IETF 80 Proceedings
Introduction | Area, Working Goup & BoF Reports | Plenaries | Training | Internet Research Task Force
Kerberos (krb-wg) (WG)
Minutes | Audio Archives | Jabber Logs | Mailing List Archives
In addition to this official charter maintained by the IETF Secretariat, there is additional information about this working group on the Web at:
Additional KRB-WG Web Page
Additional information is available at tools.ietf.org/wg/krb-wg
Chair(s):Security Area Director(s):Security Area Advisor: |
Meeting Slides
Internet-Drafts:
- Kerberos Principal Name Canonicalization and KDC-Generated Cross-Realm Referrals (51119 bytes)
- Kerberos Version 5 GSS-API Channel Binding Hash Agility (11083 bytes)
- OTP Pre-authentication (91238 bytes)
- Kerberos Options for DHCPv6 (34811 bytes)
Request for Comments:
- AES Encryption for Kerberos 5 (RFC 3962) (32844 bytes)
- Encryption and Checksum Specifications for Kerberos 5 (RFC 3961) (111865 bytes)
- The Kerberos Network Authentication Service (V5) (RFC 4120) (340314 bytes) obsoletes RFC 1510/ updated by RFC 4537,RFC 5021,RFC 6111,RFC 6112,RFC 6113
- The Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Mechanism: Version 2 (RFC 4121) (43945 bytes) Updates RFC 1964/ updated by RFC 6112
- Kerberos Cryptosystem Negotiation Extension (RFC 4537) (11166 bytes) Updates RFC 4120
- Online Certificate Status Protocol (OCSP) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) (RFC 4557) (11593 bytes)
- Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) (RFC 4556) (100339 bytes) updated by RFC 6112
- Extended Kerberos Version 5 Key Distribution Center (KDC) Exchanges Over TCP (RFC 5021) (13431 bytes) Updates RFC 4120
- Elliptic Curve Cryptography (ECC) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) (RFC 5349) (19706 bytes)
- Problem Statement on the Cross-Realm Operation of Kerberos (RFC 5868) (30327 bytes)
- Additional Kerberos Naming Constraints (RFC 6111) (14113 bytes) Updates RFC 4120
- Anonymity Support for Kerberos (RFC 6112) (37858 bytes) Updates RFC 4120,RFC 4121,RFC 4556
- A Generalized Framework for Kerberos Pre-Authentication (RFC 6113) (121122 bytes) Updates RFC 4120
- Using Kerberos Version 5 over the Transport Layer Security (TLS) Protocol (RFC 6251) (17051 bytes)
Charter (as of 2011-03-31)
Kerberos over the years has been ported to virtually every operating
system. There are at least two open source versions, with numerous
commercial versions based on these and other proprietary
implementations. Kerberos evolution has continued in recent years, with
the development of a new crypto framework, publication of a new version
of the Kerberos specification, support for initial authentication using
public keys, and numerous extensions developed in and out of the IETF.
However, wider deployment and advances in technology bring with them
both new challenges and new opportunities, particularly with regard to
making initial authentication of users to the Kerberos system both
convenient and secure. In addition, several key features remain undefined.
The Kerberos Working Group will continue to improve the core Kerberos
specification, develop extensions to address new needs and technologies
related to improving the process of client authentication, and produce
specifications for missing functionality.
Specifically, the Working Group will:
* Complete existing work:
- ECC for PKINIT (draft-zhu-pkinit-ecc-03.txt)
- Set/Change Password
(draft-ietf-krb-wg-kerberos-set-passwd-05.txt)
- Naming Constraints (draft-ietf-krb-wg-naming-02.txt)
- Anonymity (draft-ietf-krb-wg-anon-03.txt)
- Hash agility for GSS-KRB5
(draft-ietf-krb-wg-gss-cb-hash-agility-00.txt)
- Hash agility for PKINIT (draft-ietf-krb-wg-pkinit-alg-agility-01.txt)
- Referrals (draft-ietf-krb-wg-kerberos-referrals-08.txt)
* Prepare and advance a specification for an updated, backward-
compatible version of the Kerberos version 5 protocol which supports
non-ASCII principal and realm names, salt strings, and passwords;
insures that those portions of the protocol which are not encrypted are
nonetheless authenticated whenever possible; and enables future protocol
revisions and extensions.
* Develop extensions which reduce or eliminate exposure of Kerberos
clients' long-term keys to attack and enable the use of alternate
mechanisms for initial authentication. This task will comprise the
following items:
- A model and framework for preauthentication mechanisms
- A mechanism for providing a protected channel for carrying
preauthentication data and/or a reply key between a Kerberos
client and KDC, within the KDC_REQ/KDC_REP exchange.
- Support for One-Time Passwords
- Support for hardware authentication tokens
- Support for using TLS to secure communications with Kerberos KDCs.
* Examine issues related to the current cross-realm model, produce a
list of problems to be solved, and evaluate approaches to solving them.
* Develop extensions to Kerberos and a GSS-API mechanism (IAKERB) to
enable Kerberos clients to communicate with a KDC by using a GSS-API
acceptor as a proxy.
* Produce a data model for information needed by the KDC, and an LDAP
schema for management of that data.
Goals and Milestones:
| Done | First meeting | |
| Done | Submit the Kerberos Extensions document to the IESG for consideration as a Proposed standard. | |
| Done | Complete first draft of Pre-auth Framework | |
| Done | Complete first draft of Extensions | |
| Done | Submit K5-GSS-V2 document to IESG for consideration as a Proposed Standard | |
| Done | Last Call on OCSP for PKINIT | |
| Done | Consensus on direction for Change/Set password | |
| Done | PKINIT to IESG | |
| Done | Enctype Negotiation to IESG | |
| Done | Last Call on PKINIT ECC | |
| Done | TCP Extensibility to IESG | |
| Done | ECC for PKINIT to IESG | |
| Done | Naming Constraints to IESG | |
| Done | Anonymity to IESG | |
| Done | WGLC on preauth framework | |
| Done | WGLC on OTP | |
| Done | WGLC on data model | |
| Done | WGLC on cross-realm issues | |
| Jan 2008 | WGLC on Referrals | |
| Dec 2008 | Set/Change Password to IESG | |
| Dec 2008 | Hash agility for GSS-KRB5 to IESG | |
| Dec 2008 | Hash agility for PKINIT to IESG | |
| Done | WGLC on IAKERB | |
| Done | Anonymity back to IESG | |
| Done | WGLC on STARTTLS | |
| Feb 2009 | Data Model to IESG | |
| Feb 2009 | OTP to IESG | |
| Done | WGLC on DHCPv6 Option |
Home - Tools
Team - Datatracker - Web Site Usage Statistics - IASA - IAB - RFC Editor - IANA - IRTF - IETF Trust - ISOC - Store - Contact Us
Secretariat services provided by Association Management Solutions, LLC (AMS).
Please send problem reports to: ietf-action@ietf.org.