generate a client- response which is sent to the appliaction. The application then uses the protocol to verify the the response from the connected client. C.1.5. OTP Validation + Server managed PIN An application needs to be able to use a token implementing the TOTP algorithm as one factor and a server managed PIN as a second factor, for indetifying the end user. The verification of both factors should occur within one message request/response pair of the protocol. C.1.6. MatrixCardValidation - Server generated challenge An application needs to be able to use MatrixCard challenge/response algorithm for identifying the end user. The application will request from the validation server the challenge to be presented to the user via the user interface and the user response entered into a webform The application will then use the protocol to verify the response from the token C.2. Synchronisation Use Cases This section describes the use cases relating to synchronisation of the token and the server. Hoyer, et al. Expires July 31, 2010 [Page 46] Internet-Draft VALID January 2010 C.2.1. OTP Token Resync with the Next OTPs An application needs to validate an OTP but the OTP could not be validated because the OTP moving factor is out-of-sync between the token and the server. The validation server detects that the given OTP corresponds to a future moving factor that falls in an acceptable re-sync window. The application decides that a re-sync is necessary. It asks the next generated OTP from the token to re-sync the token. The validation server adjusts its record of the token's moving factor to the one that corresponds to the given OTP upon successful validation. Two consecutive OTPs could also be directly used for a validation server to re-sync a token, where the server tries to match the first OTP with an extended synchronization window and then match the second OTP with a normal authentication window. C.2.2. OTP Token Resync with Moving Factor An application needs to validate an OTP but the OTP could not be validated because the OTP moving factor is out-of-sync between the token and the server. The validation server detects that the given OTP corresponds to a future moving factor that falls in an acceptable re-sync window. The application decides that a re-sync is necessary. It uses values that can be read by the user of the token (e.g. event counter value, time interval counter value) to re-sync the token together with the next generated OTP of the token. Hoyer, et al. Expires July 31, 2010 [Page 47] Internet-Draft VALID January 2010 Appendix D. Requirements This section outlines the most relevant requirements that are the basis of this work. Several of the requirements were derived from use cases described above. R1: The protocol must support authentication of request originator. R2: The protocol must support management data flows (e.g., related to token synchronization) R3: The protocol needs to support the following algorithms * HOTP * OCRA * TOTP * Proprietary OTP * Proprietary Challenge/Response * Matrix cards * SMS OTP * PKI based challenge/response R4: The protocol must be XML/Web Services based. R5: The protocol must support SOAP intermediaries. Hoyer, et al. Expires July 31, 2010 [Page 48] Internet-Draft VALID January 2010 Authors' Addresses Philip Hoyer ActivIdentity, Inc. 117 Waterloo Road London, SE1 8UL UK Phone: +44 (0) 20 7744 6455 Email: phoyer@actividentity.com Tim Moses Entrust, Inc. 1000 Innovation Drive Ottawa, Ontario K2K 3E7 Canada Phone: +1 (613) 270-3400 Email: tim.mosesi@entrust.com Mingliang Pei VeriSign, Inc. 487 E. Middlefield Road Mountain View, CA 94043 USA Phone: +1 650 426 5173 Email: mpei@verisign.com Salah Machani Diversinet, Inc. 2225 Sheppard Avenue East Suite 1801 Toronto, Ontario M2J 5C2 Canada Phone: +1 416 756 2324 Ext. 321 Email: smachani@diversinet.com Hoyer, et al. Expires July 31, 2010 [Page 49]