summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc2704.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc2704.txt')
-rw-r--r--doc/rfc/rfc2704.txt2075
1 files changed, 2075 insertions, 0 deletions
diff --git a/doc/rfc/rfc2704.txt b/doc/rfc/rfc2704.txt
new file mode 100644
index 0000000..d41cd3a
--- /dev/null
+++ b/doc/rfc/rfc2704.txt
@@ -0,0 +1,2075 @@
+
+
+
+
+
+
+Network Working Group M. Blaze
+Request for Comments: 2704 J. Feigenbaum
+Category: Informational J. Ioannidis
+ AT&T Labs - Research
+ A. Keromytis
+ U. of Pennsylvania
+ September 1999
+
+
+ The KeyNote Trust-Management System Version 2
+
+Status of this Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard of any kind. Distribution of this
+ memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (1999). All Rights Reserved.
+
+Abstract
+
+ This memo describes version 2 of the KeyNote trust-management system.
+ It specifies the syntax and semantics of KeyNote `assertions',
+ describes `action attribute' processing, and outlines the application
+ architecture into which a KeyNote implementation can be fit. The
+ KeyNote architecture and language are useful as building blocks for
+ the trust management aspects of a variety of Internet protocols and
+ services.
+
+1. Introduction
+
+ Trust management, introduced in the PolicyMaker system [BFL96], is a
+ unified approach to specifying and interpreting security policies,
+ credentials, and relationships; it allows direct authorization of
+ security-critical actions. A trust-management system provides
+ standard, general-purpose mechanisms for specifying application
+ security policies and credentials. Trust-management credentials
+ describe a specific delegation of trust and subsume the role of
+ public key certificates; unlike traditional certificates, which bind
+ keys to names, credentials can bind keys directly to the
+ authorization to perform specific tasks.
+
+
+
+
+
+
+
+
+Blaze, et al. Informational [Page 1]
+
+RFC 2704 The KeyNote Trust-Management System September 1999
+
+
+ A trust-management system has five basic components:
+
+ * A language for describing `actions', which are operations with
+ security consequences that are to be controlled by the system.
+
+ * A mechanism for identifying `principals', which are entities that
+ can be authorized to perform actions.
+
+ * A language for specifying application `policies', which govern the
+ actions that principals are authorized to perform.
+
+ * A language for specifying `credentials', which allow principals to
+ delegate authorization to other principals.
+
+ * A `compliance checker', which provides a service to applications
+ for determining how an action requested by principals should be
+ handled, given a policy and a set of credentials.
+
+ The trust-management approach has a number of advantages over other
+ mechanisms for specifying and controlling authorization, especially
+ when security policy is distributed over a network or is otherwise
+ decentralized.
+
+ Trust management unifies the notions of security policy, credentials,
+ access control, and authorization. An application that uses a
+ trust-management system can simply ask the compliance checker whether
+ a requested action should be allowed. Furthermore, policies and
+ credentials are written in standard languages that are shared by all
+ trust-managed applications; the security configuration mechanism for
+ one application carries exactly the same syntactic and semantic
+ structure as that of another, even when the semantics of the
+ applications themselves are quite different.
+
+ Trust-management policies are easy to distribute across networks,
+ helping to avoid the need for application-specific distributed policy
+ configuration mechanisms, access control lists, and certificate
+ parsers and interpreters.
+
+ For a general discussion of the use of trust management in
+ distributed system security, see [Bla99].
+
+ KeyNote is a simple and flexible trust-management system designed to
+ work well for a variety of large- and small-scale Internet-based
+ applications. It provides a single, unified language for both local
+ policies and credentials. KeyNote policies and credentials, called
+ `assertions', contain predicates that describe the trusted actions
+ permitted by the holders of specific public keys. KeyNote assertions
+ are essentially small, highly-structured programs. A signed
+
+
+
+Blaze, et al. Informational [Page 2]
+
+RFC 2704 The KeyNote Trust-Management System September 1999
+
+
+ assertion, which can be sent over an untrusted network, is also
+ called a `credential assertion'. Credential assertions, which also
+ serve the role of certificates, have the same syntax as policy
+ assertions but are also signed by the principal delegating the trust.
+
+ In KeyNote:
+
+ * Actions are specified as a collection of name-value pairs.
+
+ * Principal names can be any convenient string and can directly
+ represent cryptographic public keys.
+
+ * The same language is used for both policies and credentials.
+
+ * The policy and credential language is concise, highly expressive,
+ human readable and writable, and compatible with a variety of
+ storage and transmission media, including electronic mail.
+
+ * The compliance checker returns an application-configured `policy
+ compliance value' that describes how a request should be handled
+ by the application. Policy compliance values are always
+ positively derived from policy and credentials, facilitating
+ analysis of KeyNote-based systems.
+
+ * Compliance checking is efficient enough for high-performance and
+ real-time applications.
+
+ This document describes the KeyNote policy and credential assertion
+ language, the structure of KeyNote action descriptions, and the
+ KeyNote model of computation.
+
+ We assume that applications communicate with a locally trusted
+ KeyNote compliance checker via a `function call' style interface,
+ sending a collection of KeyNote policy and credential assertions plus
+ an action description as input and accepting the resulting policy
+ compliance value as output. However, the requirements of different
+ applications, hosts, and environments may give rise to a variety of
+ different interfaces to KeyNote compliance checkers; this document
+ does not aim to specify a complete compliance checker API.
+
+2. KeyNote Concepts
+
+ In KeyNote, the authority to perform trusted actions is associated
+ with one or more `principals'. A principal may be a physical entity,
+ a process in an operating system, a public key, or any other
+ convenient abstraction. KeyNote principals are identified by a
+ string called a `Principal Identifier'. In some cases, a Principal
+ Identifier will contain a cryptographic key interpreted by the
+
+
+
+Blaze, et al. Informational [Page 3]
+
+RFC 2704 The KeyNote Trust-Management System September 1999
+
+
+ KeyNote system (e.g., for credential signature verification). In
+ other cases, Principal Identifiers may have a structure that is
+ opaque to KeyNote.
+
+ Principals perform two functions of concern to KeyNote: They request
+ `actions' and they issue `assertions'. Actions are any trusted
+ operations that an application places under KeyNote control.
+ Assertions delegate the authorization to perform actions to other
+ principals.
+
+ Actions are described to the KeyNote compliance checker in terms of a
+ collection of name-value pairs called an `action attribute set'. The
+ action attribute set is created by the invoking application. Its
+ structure and format are described in detail in Section 3 of this
+ document.
+
+ KeyNote provides advice to applications about the interpretation of
+ policy with regard to specific requested actions. Applications
+ invoke the KeyNote compliance checker by issuing a `query' containing
+ a proposed action attribute set and identifying the principal(s)
+ requesting it. The KeyNote system determines and returns an
+ appropriate `policy compliance value' from an ordered set of possible
+ responses.
+
+ The policy compliance value returned from a KeyNote query advises the
+ application how to process the requested action. In the simplest
+ case, the compliance value is Boolean (e.g., "reject" or "approve").
+ Assertions can also be written to select from a range of possible
+ compliance values, when appropriate for the application (e.g., "no
+ access", "restricted access", "full access"). Applications can
+ configure the relative ordering (from `weakest' to `strongest') of
+ compliance values at query time.
+
+ Assertions are the basic programming unit for specifying policy and
+ delegating authority. Assertions describe the conditions under which
+ a principal authorizes actions requested by other principals. An
+ assertion identifies the principal that made it, which other
+ principals are being authorized, and the conditions under which the
+ authorization applies. The syntax of assertions is given in Section
+ 4.
+
+ A special principal, whose identifier is "POLICY", provides the root
+ of trust in KeyNote. "POLICY" is therefore considered to be
+ authorized to perform any action.
+
+
+
+
+
+
+
+Blaze, et al. Informational [Page 4]
+
+RFC 2704 The KeyNote Trust-Management System September 1999
+
+
+ Assertions issued by the "POLICY" principal are called `policy
+ assertions' and are used to delegate authority to otherwise untrusted
+ principals. The KeyNote security policy of an application consists
+ of a collection of policy assertions.
+
+ When a principal is identified by a public key, it can digitally sign
+ assertions and distribute them over untrusted networks for use by
+ other KeyNote compliance checkers. These signed assertions are also
+ called `credentials', and serve a role similar to that of traditional
+ public key certificates. Policies and credentials share the same
+ syntax and are evaluated according to the same semantics. A
+ principal can therefore convert its policy assertions into
+ credentials simply by digitally signing them.
+
+ KeyNote is designed to encourage the creation of human-readable
+ policies and credentials that are amenable to transmission and
+ storage over a variety of media. Its assertion syntax is inspired by
+ the format of RFC822-style message headers [Cro82]. A KeyNote
+ assertion contains a sequence of sections, called `fields', each of
+ which specifies one aspect of the assertion's semantics. Fields
+ start with an identifier at the beginning of a line and continue
+ until the next field is encountered. For example:
+
+ KeyNote-Version: 2
+ Comment: A simple, if contrived, email certificate for user mab
+ Local-Constants: ATT_CA_key = "RSA:acdfa1df1011bbac"
+ mab_key = "DSA:deadbeefcafe001a"
+ Authorizer: ATT_CA_key
+ Licensees: mab_key
+ Conditions: ((app_domain == "email") # valid for email only
+ && (address == "mab@research.att.com"));
+ Signature: "RSA-SHA1:f00f2244"
+
+ The meanings of the various sections are described in Sections 4 and
+ 5 of this document.
+
+ KeyNote semantics resolve the relationship between an application's
+ policy and actions requested by other principals, as supported by
+ credentials. The KeyNote compliance checker processes the assertions
+ against the action attribute set to determine the policy compliance
+ value of a requested action. These semantics are defined in Section
+ 5.
+
+ An important principle in KeyNote's design is `assertion
+ monotonicity'; the policy compliance value of an action is always
+ positively derived from assertions made by trusted principals.
+ Removing an assertion never results in increasing the compliance
+ value returned by KeyNote for a given query. The monotonicity
+
+
+
+Blaze, et al. Informational [Page 5]
+
+RFC 2704 The KeyNote Trust-Management System September 1999
+
+
+ property can simplify the design and analysis of complex network-
+ based security protocols; network failures that prevent the
+ transmission of credentials can never result in spurious
+ authorization of dangerous actions. A detailed discussion of
+ monotonicity and safety in trust management can be found in [BFL96]
+ and [BFS98].
+
+3. Action Attributes
+
+ Trusted actions to be evaluated by KeyNote are described by a
+ collection of name-value pairs called the `action attribute set'.
+ Action attributes are the mechanism by which applications communicate
+ requests to KeyNote and are the primary objects on which KeyNote
+ assertions operate. An action attribute set is passed to the KeyNote
+ compliance checker with each query.
+
+ Each action attribute consists of a name and a value. The semantics
+ of the names and values are not interpreted by KeyNote itself; they
+ vary from application to application and must be agreed upon by the
+ writers of applications and the writers of the policies and
+ credentials that will be used by them.
+
+ Action attribute names and values are represented by arbitrary-length
+ strings. KeyNote guarantees support of attribute names and values up
+ to 2048 characters long. The handling of longer attribute names or
+ values is not specified and is KeyNote-implementation-dependent.
+ Applications and assertions should therefore avoid depending on the
+ the use of attributes with names or values longer than 2048
+ characters. The length of an attribute value is represented by an
+ implementation-specific mechanism (e.g., NUL-terminated strings, an
+ explicit length field, etc.).
+
+ Attribute values are inherently untyped and are represented as
+ character strings by default. Attribute values may contain any non-
+ NUL ASCII character. Numeric attribute values should first be
+ converted to an ASCII text representation by the invoking
+ application, e.g., the value 1234.5 would be represented by the
+ string "1234.5".
+
+ Attribute names are of the form:
+
+ <AttributeID>:: {Any string starting with a-z, A-Z, or the
+ underscore character, followed by any number of
+ a-z, A-Z, 0-9, or underscore characters} ;
+
+ That is, an <AttributeID> begins with an alphabetic or underscore
+ character and can be followed by any number of alphanumerics and
+ underscores. Attribute names are case-sensitive.
+
+
+
+Blaze, et al. Informational [Page 6]
+
+RFC 2704 The KeyNote Trust-Management System September 1999
+
+
+ The exact mechanism for passing the action attribute set to the
+ compliance checker is determined by the KeyNote implementation.
+ Depending on specific requirements, an implementation may provide a
+ mechanism for including the entire attribute set as an explicit
+ parameter of the query, or it may provide some form of callback
+ mechanism invoked as each attribute is dereferenced, e.g., for access
+ to kernel variables.
+
+ If an action attribute is not defined its value is considered to be
+ the empty string.
+
+ Attribute names beginning with the "_" character are reserved for use
+ by the KeyNote runtime environment and cannot be passed from
+ applications as part of queries. The following special attribute
+ names are used:
+
+ Name Purpose
+ ------------------------ ------------------------------------
+ _MIN_TRUST Lowest-order (minimum) compliance
+ value in query; see Section 5.1.
+
+ _MAX_TRUST Highest-order (maximum) compliance
+ value in query; see Section 5.1.
+
+ _VALUES Linearly ordered set of compliance
+ values in query; see Section 5.1.
+ Comma separated.
+
+ _ACTION_AUTHORIZERS Names of principals directly
+ authorizing action in query.
+ Comma separated.
+
+ In addition, attributes with names of the form "_<N>", where <N> is
+ an ASCII-encoded integer, are used by the regular expression matching
+ mechanism described in Section 5.
+
+ The assignment and semantics of any other attribute names beginning
+ with "_" is unspecified and implementation-dependent.
+
+ The names of other attributes in the action attribute set are not
+ specified by KeyNote but must be agreed upon by the writers of any
+ policies and credentials that are to inter-operate in a specific
+ KeyNote query evaluation.
+
+
+
+
+
+
+
+
+Blaze, et al. Informational [Page 7]
+
+RFC 2704 The KeyNote Trust-Management System September 1999
+
+
+ By convention, the name of the application domain over which action
+ attributes should be interpreted is given in the attribute named
+ "app_domain". The IANA (or some other suitable authority) will
+ provide a registry of reserved app_domain names. The registry will
+ list the names and meanings of each application's attributes.
+
+ The app_domain convention helps to ensure that credentials are
+ interpreted as they were intended. An attribute with any given name
+ may be used in many different application domains but might have
+ different meanings in each of them. However, the use of a global
+ registry is not always required for small-scale, closed applications;
+ the only requirement is that the policies and credentials made
+ available to the KeyNote compliance checker interpret attributes
+ according to the same semantics assumed by the application that
+ created them.
+
+ For example, an email application might reserve the app_domain
+ "RFC822-EMAIL" and might use the attributes named "address" (the
+ email address of a message's sender), "name" (the human name of the
+ message sender), and any "organization" headers present (the
+ organization name). The values of these attributes would be derived
+ in the obvious way from the email message headers. The public key of
+ the message's signer would be given in the "_ACTION_AUTHORIZERS"
+ attribute.
+
+ Note that "RFC822-EMAIL" is a hypothetical example; such a name may
+ or may not appear in the actual registry with these or different
+ attributes. (Indeed, we recognize that the reality of email security
+ is considerably more complex than this example might suggest.)
+
+4. KeyNote Assertion Syntax
+
+ In the following sections, the notation [X]* means zero or more
+ repetitions of character string X. The notation [X]+ means one or
+ more repetitions of X. The notation <X>* means zero or more
+ repetitions of non-terminal <X>. The notation <X>+ means one or more
+ repetitions of X, whereas <X>? means zero or one repetitions of X.
+ Nonterminal grammar symbols are enclosed in angle brackets. Quoted
+ strings in grammar productions represent terminals.
+
+4.1 Basic Structure
+
+ <Assertion>:: <VersionField>? <AuthField> <LicenseesField>?
+ <LocalConstantsField>? <ConditionsField>?
+ <CommentField>? <SignatureField>? ;
+
+ All KeyNote assertions are encoded in ASCII.
+
+
+
+
+Blaze, et al. Informational [Page 8]
+
+RFC 2704 The KeyNote Trust-Management System September 1999
+
+
+ KeyNote assertions are divided into sections, called `fields', that
+ serve various semantic functions. Each field starts with an
+ identifying label at the beginning of a line, followed by the ":"
+ character and the field's contents. There can be at most one field
+ per line.
+
+ A field may be continued over more than one line by indenting
+ subsequent lines with at least one ASCII SPACE or TAB character.
+ Whitespace (a SPACE, TAB, or NEWLINE character) separates tokens but
+ is otherwise ignored outside of quoted strings. Comments with a
+ leading octothorp character (see Section 4.2) may begin in any
+ column.
+
+ One mandatory field is required in all assertions:
+
+ Authorizer
+
+ Six optional fields may also appear:
+
+ Comment
+ Conditions
+ KeyNote-Version
+ Licensees
+ Local-Constants
+ Signature
+
+ All field names are case-insensitive. The "KeyNote-Version" field,
+ if present, appears first. The "Signature" field, if present,
+ appears last. Otherwise, fields may appear in any order. Each field
+ may appear at most once in any assertion.
+
+ Blank lines are not permitted in assertions. Multiple assertions
+ stored in a file (e.g., in application policy configurations),
+ therefore, can be separated from one another unambiguously by the use
+ of blank lines between them.
+
+4.2 Comments
+
+ <Comment>:: "#" {ASCII characters} ;
+
+ The octothorp character ("#", ASCII 35 decimal) can be used to
+ introduce comments. Outside of quoted strings (see Section 4.3), all
+ characters from the "#" character through the end of the current line
+ are ignored. However, commented text is included in the computation
+ of assertion signatures (see Section 4.6.7).
+
+
+
+
+
+
+Blaze, et al. Informational [Page 9]
+
+RFC 2704 The KeyNote Trust-Management System September 1999
+
+
+4.3 Strings
+
+ A `string' is a lexical object containing a sequence of characters.
+ Strings may contain any non-NUL characters, including newlines and
+ nonprintable characters. Strings may be given as literals, computed
+ from complex expressions, or dereferenced from attribute names.
+
+4.3.1 String Literals
+
+ <StringLiteral>:: "\"" {see description below} "\"" ;
+
+ A string literal directly represents the value of a string. String
+ literals must be quoted by preceding and following them with the
+ double-quote character (ASCII 34 decimal).
+
+ A printable character may be `escaped' inside a quoted string literal
+ by preceding it with the backslash character (ASCII 92 decimal)
+ (e.g., "like \"this\"."). This permits the inclusion of the double-
+ quote and backslash characters inside string literals.
+
+ A similar escape mechanism is also used to represent non-printable
+ characters. "\n" represents the newline character (ASCII character
+ 10 decimal), "\r" represents the carriage-return character (ASCII
+ character 13 decimal), "\t" represents the tab character (ASCII
+ character 9 decimal), and "\f" represents the form-feed character
+ (ASCII character 12 decimal). A backslash character followed by a
+ newline suppresses all subsequent whitespace (including the newline)
+ up to the next non-whitespace character (this allows the continuation
+ of long string constants across lines). Un-escaped newline and
+ return characters are illegal inside string literals.
+
+ The constructs "\0o", "\0oo", and "\ooo" (where o represents any
+ octal digit) may be used to represent any non-NUL ASCII characters
+ with their corresponding octal values (thus, "\012" is the same as
+ "\n", "\101" is "A", and "\377" is the ASCII character 255 decimal).
+ However, the NUL character cannot be encoded in this manner; "\0",
+ "\00", and "\000" are converted to the strings "0", "00", and "000"
+ respectively. Similarly, all other escaped characters have the
+ leading backslash removed (e.g., "\a" becomes "a", and "\\" becomes
+ "\"). The following four strings are equivalent:
+
+ "this string contains a newline\n followed by one space."
+ "this string contains a newline\n \
+ followed by one space."
+
+
+
+
+
+
+
+Blaze, et al. Informational [Page 10]
+
+RFC 2704 The KeyNote Trust-Management System September 1999
+
+
+ "this str\
+ ing contains a \
+ newline\n followed by one space."
+
+ "this string contains a newline\012\040followed by one space."
+
+4.3.2 String Expressions
+
+ In general, anywhere a quoted string literal is allowed, a `string
+ expression' can be used. A string expression constructs a string
+ from string constants, dereferenced attributes (described in Section
+ 4.4), and a string concatenation operator. String expressions may be
+ parenthesized.
+
+ <StrEx>:: <StrEx> "." <StrEx> /* String concatenation */
+ | <StringLiteral> /* Quoted string */
+ | "(" <StrEx> ")"
+ | <DerefAttribute> /* See Section 4.4 */
+ | "$" <StrEx> ; /* See Section 4.4 */
+
+ The "$" operator has higher precedence than the "." operator.
+
+4.4 Dereferenced Attributes
+
+ Action attributes provide the primary mechanism for applications to
+ pass information to assertions. Attribute names are strings from a
+ limited character set (<AttributeID> as defined in Section 3), and
+ attribute values are represented internally as strings. An attribute
+ is dereferenced simply by using its name. In general, KeyNote allows
+ the use of an attribute anywhere a string literal is permitted.
+
+ Attributes are dereferenced as strings by default. When required,
+ dereferenced attributes can be converted to integers or floating
+ point numbers with the type conversion operators "@" and "&". Thus,
+ an attribute named "foo" having the value "1.2" may be interpreted as
+ the string "1.2" (foo), the integer value 1 (@foo), or the floating
+ point value 1.2 (&foo).
+
+ Attributes converted to integer and floating point numbers are
+ represented according to the ANSI C `long' and `float' types,
+ respectively. In particular, integers range from -2147483648 to
+ 2147483647, whilst floats range from 1.17549435E-38F to
+ 3.40282347E+38F.
+
+ Any uninitialized attribute has the empty-string value when
+ dereferenced as a string and the value zero when dereferenced as an
+ integer or float.
+
+
+
+
+Blaze, et al. Informational [Page 11]
+
+RFC 2704 The KeyNote Trust-Management System September 1999
+
+
+ Attribute names may be given literally or calculated from string
+ expressions and may be recursively dereferenced. In the simplest
+ case, an attribute is dereferenced simply by using its name outside
+ of quotes; e.g., the string value of the attribute named "foo" is by
+ reference to `foo' (outside of quotes). The "$<StrEx>" construct
+ dereferences the attribute named in the string expression <StrEx>.
+ For example, if the attribute named "foo" contains the string "bar",
+ the attribute named "bar" contains the string "xyz", and the
+ attribute "xyz" contains the string "qua", the following string
+ comparisons are all true:
+
+ foo == "bar"
+ $("foo") == "bar"
+ $foo == "xyz"
+ $(foo) == "xyz"
+ $$foo == "qua"
+
+ If <StrEx> evaluates to an invalid or uninitialized attribute name,
+ its value is considered to be the empty string (or zero if used as a
+ numeric).
+
+ The <DerefAttribute> token is defined as:
+
+ <DerefAttribute>:: <AttributeID> ;
+
+4.5 Principal Identifiers
+
+ Principals are represented as ASCII strings called `Principal
+ Identifiers'. Principal Identifiers may be arbitrary labels whose
+ structure is not interpreted by the KeyNote system or they may encode
+ cryptographic keys that are used by KeyNote for credential signature
+ verification.
+
+ <PrincipalIdentifier>:: <OpaqueID>
+ | <KeyID> ;
+
+ 4.5.1 Opaque Principal Identifiers
+
+ Principal Identifiers that are used by KeyNote only as labels are
+ said to be `opaque'. Opaque identifiers are encoded in assertions as
+ strings (see Section 4.3):
+
+ <OpaqueID>:: <StrEx> ;
+
+ Opaque identifier strings should not contain the ":" character.
+
+
+
+
+
+
+Blaze, et al. Informational [Page 12]
+
+RFC 2704 The KeyNote Trust-Management System September 1999
+
+
+4.5.2 Cryptographic Principal Identifiers
+
+ Principal Identifiers that are used by KeyNote as keys, e.g., to
+ verify credential signatures, are said to be `cryptographic'.
+ Cryptographic identifiers are also lexically encoded as strings:
+
+ <KeyID>:: <StrEx> ;
+
+ Unlike Opaque Identifiers, however, Cryptographic Identifier strings
+ have a special form. To be interpreted by KeyNote (for signature
+ verification), an identifier string should be of the form:
+
+ <IDString>:: <ALGORITHM>":"<ENCODEDBITS> ;
+
+ "ALGORITHM" is an ASCII substring that describes the algorithms to be
+ used in interpreting the key's bits. The ALGORITHM identifies the
+ major cryptographic algorithm (e.g., RSA [RSA78], DSA [DSA94], etc.),
+ structured format (e.g., PKCS1 [PKCS1]), and key bit encoding (e.g.,
+ HEX or BASE64). By convention, the ALGORITHM substring starts with
+ an alphabetic character and can contain letters, digits, underscores,
+ or dashes (i.e., it should match the regular expression "[a-zA-Z][a-
+ zA-Z0-9_-]*"). The IANA (or some other appropriate authority) will
+ provide a registry of reserved algorithm identifiers.
+
+ "ENCODEDBITS" is a substring of characters representing the key's
+ bits, the encoding and format of which depends on the ALGORITHM. By
+ convention, hexadecimal encoded keys use lower-case ASCII characters.
+
+ Cryptographic Principal Identifiers are converted to a normalized
+ canonical form for the purposes of any internal comparisons between
+ them; see Section 5.2.
+
+ Note that the keys used in examples throughout this document are
+ fictitious and generally much shorter than would be required for
+ security in practice.
+
+4.6 KeyNote Fields
+
+4.6.1 The KeyNote-Version Field
+
+ The KeyNote-Version field identifies the version of the KeyNote
+ assertion language under which the assertion was written. The
+ KeyNote-Version field is of the form
+
+ <VersionField>:: "KeyNote-Version:" <VersionString> ;
+ <VersionString>:: <StringLiteral>
+ | <IntegerLiteral> ;
+
+
+
+
+Blaze, et al. Informational [Page 13]
+
+RFC 2704 The KeyNote Trust-Management System September 1999
+
+
+ where <VersionString> is an ASCII-encoded string. Assertions in
+ production versions of KeyNote use decimal digits in the version
+ representing the version number of the KeyNote language under which
+ they are to be interpreted. Assertions written to conform with this
+ document should be identified with the version string "2" (or the
+ integer 2). The KeyNote-Version field, if included, should appear
+ first.
+
+4.6.2 The Local-Constants Field
+
+ This field adds or overrides action attributes in the current
+ assertion only. This mechanism allows the use of short names for
+ (frequently lengthy) cryptographic principal identifiers, especially
+ to make the Licensees field more readable. The Local-Constants field
+ is of the form:
+
+ <LocalConstantsField>:: "Local-Constants:" <Assignments> ;
+ <Assignments>:: /* can be empty */
+ | <AttributeID> "=" <StringLiteral> <Assignments> ;
+
+ <AttributeID> is an attribute name from the action attribute
+ namespace as defined in Section 3. The name is available for use as
+ an attribute in any subsequent field. If the Local-Constants field
+ defines more than one identifier, it can occupy more than one line
+ and be indented. <StringLiteral> is a string literal as described in
+ Section 4.3. Attributes defined in the Local-Constants field
+ override any attributes with the same name passed in with the action
+ attribute set.
+
+ An attribute may be initialized at most once in the Local-Constants
+ field. If an attribute is initialized more than once in an
+ assertion, the entire assertion is considered invalid and is not
+ considered by the KeyNote compliance checker in evaluating queries.
+
+4.6.3 The Authorizer Field
+
+ The Authorizer identifies the Principal issuing the assertion. This
+ field is of the form
+
+ <AuthField>:: "Authorizer:" <AuthID> ;
+ <AuthID>:: <PrincipalIdentifier>
+ | <DerefAttribute> ;
+
+ The Principal Identifier may be given directly or by reference to the
+ attribute namespace (as defined in Section 4.4).
+
+
+
+
+
+
+Blaze, et al. Informational [Page 14]
+
+RFC 2704 The KeyNote Trust-Management System September 1999
+
+
+4.6.4 The Licensees Field
+
+ The Licensees field identifies the principals authorized by the
+ assertion. More than one principal can be authorized, and
+ authorization can be distributed across several principals through
+ the use of `and' and threshold constructs. This field is of the form
+
+ <LicenseesField>:: "Licensees:" <LicenseesExpr> ;
+
+ <LicenseesExpr>:: /* can be empty */
+ | <PrincExpr> ;
+
+ <PrincExpr>:: "(" <PrincExpr> ")"
+ | <PrincExpr> "&&" <PrincExpr>
+ | <PrincExpr> "||" <PrincExpr>
+ | <K>"-of(" <PrincList> ")" /* Threshold */
+ | <PrincipalIdentifier>
+ | <DerefAttribute> ;
+
+ <PrincList>:: <PrincipalIdentifier>
+ | <DerefAttribute>
+ | <PrincList> "," <PrincList> ;
+
+ <K>:: {Decimal number starting with a digit from 1 to 9} ;
+
+ The "&&" operator has higher precedence than the "||" operator. <K>
+ is an ASCII-encoded positive decimal integer. If a <PrincList>
+ contains fewer than <K> principals, the entire assertion is omitted
+ from processing.
+
+4.6.5 The Conditions Field
+
+ This field gives the `conditions' under which the Authorizer trusts
+ the Licensees to perform an action. `Conditions' are predicates that
+ operate on the action attribute set. The Conditions field is of the
+ form:
+
+ <ConditionsField>:: "Conditions:" <ConditionsProgram> ;
+
+ <ConditionsProgram>:: /* Can be empty */
+ | <Clause> ";" <ConditionsProgram> ;
+
+ <Clause>:: <Test> "->" "{" <ConditionsProgram> "}"
+ | <Test> "->" <Value>
+ | <Test> ;
+
+ <Value>:: <StrEx> ;
+
+
+
+
+Blaze, et al. Informational [Page 15]
+
+RFC 2704 The KeyNote Trust-Management System September 1999
+
+
+ <Test>:: <RelExpr> ;
+
+ <RelExpr>:: "(" <RelExpr> ")" /* Parentheses */
+ | <RelExpr> "&&" <RelExpr> /* Logical AND */
+ | <RelExpr> "||" <RelExpr> /* Logical OR */
+ | "!" <RelExpr> /* Logical NOT */
+ | <IntRelExpr>
+ | <FloatRelExpr>
+ | <StringRelExpr>
+ | "true" /* case insensitive */
+ | "false" ; /* case insensitive */
+
+ <IntRelExpr>:: <IntEx> "==" <IntEx>
+ | <IntEx> "!=" <IntEx>
+ | <IntEx> "<" <IntEx>
+ | <IntEx> ">" <IntEx>
+ | <IntEx> "<=" <IntEx>
+ | <IntEx> ">=" <IntEx> ;
+
+ <FloatRelExpr>:: <FloatEx> "<" <FloatEx>
+ | <FloatEx> ">" <FloatEx>
+ | <FloatEx> "<=" <FloatEx>
+ | <FloatEx> ">=" <FloatEx> ;
+
+ <StringRelExpr>:: <StrEx> "==" <StrEx> /* String equality */
+ | <StrEx> "!=" <StrEx> /* String inequality */
+ | <StrEx> "<" <StrEx> /* Alphanum. comparisons */
+ | <StrEx> ">" <StrEx>
+ | <StrEx> "<=" <StrEx>
+ | <StrEx> ">=" <StrEx>
+ | <StrEx> "~=" <RegExpr> ; /* Reg. expr. matching */
+
+ <IntEx>:: <IntEx> "+" <IntEx> /* Integer */
+ | <IntEx> "-" <IntEx>
+ | <IntEx> "*" <IntEx>
+ | <IntEx> "/" <IntEx>
+ | <IntEx> "%" <IntEx>
+ | <IntEx> "^" <IntEx> /* Exponentiation */
+ | "-" <IntEx>
+ | "(" <IntEx> ")"
+ | <IntegerLiteral>
+ | "@" <StrEx> ;
+
+ <FloatEx>:: <FloatEx> "+" <FloatEx> /* Floating point */
+ | <FloatEx> "-" <FloatEx>
+ | <FloatEx> "*" <FloatEx>
+ | <FloatEx> "/" <FloatEx>
+ | <FloatEx> "^" <FloatEx> /* Exponentiation */
+
+
+
+Blaze, et al. Informational [Page 16]
+
+RFC 2704 The KeyNote Trust-Management System September 1999
+
+
+ | "-" <FloatEx>
+ | "(" <FloatEx> ")"
+ | <FloatLiteral>
+ | "&" <StrEx> ;
+
+ <IntegerLiteral>:: {Decimal number of at least one digit} ;
+ <FloatLiteral>:: <IntegerLiteral>"."<IntegerLiteral> ;
+
+ <StringLiteral> is a quoted string as defined in Section 4.3
+ <AttributeID> is defined in Section 3.
+
+ The operation precedence classes are (from highest to lowest):
+ { (, ) }
+ {unary -, @, &, $}
+ {^}
+ {*, /, %}
+ {+, -, .}
+
+ Operators in the same precedence class are evaluated left-to-right.
+
+ Note the inability to test for floating point equality, as most
+ floating point implementations (hardware or otherwise) do not
+ guarantee accurate equality testing.
+
+ Also note that integer and floating point expressions can only be
+ used within clauses of condition fields, but in no other KeyNote
+ field.
+
+ The keywords "true" and "false" are not reserved; they can be used as
+ attribute or principal identifier names (although this practice makes
+ assertions difficult to understand and is discouraged).
+
+ <RegExpr> is a standard regular expression, conforming to the POSIX
+ 1003.2 regular expression syntax and semantics.
+
+ Any string expression (or attribute) containing the ASCII
+ representation of a numeric value can be converted to an integer or
+ float with the use of the "@" and "&" operators, respectively. Any
+ fractional component of an attribute value dereferenced as an integer
+ is rounded down. If an attribute dereferenced as a number cannot be
+ properly converted (e.g., it contains invalid characters or is empty)
+ its value is considered to be zero.
+
+
+
+
+
+
+
+
+
+Blaze, et al. Informational [Page 17]
+
+RFC 2704 The KeyNote Trust-Management System September 1999
+
+
+4.6.6 The Comment Field
+
+ The Comment field allows assertions to be annotated with information
+ describing their purpose. It is of the form
+
+ <CommentField>:: "Comment:" <text> ;
+
+ No interpretation of the contents of this field is performed by
+ KeyNote. Note that this is one of two mechanisms for including
+ comments in KeyNote assertions; comments can also be inserted
+ anywhere in an assertion's body by preceding them with the "#"
+ character (except inside string literals).
+
+4.6.7 The Signature Field
+
+ The Signature field identifies a signed assertion and gives the
+ encoded digital signature of the principal identified in the
+ Authorizer field. The Signature field is of the form:
+
+ <SignatureField>:: "Signature:" <Signature> ;
+
+ <Signature>:: <StrEx> ;
+
+ The <Signature> string should be of the form:
+
+ <IDString>:: <ALGORITHM>":"<ENCODEDBITS> ;
+
+ The formats of the "ALGORITHM" and "ENCODEDBITS" substrings are as
+ described for Cryptographic Principal Identifiers in Section 4.4.2
+ The algorithm name should be the same as that of the principal
+ appearing in the Authorizer field. The IANA (or some other suitable
+ authority) will provide a registry of reserved names. It is not
+ necessary that the encodings of the signature and the authorizer key
+ be the same.
+
+ If the signature field is included, the principal named in the
+ Authorizer field must be a Cryptographic Principal Identifier, the
+ algorithm must be known to the KeyNote implementation, and the
+ signature must be correct for the assertion body and authorizer key.
+
+ The signature is computed over the assertion text, beginning with the
+ first field (including the field identifier string), up to (but not
+ including) the Signature field identifier. The newline preceding the
+ signature field identifier is the last character included in
+ signature calculation. The signature is always the last field in a
+ KeyNote assertion. Text following this field is not considered part
+ of the assertion.
+
+
+
+
+Blaze, et al. Informational [Page 18]
+
+RFC 2704 The KeyNote Trust-Management System September 1999
+
+
+ The algorithms for computing and verifying signatures must be
+ configured into each KeyNote implementation and are defined and
+ documented separately.
+
+ Note that all signatures used in examples in this document are
+ fictitious and generally much shorter than would be required for
+ security in practice.
+
+5. Query Evaluation Semantics
+
+ The KeyNote compliance checker finds and returns the Policy
+ Compliance Value of queries, as defined in Section 5.3, below.
+
+5.1 Query Parameters
+
+ A KeyNote query has four parameters:
+
+ * The identifier of the principal(s) requesting the action.
+
+ * The action attribute set describing the action.
+
+ * The set of compliance values of interest to the application,
+ ordered from _MIN_TRUST to _MAX_TRUST
+
+ * The policy and credential assertions that should be included in
+ the evaluation.
+
+ The mechanism for passing these parameters to the KeyNote evaluator
+ is application dependent. In particular, an evaluator might provide
+ for some parameters to be passed explicitly, while others are looked
+ up externally (e.g., credentials might be looked up in a network-
+ based distribution system), while still others might be requested
+ from the application as needed by the evaluator, through a `callback'
+ mechanism (e.g., for attribute values that represent values from
+ among a very large namespace).
+
+5.1.1 Action Requester
+
+ At least one Principal must be identified in each query as the
+ `requester' of the action. Actions may be requested by several
+ principals, each considered to have individually requested it. This
+ allows policies that require multiple authorizations, e.g., `two
+ person control'. The set of authorizing principals is made available
+ in the special attribute "_ACTION_AUTHORIZERS"; if several principals
+ are authorizers, their identifiers are separated with commas.
+
+
+
+
+
+
+Blaze, et al. Informational [Page 19]
+
+RFC 2704 The KeyNote Trust-Management System September 1999
+
+
+5.1.2 Ordered Compliance Value Set
+
+ The set of compliance values of interest to an application (and their
+ relative ranking to one another) is determined by the invoking
+ application and passed to the KeyNote evaluator as a parameter of the
+ query. In many applications, this will be Boolean, e.g., the ordered
+ sets {FALSE, TRUE} or {REJECT, APPROVE}. Other applications may
+ require a range of possible values, e.g., {No_Access, Limited_Access,
+ Full_Access}. Note that applications should include in this set only
+ compliance value names that are actually returned by the assertions.
+
+ The lowest-order and highest-order compliance value strings given in
+ the query are available in the special attributes named "_MIN_TRUST"
+ and "_MAX_TRUST", respectively. The complete set of query compliance
+ values is made available in ascending order (from _MIN_TRUST to
+ _MAX_TRUST) in the special attribute named "_VALUES". Values are
+ separated with commas; applications that use assertions that make use
+ of the _VALUES attribute should therefore avoid the use of compliance
+ value strings that themselves contain commas.
+
+5.2 Principal Identifier Normalization
+
+ Principal identifier comparisons among Cryptographic Principal
+ Identifiers (that represent keys) in the Authorizer and Licensees
+ fields or in an action's direct authorizers are performed after
+ normalizing them by conversion to a canonical form.
+
+ Every cryptographic algorithm used in KeyNote defines a method for
+ converting keys to their canonical form and that specifies how the
+ comparison for equality of two keys is performed. If the algorithm
+ named in the identifier is unknown to KeyNote, the identifier is
+ treated as opaque.
+
+ Opaque identifiers are compared as case-sensitive strings.
+
+ Notice that use of opaque identifiers in the Authorizer field
+ requires that the assertion's integrity be locally trusted (since it
+ cannot be cryptographically verified by the compliance checker).
+
+5.3 Policy Compliance Value Calculation
+
+ The Policy Compliance Value of a query is the Principal Compliance
+ Value of the principal named "POLICY". This value is defined as
+ follows:
+
+
+
+
+
+
+
+Blaze, et al. Informational [Page 20]
+
+RFC 2704 The KeyNote Trust-Management System September 1999
+
+
+5.3.1 Principal Compliance Value
+
+ The Compliance Value of a principal <X> is the highest order
+ (maximum) of:
+
+ - the Direct Authorization Value of principal <X>; and
+
+ - the Assertion Compliance Values of all assertions identifying
+ <X> in the Authorizer field.
+
+5.3.2 Direct Authorization Value
+
+ The Direct Authorization Value of a principal <X> is _MAX_TRUST if
+ <X> is listed in the query as an authorizer of the action.
+ Otherwise, the Direct Authorization Value of <X> is _MIN_TRUST.
+
+5.3.3 Assertion Compliance Value
+
+ The Assertion Compliance Value of an assertion is the lowest order
+ (minimum) of the assertion's Conditions Compliance Value and its
+ Licensee Compliance Value.
+
+5.3.4 Conditions Compliance Value
+
+ The Conditions Compliance Value of an assertion is the highest-order
+ (maximum) value among all successful clauses listed in the conditions
+ section.
+
+ If no clause's test succeeds or the Conditions field is empty, an
+ assertion's Conditions Compliance Value is considered to be the
+ _MIN_TRUST value, as defined Section 5.1.
+
+ If an assertion's Conditions field is missing entirely, its
+ Conditions Compliance Value is considered to be the _MAX_TRUST value,
+ as defined in Section 5.1.
+
+ The set of successful test clause values is calculated as follows:
+
+ Recall from the grammar of section 4.6.5 that each clause in the
+ conditions section has two logical parts: a `test' and an optional
+ `value', which, if present, is separated from the test with the "->"
+ token. The test subclause is a predicate that either succeeds
+ (evaluates to logical `true') or fails (evaluates to logical
+ `false'). The value subclause is a string expression that evaluates
+ to one value from the ordered set of compliance values given with the
+ query. If the value subclause is missing, it is considered to be
+ _MAX_TRUST. That is, the clause
+
+
+
+
+Blaze, et al. Informational [Page 21]
+
+RFC 2704 The KeyNote Trust-Management System September 1999
+
+
+ foo=="bar";
+
+ is equivalent to
+
+ foo=="bar" -> _MAX_TRUST;
+
+ If the value component of a clause is present, in the simplest case
+ it contains a string expression representing a possible compliance
+ value. For example, consider an assertion with the following
+ Conditions field:
+
+ Conditions:
+ @user_id == 0 -> "full_access"; # clause (1)
+ @user_id < 1000 -> "user_access"; # clause (2)
+ @user_id < 10000 -> "guest_access"; # clause (3)
+ user_name == "root" -> "full_access"; # clause (4)
+
+ Here, if the value of the "user_id" attribute is "1073" and the
+ "user_name" attribute is "root", the possible compliance value set
+ would contain the values "guest_access" (by clause (3)) and
+ "full_access" (by clause (4)). If the ordered set of compliance
+ values given in the query (in ascending order) is {"no_access",
+ "guest_access", "user_access", "full_access"}, the Conditions
+ Compliance Value of the assertion would be "full_access" (because
+ "full_access" has a higher-order value than "guest_access"). If the
+ "user_id" attribute had the value "19283" and the "user_name"
+ attribute had the value "nobody", no clause would succeed and the
+ Conditions Compliance Value would be "no_access", which is the
+ lowest-order possible value (_MIN_TRUST).
+
+ If a clause lists an explicit value, its value string must be named
+ in the query ordered compliance value set. Values not named in the
+ query compliance value set are considered equivalent to _MIN_TRUST.
+
+ The value component of a clause can also contain recursively-nested
+ clauses. Recursively-nested clauses are evaluated only if their
+ parent test is true. That is,
+
+ a=="b" -> { b=="c" -> "value1";
+ d=="e" -> "value2";
+ true -> "value3"; } ;
+
+ is equivalent to
+
+ (a=="b") && (b=="c") -> "value1";
+ (a=="b") && (d=="e") -> "value2";
+ (a=="b") -> "value3";
+
+
+
+
+Blaze, et al. Informational [Page 22]
+
+RFC 2704 The KeyNote Trust-Management System September 1999
+
+
+ String comparisons are case-sensitive.
+
+ A regular expression comparison ("~=") is considered true if the
+ left-hand-side string expression matches the right-hand-side regular
+ expression. If the POSIX regular expression group matching scheme is
+ used, the number of groups matched is placed in the temporary meta-
+ attribute "_0" (dereferenced as _0), and each match is placed in
+ sequence in the temporary attributes (_1, _2, ..., _N). These
+ match-attributes' values are valid only within subsequent references
+ made within the same clause. Regular expression evaluation is case-
+ sensitive.
+
+ A runtime error occurring in the evaluation of a test, such as
+ division by zero or an invalid regular expression, causes the test to
+ be considered false. For example:
+
+ foo == "bar" -> {
+ @a == 1/0 -> "oneval"; # subclause 1
+ @a == 2 -> "anotherval"; # subclause 2
+ };
+
+ Here, subclause 1 triggers a runtime error. Subclause 1 is therefore
+ false (and has the value _MIN_TRUST). Subclause 2, however, would be
+ evaluated normally.
+
+ An invalid <RegExpr> is considered a runtime error and causes the
+ test in which it occurs to be considered false.
+
+5.3.5 Licensee Compliance Value
+
+ The Licensee Compliance Value of an assertion is calculated by
+ evaluating the expression in the Licensees field, based on the
+ Principal Compliance Value of the principals named there.
+
+ If an assertion's Licensees field is empty, its Licensee Compliance
+ Value is considered to be _MIN_TRUST. If an assertion's Licensees
+ field is missing altogether, its Licensee Compliance Value is
+ considered to be _MAX_TRUST.
+
+ For each principal named in the Licensees field, its Principal
+ Compliance Value is substituted for its name. If no Principal
+ Compliance Value can be found for some named principal, its name is
+ substituted with the _MIN_TRUST value.
+
+ The licensees expression (as defined in Section 4.6.4) is evaluated
+ as follows:
+
+
+
+
+
+Blaze, et al. Informational [Page 23]
+
+RFC 2704 The KeyNote Trust-Management System September 1999
+
+
+ * A "(...)" expression has the value of the enclosed subexpression.
+
+ * A "&&" expression has the lower-order (minimum) of its two
+ subexpression values.
+
+ * A "||" expression has the higher-order (maximum) of its two
+ subexpression values.
+
+ * A "<K>-of(<List>)" expression has the K-th highest order
+ compliance value listed in <list>. Values that appear multiple
+ times are counted with multiplicity. For example, if K = 3 and
+ the orders of the listed compliance values are (0, 1, 2, 2, 3),
+ the value of the expression is the compliance value of order 2.
+
+ For example, consider the following Licensees field:
+
+ Licensees: ("alice" && "bob") || "eve"
+
+ If the Principal Compliance Value is "yes" for principal "alice",
+ "no" for principal "bob", and "no" for principal "eve", and "yes" is
+ higher order than "no" in the query's Compliance Value Set, then the
+ resulting Licensee Compliance Value is "no".
+
+ Observe that if there are exactly two possible compliance values
+ (e.g., "false" and "true"), the rules of Licensee Compliance Value
+ resolution reduce exactly to standard Boolean logic.
+
+5.4 Assertion Management
+
+ Assertions may be either signed or unsigned. Only signed assertions
+ should be used as credentials or transmitted or stored on untrusted
+ media. Unsigned assertions should be used only to specify policy and
+ for assertions whose integrity has already been verified as
+ conforming to local policy by some mechanism external to the KeyNote
+ system itself (e.g., X.509 certificates converted to KeyNote
+ assertions by a trusted conversion program).
+
+ Implementations that permit signed credentials to be verified by the
+ KeyNote compliance checker generally provide two `channels' through
+ which applications can make assertions available. Unsigned,
+ locally-trusted assertions are provided over a `trusted' interface,
+ while signed credentials are provided over an `untrusted' interface.
+ The KeyNote compliance checker verifies correct signatures for all
+ assertions submitted over the untrusted interface. The integrity of
+ KeyNote evaluation requires that only assertions trusted as
+ reflecting local policy are submitted to KeyNote via the trusted
+ interface.
+
+
+
+
+Blaze, et al. Informational [Page 24]
+
+RFC 2704 The KeyNote Trust-Management System September 1999
+
+
+ Note that applications that use KeyNote exclusively as a local policy
+ specification mechanism need use only trusted assertions. Other
+ applications might need only a small number of infrequently changed
+ trusted assertions to `bootstrap' a policy whose details are
+ specified in signed credentials issued by others and submitted over
+ the untrusted interface.
+
+5.5 Implementation Issues
+
+ Informally, the semantics of KeyNote evaluation can be thought of as
+ involving the construction a directed graph of KeyNote assertions
+ rooted at a POLICY assertion that connects with at least one of the
+ principals that requested the action.
+
+ Delegation of some authorization from principal <A> to a set of
+ principals <B> is expressed as an assertion with principal <A> given
+ in the Authorizer field, principal set <B> given in the Licensees
+ field, and the authorization to be delegated encoded in the
+ Conditions field. How the expression digraph is constructed is
+ implementation-dependent and implementations may use different
+ algorithms for optimizing the graph's construction. Some
+ implementations might use a `bottom up' traversal starting at the
+ principals that requested the action, others might follow a `top
+ down' approach starting at the POLICY assertions, and still others
+ might employ other heuristics entirely.
+
+ Implementations are encouraged to employ mechanisms for recording
+ exceptions (such as division by zero or syntax error), and reporting
+ them to the invoking application if requested. Such mechanisms are
+ outside the scope of this document.
+
+6. Examples
+
+ In this section, we give examples of KeyNote assertions that might be
+ used in hypothetical applications. These examples are intended
+ primarily to illustrate features of KeyNote assertion syntax and
+ semantics, and do not necessarily represent the best way to integrate
+ KeyNote into applications.
+
+ In the interest of readability, we use much shorter keys than would
+ ordinarily be used in practice. Note that the Signature fields in
+ these examples do not represent the result of any real signature
+ calculation.
+
+
+
+
+
+
+
+
+Blaze, et al. Informational [Page 25]
+
+RFC 2704 The KeyNote Trust-Management System September 1999
+
+
+ 1. TRADITIONAL CA / EMAIL
+
+ A. A policy unconditionally authorizing RSA key abc123 for all
+ actions. This essentially defers the ability to specify
+ policy to the holder of the secret key corresponding to
+ abc123:
+
+ Authorizer: "POLICY"
+ Licensees: "RSA:abc123"
+
+ B. A credential assertion in which RSA Key abc123 trusts either
+ RSA key 4401ff92 (called `Alice') or DSA key d1234f (called
+ `Bob') to perform actions in which the "app_domain" is
+ "RFC822-EMAIL", where the "address" matches the regular
+ expression "^.*@keynote\.research\.att\.com$". In other
+ words, abc123 trusts Alice and Bob as certification
+ authorities for the keynote.research.att.com domain.
+
+ KeyNote-Version: 2
+ Local-Constants: Alice="DSA:4401ff92" # Alice's key
+ Bob="RSA:d1234f" # Bob's key
+ Authorizer: "RSA:abc123"
+ Licensees: Alice || Bob
+ Conditions: (app_domain == "RFC822-EMAIL") &&
+ (address ~= # only applies to one domain
+ "^.*@keynote\\.research\\.att\\.com$");
+ Signature: "RSA-SHA1:213354f9"
+
+ C. A certificate credential for a specific user whose email
+ address is mab@keynote.research.att.com and whose name, if
+ present, must be "M. Blaze". The credential was issued by the
+ `Alice' authority (whose key is certified in Example B
+ above):
+
+ KeyNote-Version: 2
+ Authorizer: "DSA:4401ff92" # the Alice CA
+ Licensees: "DSA:12340987" # mab's key
+ Conditions: ((app_domain == "RFC822-EMAIL") &&
+ (name == "M. Blaze" || name == "") &&
+ (address == "mab@keynote.research.att.com"));
+ Signature: "DSA-SHA1:ab23487"
+
+
+
+
+
+
+
+
+
+
+Blaze, et al. Informational [Page 26]
+
+RFC 2704 The KeyNote Trust-Management System September 1999
+
+
+ D. Another certificate credential for a specific user, also
+ issued by the `Alice' authority. This example allows three
+ different keys to sign as jf@keynote.research.att.com (each
+ for a different cryptographic algorithm). This is, in
+ effect, three credentials in one:
+
+ KeyNote-Version: "2"
+ Authorizer: "DSA:4401ff92" # the Alice CA
+ Licensees: "DSA:abc991" || # jf's DSA key
+ "RSA:cde773" || # jf's RSA key
+ "BFIK:fd091a" # jf's BFIK key
+ Conditions: ((app_domain == "RFC822-EMAIL") &&
+ (name == "J. Feigenbaum" || name == "") &&
+ (address == "jf@keynote.research.att.com"));
+ Signature: "DSA-SHA1:8912aa"
+
+ Observe that under policy A and credentials B, C and D, the
+ following action attribute sets are accepted (they return
+ _MAX_TRUST):
+
+ _ACTION_AUTHORIZERS = "dsa:12340987"
+ app_domain = "RFC822-EMAIL"
+ address = "mab@keynote.research.att.com"
+ and
+ _ACTION_AUTHORIZERS = "dsa:12340987"
+ app_domain = "RFC822-EMAIL"
+ address = "mab@keynote.research.att.com"
+ name = "M. Blaze"
+
+ while the following are not accepted (they return
+ _MIN_TRUST):
+
+ _ACTION_AUTHORIZERS = "dsa:12340987"
+ app_domain = "RFC822-EMAIL"
+ address = "angelos@dsl.cis.upenn.edu"
+ and
+ _ACTION_AUTHORIZERS = "dsa:abc991"
+ app_domain = "RFC822-EMAIL"
+ address = "mab@keynote.research.att.com"
+ name = "M. Blaze"
+ and
+ _ACTION_AUTHORIZERS = "dsa:12340987"
+ app_domain = "RFC822-EMAIL"
+ address = "mab@keynote.research.att.com"
+ name = "J. Feigenbaum"
+
+
+
+
+
+
+Blaze, et al. Informational [Page 27]
+
+RFC 2704 The KeyNote Trust-Management System September 1999
+
+
+ 2. WORKFLOW/ELECTRONIC COMMERCE
+
+ E. A policy that delegates authority for the "SPEND" application
+ domain to RSA key dab212 when the amount given in the
+ "dollars" attribute is less than 10000.
+
+ Authorizer: "POLICY"
+ Licensees: "RSA:dab212" # the CFO's key
+ Conditions: (app_domain=="SPEND") && (@dollars < 10000);
+
+ F. RSA key dab212 delegates authorization to any two signers,
+ from a list, one of which must be DSA key feed1234 in the
+ "SPEND" application when @dollars < 7500. If the amount in
+ @dollars is 2500 or greater, the request is approved but
+ logged.
+
+ KeyNote-Version: 2
+ Comment: This credential specifies a spending policy
+ Authorizer: "RSA:dab212" # the CFO
+ Licensees: "DSA:feed1234" && # The vice president
+ ("RSA:abc123" || # middle manager #1
+ "DSA:bcd987" || # middle manager #2
+ "DSA:cde333" || # middle manager #3
+ "DSA:def975" || # middle manager #4
+ "DSA:978add") # middle manager #5
+ Conditions: (app_domain=="SPEND") # note nested clauses
+ -> { (@(dollars) < 2500)
+ -> _MAX_TRUST;
+ (@(dollars) < 7500)
+ -> "ApproveAndLog";
+ };
+ Signature: "RSA-SHA1:9867a1"
+
+ G. According to this policy, any two signers from the list of
+ managers will do if @(dollars) < 1000:
+
+ KeyNote-Version: 2
+ Authorizer: "POLICY"
+ Licensees: 2-of("DSA:feed1234", # The VP
+ "RSA:abc123", # Middle management clones
+ "DSA:bcd987",
+ "DSA:cde333",
+ "DSA:def975",
+ "DSA:978add")
+ Conditions: (app_domain=="SPEND") &&
+ (@(dollars) < 1000);
+
+
+
+
+
+Blaze, et al. Informational [Page 28]
+
+RFC 2704 The KeyNote Trust-Management System September 1999
+
+
+ H. A credential from dab212 with a similar policy, but only one
+ signer is required if @(dollars) < 500. A log entry is made if
+ the amount is at least 100.
+
+ KeyNote-Version: 2
+ Comment: This one credential is equivalent to six separate
+ credentials, one for each VP and middle manager.
+ Individually, they can spend up to $500, but if
+ it's $100 or more, we log it.
+ Authorizer: "RSA:dab212" # From the CFO
+ Licensees: "DSA:feed1234" || # The VP
+ "RSA:abc123" || # The middle management clones
+ "DSA:bcd987" ||
+ "DSA:cde333" ||
+ "DSA:def975" ||
+ "DSA:978add"
+ Conditions: (app_domain="SPEND") # nested clauses
+ -> { (@(dollars) < 100) -> _MAX_TRUST;
+ (@(dollars) < 500) -> "ApproveAndLog";
+ };
+ Signature: "RSA-SHA1:186123"
+
+ Assume a query in which the ordered set of Compliance Values is
+ {"Reject", "ApproveAndLog", "Approve"}. Under policies E and G,
+ and credentials F and H, the Policy Compliance Value is
+ "Approve" (_MAX_TRUST) when:
+
+ _ACTION_AUTHORIZERS = "DSA:978add"
+ app_domain = "SPEND"
+ dollars = "45"
+ unmentioned_attribute = "whatever"
+ and
+ _ACTION_AUTHORIZERS = "RSA:abc123,DSA:cde333"
+ app_domain = "SPEND"
+ dollars = "550"
+
+ The following return "ApproveAndLog":
+
+ _ACTION_AUTHORIZERS = "DSA:feed1234,DSA:cde333"
+ app_domain = "SPEND"
+ dollars = "5500"
+ and
+ _ACTION_AUTHORIZERS = "DSA:cde333"
+ app_domain = "SPEND"
+ dollars = "150"
+
+
+
+
+
+
+Blaze, et al. Informational [Page 29]
+
+RFC 2704 The KeyNote Trust-Management System September 1999
+
+
+ However, the following return "Reject" (_MIN_TRUST):
+
+ _ACTION_AUTHORIZERS = "DSA:def975"
+ app_domain = "SPEND"
+ dollars = "550"
+ and
+ _ACTION_AUTHORIZERS = "DSA:cde333,DSA:978add"
+ app_domain = "SPEND"
+ dollars = "5500"
+
+7. Trust-Management Architecture
+
+ KeyNote provides a simple mechanism for describing security policy
+ and representing credentials. It differs from traditional
+ certification systems in that the security model is based on binding
+ keys to predicates that describe what the key is authorized by policy
+ to do, rather than on resolving names. The infrastructure and
+ architecture to support a KeyNote system is therefore rather
+ different from that required for a name-based certification scheme.
+ The KeyNote trust-management architecture is based on that of
+ PolicyMaker [BFL96,BFS98].
+
+ It is important to understand the separation between the
+ responsibilities of the KeyNote system and those of the application
+ and other support infrastructure. A KeyNote compliance checker will
+ determine, based on policy and credential assertions, whether a
+ proposed action is permitted according to policy. The usefulness of
+ KeyNote output as a policy enforcement mechanism depends on a number
+ of factors:
+
+ * The action attributes and the assignment of their values must
+ reflect accurately the security requirements of the application.
+ Identifying the attributes to include in the action attribute set
+ is perhaps the most important task in integrating KeyNote into new
+ applications.
+
+ * The policy of the application must be correct and well-formed. In
+ particular, trust must be deferred only to principals that should,
+ in fact, be trusted by the application.
+
+ * The application itself must be trustworthy. KeyNote does not
+ directly enforce policy; it only provides advice to the
+ applications that call it. In other words, KeyNote assumes that
+ the application itself is trusted and that the policy assertions
+ it specifies are correct. Nothing prevents an application from
+ submitting misleading or incorrect assertions to KeyNote or from
+ ignoring KeyNote altogether.
+
+
+
+
+Blaze, et al. Informational [Page 30]
+
+RFC 2704 The KeyNote Trust-Management System September 1999
+
+
+ It is also up to the application (or some service outside KeyNote) to
+ select the appropriate credentials and policy assertions with which
+ to run a particular query. Note, however, that even if inappropriate
+ credentials are provided to KeyNote, this cannot result in the
+ approval of an illegal action (as long as the policy assertions are
+ correct and the the action attribute set itself is correctly passed
+ to KeyNote).
+
+ KeyNote is monotonic; adding an assertion to a query can never result
+ in a query's having a lower compliance value that it would have had
+ without the assertion. Omitting credentials may, of course, result
+ in legal actions being disallowed. Selecting appropriate credentials
+ (e.g., from a distributed database or `key server') is outside the
+ scope of the KeyNote language and may properly be handled by a remote
+ client making a request, by the local application receiving the
+ request, or by a network-based service, depending on the application.
+
+ In addition, KeyNote does not itself provide credential revocation
+ services, although credentials can be written to expire after some
+ date by including a date test in the predicate. Applications that
+ require credential revocation can use KeyNote to help specify and
+ implement revocation policies. A future document will address
+ expiration and revocation services in KeyNote.
+
+ Because KeyNote is designed to support a variety of applications,
+ several different application interfaces to a KeyNote implementation
+ are possible. In its simplest form, a KeyNote compliance checker
+ would exist as a stand-alone application, with other applications
+ calling it as needed. KeyNote might also be implemented as a library
+ to which applications are linked. Finally, a KeyNote implementation
+ might run as a local trusted service, with local applications
+ communicating their queries via some interprocess communication
+ mechanism.
+
+8. Security Considerations
+
+ Trust management is itself a security service. Bugs in or incorrect
+ use of a KeyNote compliance checker implementation could have
+ security implications for any applications in which it is used.
+
+9. IANA Considerations
+
+ This document contains three identifiers to be maintained by the
+ IANA. This section explains the criteria to be used by the IANA to
+ assign additional identifiers in each of these lists.
+
+
+
+
+
+
+Blaze, et al. Informational [Page 31]
+
+RFC 2704 The KeyNote Trust-Management System September 1999
+
+
+9.1 app_domain Identifiers
+
+ The only thing required of IANA on allocation of these identifiers is
+ that they be unique strings. These strings are case-sensitive for
+ KeyNote purposes, however it is strongly recommended that IANA assign
+ different capitalizations of the same string only to the same
+ organization.
+
+9.2 Public Key Format Identifiers
+
+ These strings uniquely identify a public key algorithm as used in the
+ KeyNote system for representing keys. Requests for assignment of new
+ identifiers must be accompanied by an RFC-style document that
+ describes the details of this encoding. Example strings are "rsa-
+ hex:" and "dsa-base64:". These strings are case-insensitive.
+
+9.3 Signature Algorithm Identifiers
+
+ These strings uniquely identify a public key algorithm as used in the
+ KeyNote system for representing public key signatures. Requests for
+ assignment of new identifiers must be accompanied by an RFC-style
+ document that describes the details of this encoding. Example strings
+ are "sig-rsa-md5-hex:" and "sig-dsa-sha1-base64:". Note that all
+ such strings must begin with the prefix "sig-". These strings are
+ case-insensitive.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Blaze, et al. Informational [Page 32]
+
+RFC 2704 The KeyNote Trust-Management System September 1999
+
+
+A. Acknowledgments
+
+ We thank Lorrie Faith Cranor (AT&T Labs - Research) and Jonathan M.
+ Smith (University of Pennsylvania) for their suggestions and comments
+ on earlier versions of this document.
+
+B. Full BNF (alphabetical order)
+
+ <ALGORITHM>:: {see section 4.4.2} ;
+
+ <Assertion>:: <VersionField>? <AuthField> <LicenseesField>?
+ <LocalConstantsField>? <ConditionsField>?
+ <CommentField>? <SignatureField>? ;
+
+ <Assignments>:: "" | <AttributeID> "=" <StringLiteral> <Assignments>
+ ;
+
+ <AttributeID>:: {Any string starting with a-z, A-Z, or the
+ underscore character, followed by any number of
+ a-z, A-Z, 0-9, or underscore characters} ;
+
+ <AuthField>:: "Authorizer:" <AuthID> ;
+
+ <AuthID>:: <PrincipalIdentifier> | <DerefAttribute> ;
+
+ <Clause>:: <Test> "->" "{" <ConditionsProgram> "}"
+ | <Test> "->" <Value> | <Test> ;
+
+ <Comment>:: "#" {ASCII characters} ;
+
+ <CommentField>:: "Comment:" {Free-form text} ;
+
+ <ConditionsField>:: "Conditions:" <ConditionsProgram> ;
+
+ <ConditionsProgram>:: "" | <Clause> ";" <ConditionsProgram> ;
+
+ <DerefAttribute>:: <AttributeID> ;
+
+ <ENCODEDBITS>:: {see section 4.4.2} ;
+
+ <FloatEx>:: <FloatEx> "+" <FloatEx> | <FloatEx> "-" <FloatEx>
+ | <FloatEx> "*" <FloatEx> | <FloatEx> "/" <FloatEx>
+ | <FloatEx> "^" <FloatEx> | "-" <FloatEx>
+ | "(" <FloatEx> ")" | <FloatLiteral> | "&" <StrEx> ;
+
+ <FloatRelExpr>:: <FloatEx> "<" <FloatEx> | <FloatEx> ">" <FloatEx>
+ | <FloatEx> "<=" <FloatEx>
+ | <FloatEx> ">=" <FloatEx> ;
+
+
+
+Blaze, et al. Informational [Page 33]
+
+RFC 2704 The KeyNote Trust-Management System September 1999
+
+
+ <FloatLiteral>:: <IntegerLiteral>"."<IntegerLiteral> ;
+
+ <IDString>:: <ALGORITHM>":"<ENCODEDBITS> ;
+
+ <IntegerLiteral>:: {Decimal number of at least one digit} ;
+
+ <IntEx>:: <IntEx> "+" <IntEx> | <IntEx> "-" <IntEx>
+ | <IntEx> "*" <IntEx> | <IntEx> "/" <IntEx>
+ | <IntEx> "%" <IntEx> | <IntEx> "^" <IntEx>
+ | "-" <IntEx> | "(" <IntEx> ")" | <IntegerLiteral>
+ | "@" <StrEx> ;
+
+ <IntRelExpr>:: <IntEx> "==" <IntEx> | <IntEx> "!=" <IntEx>
+ | <IntEx> "<" <IntEx> | <IntEx> ">" <IntEx>
+ | <IntEx> "<=" <IntEx> | <IntEx> ">=" <IntEx> ;
+
+ <K>:: {Decimal number starting with a digit from 1 to 9} ;
+
+ <KeyID>:: <StrEx> ;
+
+ <LicenseesExpr>:: "" | <PrincExpr> ;
+
+ <LicenseesField>:: "Licensees:" <LicenseesExpr> ;
+
+ <LocalConstantsField>:: "Local-Constants:" <Assignments> ;
+
+ <OpaqueID>:: <StrEx> ;
+
+ <PrincExpr>:: "(" <PrincExpr> ")" | <PrincExpr> "&&" <PrincExpr>
+ | <PrincExpr> "||" <PrincExpr>
+ | <K>"-of(" <PrincList> ")" | <PrincipalIdentifier>
+ | <DerefAttribute> ;
+
+ <PrincipalIdentifier>:: <OpaqueID> | <KeyID> ;
+
+ <PrincList>:: <PrincipalIdentifier> | <DerefAttribute>
+ | <PrincList> "," <PrincList> ;
+
+ <RegExpr>:: {POSIX 1003.2 Regular Expression}
+
+ <RelExpr>:: "(" <RelExpr> ")" | <RelExpr> "&&" <RelExpr>
+ | <RelExpr> "||" <RelExpr> | "!" <RelExpr>
+ | <IntRelExpr> | <FloatRelExpr> | <StringRelExpr>
+ | "true" | "false" ;
+
+ <Signature>:: <StrEx> ;
+
+ <SignatureField>:: "Signature:" <Signature> ;
+
+
+
+Blaze, et al. Informational [Page 34]
+
+RFC 2704 The KeyNote Trust-Management System September 1999
+
+
+ <StrEx>:: <StrEx> "." <StrEx> | <StringLiteral> | "(" <StrEx> ")"
+ | <DerefAttribute> | "$" <StrEx> ;
+
+ <StringLiteral>:: {see section 4.3.1} ;
+
+ <StringRelExpr>:: <StrEx> "==" <StrEx> | <StrEx> "!=" <StrEx>
+ | <StrEx> "<" <StrEx> | <StrEx> ">" <StrEx>
+ | <StrEx> "<=" <StrEx> | <StrEx> ">=" <StrEx>
+ | <StrEx> "~=" <RegExpr> ;
+
+ <Test>:: <RelExpr> ;
+
+ <Value>:: <StrEx> ;
+
+ <VersionField>:: "KeyNote-Version:" <VersionString> ;
+
+ <VersionString>:: <StringLiteral> | <IntegerLiteral> ;
+
+References
+
+ [BFL96] M. Blaze, J. Feigenbaum, J. Lacy. Decentralized Trust
+ Management. Proceedings of the 17th IEEE Symp. on Security
+ and Privacy. pp 164-173. IEEE Computer Society, 1996.
+ Available at
+ <ftp://ftp.research.att.com/dist/mab/policymaker.ps>
+
+ [BFS98] M. Blaze, J. Feigenbaum, M. Strauss. Compliance-Checking in
+ the PolicyMaker Trust-Management System. Proc. 2nd Financial
+ Crypto Conference. Anguilla 1998. LNCS #1465, pp 251-265,
+ Springer-Verlag, 1998. Available at
+ <ftp://ftp.research.att.com/dist/mab/pmcomply.ps>
+
+ [Bla99] M. Blaze, J. Feigenbaum, J. Ioannidis, A. Keromytis. The
+ Role of Trust Management in Distributed System Security.
+ Chapter in Secure Internet Programming: Security Issues for
+ Mobile and Distributed Objects (Vitek and Jensen, eds.).
+ Springer-Verlag, 1999. Available at
+ <ftp://ftp.research.att.com/dist/mab/trustmgt.ps>.
+
+ [Cro82] Crocker, D., "Standard for the Format of ARPA Internet Text
+ Messages", STD 11, RFC 822, August 1982.
+
+ [DSA94] Digital Signature Standard. FIPS-186. National Institute of
+ Standards, U.S. Department of Commerce. May 1994.
+
+ [PKCS1] PKCS #1: RSA Encryption Standard, Version 1.5. RSA
+ Laboratories. November 1993.
+
+
+
+
+Blaze, et al. Informational [Page 35]
+
+RFC 2704 The KeyNote Trust-Management System September 1999
+
+
+ [RSA78] R. L. Rivest, A. Shamir, L. M. Adleman. A Method for
+ Obtaining Digital Signatures and Public-Key Cryptosystems.
+ Communications of the ACM, v21n2. pp 120-126. February 1978.
+
+Authors' Addresses
+
+ Comments about this document should be discussed on the keynote-users
+ mailing list hosted at nsa.research.att.com. To subscribe, send an
+ email message containing the single line
+ subscribe keynote-users
+ in the message body to <majordomo@nsa.research.att.com>.
+
+ Questions about this document can also be directed to the authors as
+ a group at the keynote@research.att.com alias, or to the individual
+ authors at:
+
+ Matt Blaze
+ AT&T Labs - Research
+ 180 Park Avenue
+ Florham Park, New Jersey 07932-0971
+
+ EMail: mab@research.att.com
+
+
+ Joan Feigenbaum
+ AT&T Labs - Research
+ 180 Park Avenue
+ Florham Park, New Jersey 07932-0971
+
+ EMail: jf@research.att.com
+
+
+ John Ioannidis
+ AT&T Labs - Research
+ 180 Park Avenue
+ Florham Park, New Jersey 07932-0971
+
+ EMail: ji@research.att.com
+
+
+ Angelos D. Keromytis
+ Distributed Systems Lab
+ CIS Department, University of Pennsylvania
+ 200 S. 33rd Street
+ Philadelphia, Pennsylvania 19104-6389
+
+ EMail: angelos@dsl.cis.upenn.edu
+
+
+
+
+Blaze, et al. Informational [Page 36]
+
+RFC 2704 The KeyNote Trust-Management System September 1999
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (1999). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Blaze, et al. Informational [Page 37]
+