TLS user mapping hint extension Stefan Santesson Microsoft


Post on 05-Jan-2016


Page 1: TLS user mapping hint extension Stefan Santesson Microsoft

TLS user mapping hint extension

Stefan Santesson

Microsoft

Page 2

Purpose

• Logging on to a Microsoft domain currently requires a Microsoft UPN (User Principal Name) “user@domain” to be present in the client certificate.

• This TLS extension removes this requirement in the context of TLS.

Page 3

Flow

• Client and server agree that they both support this extension.

• The client sends its UPN in a new handshake message.

• The server locates the user in AD and extracts the user's certificate.

• Authentication maps the client certificate to the user certificate extracted from AD.

Page 4

New extension type

• A new extension type (user_mapping(nn)) is added to the ExtensionType enumeration used in both the Client Hello and Server Hello. The extension type is specified as follows and carries no data.

enum {
    server_name(0), max_fragment_length(1), client_certificate_url(2),
    trusted_ca_keys(3), truncated_hmac(4), status_request(5),
    user_mapping(nn), (65535)
} ExtensionType;

Page 5

Extension to the Handshake Protocol

• A new handshake message (user_mapping_data(nn)) is created to encapsulate the client's UPN and domain.

enum {
    hello_request(0), client_hello(1), server_hello(2),
    certificate(11), server_key_exchange(12), certificate_request(13),
    server_hello_done(14), certificate_verify(15), client_key_exchange(16),
    finished(20), certificate_url(21), certificate_status(22),
    user_mapping_data(nn), (255)
} HandshakeType;

Page 6

Handshake message syntax

enum { UpnDomainHint(0), (255) } UserMappingType;

struct {
    opaque user_principle_name<0..2^16-1>;
    opaque domain_name<0..2^16-1>;
} UpnDomainHint;

struct {
    UserMappingType user_mapping_version;
    select (UserMappingType) {
        case UpnDomainHint: UpnDomainHint;
    }
} UserMappingData;
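The following is an added example, not code from the slides or from Microsoft, showing pages 3 to 6 in working form: the empty user_mapping extension, the user_mapping_data handshake message built from the UpnDomainHint structure (opaque<0..2^16-1> fields are a two-byte length followed by the bytes), and the server-side step that looks the UPN up and accepts it only if the directory's certificate matches the one the client actually presented. The slides leave the code points as "nn"; the values 6 and 26 used here are the ones RFC 4681 later assigned. The AD lookup is a constructed dictionary with fake certificate bytes.

```python
import struct

# Code points left as "nn" on the slides; these are the values RFC 4681 later assigned.
EXT_USER_MAPPING = 6           # ExtensionType user_mapping
HS_USER_MAPPING_DATA = 26      # HandshakeType user_mapping_data
UPN_DOMAIN_HINT = 0            # UserMappingType UpnDomainHint(0), as on page 6


def encode_user_mapping_extension() -> bytes:
    """Page 4: the extension in Client/Server Hello is a type plus a zero-length body."""
    return struct.pack("!HH", EXT_USER_MAPPING, 0)


def _opaque16(data: bytes) -> bytes:
    """Encode opaque<0..2^16-1>: two-byte big-endian length, then the bytes."""
    if len(data) > 0xFFFF:
        raise ValueError("opaque field exceeds 2^16-1 bytes")
    return struct.pack("!H", len(data)) + data


def _read_opaque16(buf: bytes, off: int):
    """Decode one opaque<0..2^16-1> field, refusing lengths that run past the buffer."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("truncated opaque field")
    return buf[off:off + n], off + n


def encode_upn_domain_hint(upn: str, domain: str) -> bytes:
    """UserMappingData carrying a UpnDomainHint: one-byte type, then the two opaque fields."""
    return (bytes([UPN_DOMAIN_HINT])
            + _opaque16(upn.encode("utf-8"))
            + _opaque16(domain.encode("utf-8")))


def encode_handshake(msg_type: int, body: bytes) -> bytes:
    """Wrap a body in the TLS Handshake header: one-byte type, three-byte length."""
    if len(body) > 0xFFFFFF:
        raise ValueError("handshake body too long")
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def decode_handshake(record: bytes):
    """Split a handshake message into (type, body); the length must match exactly."""
    if len(record) < 4:
        raise ValueError("short handshake header")
    length = int.from_bytes(record[1:4], "big")
    if len(record) != 4 + length:
        raise ValueError("handshake length mismatch")
    return record[0], record[4:]


def decode_user_mapping_data(body: bytes):
    """Parse UserMappingData; only UpnDomainHint(0) is defined, anything else is rejected."""
    if not body:
        raise ValueError("empty UserMappingData")
    if body[0] != UPN_DOMAIN_HINT:
        raise ValueError("unknown UserMappingType %d" % body[0])
    upn, off = _read_opaque16(body, 1)
    domain, off = _read_opaque16(body, off)
    if off != len(body):
        raise ValueError("trailing bytes in UpnDomainHint")
    return upn.decode("utf-8"), domain.decode("utf-8")


# Constructed stand-in for the AD lookup on page 3: UPN -> certificate bytes (fake, not DER).
FAKE_AD = {
    "alice@example.com": b"FAKE-CERT-ALICE",
    "bob@example.com": b"FAKE-CERT-BOB",
}


def map_client(hint_record: bytes, client_cert: bytes):
    """Server side of the page 3 flow: the hint only says where to look; the user is accepted
    only when the certificate stored for that UPN equals the certificate the client
    authenticated with in the handshake. Returns the UPN on success, None otherwise."""
    msg_type, body = decode_handshake(hint_record)
    if msg_type != HS_USER_MAPPING_DATA:
        return None
    upn, _domain = decode_user_mapping_data(body)
    stored = FAKE_AD.get(upn)
    if stored is None or stored != client_cert:
        return None
    return upn


if __name__ == "__main__":
    rec = encode_handshake(HS_USER_MAPPING_DATA,
                           encode_upn_domain_hint("alice@example.com", "example.com"))
    print(rec.hex())
    print(map_client(rec, b"FAKE-CERT-ALICE"))   # alice@example.com
    print(map_client(rec, b"FAKE-CERT-BOB"))     # None: hint does not match the real cert
```

The important design point is in map_client: the hint is sent in the clear and before client authentication, so the server treats it purely as a lookup key and relies on the certificate comparison, not the hint, to decide who the user is.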

Page 7

Actions

• Submit new draft to be published as Informational RFC

• Provide IPR disclosure

• Assign identifiers for extension type and handshake message