Last Call: 'TLS User Mapping Extension' to Proposed Standard

The IESG has received a request from an individual submitter to consider the 
following document:

- 'TLS User Mapping Extension'
   <draft-santesson-tls-ume-02.txt> as a Proposed Standard

The TLS User Mapping extension enables a client to send a name hint to
a server during a TLS handshake, enabling the server to locate
necessary authentication credentials, such as X.509 certificates, for
the claimed user.

This aims to solve two issues:

     1) To enable use of legacy PKI implementations where existing
        certificates lack a name that unambiguously maps to the user
        account at the server.

     2) Allow a user to use the same certificate to authenticate to
        multiple accounts, while still being able to specify which
        account the user intends to employ for a particular TLS session.

In the legacy PKI case, the user mapping hint provides information that
the server can use to retrieve any necessary data, including
certificates, to authenticate the user.

The proposed TLS protocol extensions allow additional user mapping
hint types to be defined in the future.  The basic hint type allows
either a UPN (Universal Principal Name) or a DNS hint to be sent to
the server.

The UPN hint enables authentication to a Microsoft domain account
using existing PKI deployments.  Without this TLS protocol extension,
the client certificate must contain a UPN name in the form of the
Microsoft UPN otherName in the Subject Alternative Name extension.
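As an added illustration (not part of the draft or of this announcement), the code below encodes and strictly parses the basic UPN hint and shows the server-side point that matters: the hint only selects which account to check, while the client certificate presented in the handshake is what must prove the claim. It assumes the UpnDomainHint wire layout of the later-published RFC 4681 (two length-prefixed opaque vectors, user principal name and domain name), which may differ from draft -02, and uses a constructed account directory with constructed certificate fingerprints.

```python
import struct
from typing import Optional, Tuple

# Wire layout assumed from the published RFC 4681 (the -02 draft under Last
# Call may differ):  UpnDomainHint = opaque user_principal_name<0..2^16-1>,
#                                    opaque domain_name<0..2^16-1>

def _opaque16(field: bytes) -> bytes:
    """Encode a TLS opaque<0..2^16-1> vector: 2-byte big-endian length + body."""
    if len(field) > 0xFFFF:
        raise ValueError("field exceeds 2^16-1 bytes")
    return struct.pack("!H", len(field)) + field

def encode_upn_domain_hint(upn: str, domain: str) -> bytes:
    return _opaque16(upn.encode("utf-8")) + _opaque16(domain.encode("utf-8"))

def decode_upn_domain_hint(data: bytes) -> Tuple[str, str]:
    """Parse strictly: reject truncated vectors and trailing bytes."""
    def read_opaque(off: int) -> Tuple[bytes, int]:
        if off + 2 > len(data):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack_from("!H", data, off)
        off += 2
        if off + n > len(data):
            raise ValueError("truncated vector body")
        return data[off:off + n], off + n
    upn_b, off = read_opaque(0)
    dom_b, off = read_opaque(off)
    if off != len(data):
        raise ValueError("trailing bytes after UpnDomainHint")
    return upn_b.decode("utf-8"), dom_b.decode("utf-8")

# Constructed sample directory: account -> certificate fingerprints enrolled for it.
ACCOUNTS = {
    ("alice@example.com", "EXAMPLE"): {"sha256:constructed-alice-cert"},
}

def resolve_account(hint: bytes, client_cert_fingerprint: str) -> Optional[Tuple[str, str]]:
    """Server side: the hint is untrusted lookup data; the certificate authenticates."""
    try:
        key = decode_upn_domain_hint(hint)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed hint: do not let it select or create an account
    # Only succeed when the presented certificate is enrolled for the hinted account.
    return key if client_cert_fingerprint in ACCOUNTS.get(key, set()) else None
```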

This TLS protocol extension is being implemented by Microsoft in
Windows Vista.  It is expected to be used by enterprise customers with
PKI deployments.  In fact, the development of this TLS protocol
extension is a direct result of requirements raised from the user
community.

This document is an individual submission.  However, the draft was
announced to the TLS WG, and it was presented at the TLS WG session
during IETF 64 in Vancouver.  Comments received from WG participants
were addressed.  After resolving these comments, no further objections
were raised.

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action.  Please send any comments to the
iesg@ietf.org or ietf@ietf.org mailing lists by 2006-03-10.

The file can be obtained via
http://www.ietf.org/internet-drafts/draft-santesson-tls-ume-02.txt


_______________________________________________

IETF-Announce@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf-announce
