IETF 81 Proceedings
Introduction | Area, Working Goup & BoF Reports | Plenaries | Training | Internet Research Task Force
Kerberos (krb-wg) (WG)
Minutes | Audio Archives | Jabber Logs | Mailing List Archives
In addition to this official charter maintained by the IETF Secretariat, there is additional information about this working group on the Web at:
Additional KRB-WG Web Page
Additional information is available at tools.ietf.org/wg/krb-wg
Chair(s):Security Area Director(s):Security Area Advisor: |
Meeting Slides
Internet-Drafts:
- Kerberos Version 5 GSS-API Channel Binding Hash Agility (0 bytes) Failed to copy /a/www/ietf-ftp/internet-drafts/draft-ietf-krb-wg-gss-cb-hash-agility-08.txt
- OTP Pre-authentication (0 bytes) Failed to copy /a/www/ietf-ftp/internet-drafts/draft-ietf-krb-wg-otp-preauth-19.txt
- An information model for Kerberos version 5 (0 bytes) Failed to copy /a/www/ietf-ftp/internet-drafts/draft-ietf-krb-wg-kdc-model-10.txt
- Kerberos Options for DHCPv6 (0 bytes) Failed to copy /a/www/ietf-ftp/internet-drafts/draft-sakane-dhc-dhcpv6-kdc-option-12.txt
- The Unencrypted Form Of Kerberos 5 KRB-CRED Message (0 bytes) Failed to copy /a/www/ietf-ftp/internet-drafts/draft-ietf-krb-wg-clear-text-cred-03.txt
- A Generalized PAC for Kerberos V5 (0 bytes) Failed to copy /a/www/ietf-ftp/internet-drafts/draft-ietf-krb-wg-general-pac-00.txt
- Camellia Encryption for Kerberos 5 (0 bytes) Failed to copy /a/www/ietf-ftp/internet-drafts/draft-ietf-krb-wg-camellia-cts-00.txt
Request for Comments:
- AES Encryption for Kerberos 5 (RFC 3962) (32844 bytes) Failed to copy /a/www/ietf-ftp/rfc/rfc3962.txt
- Encryption and Checksum Specifications for Kerberos 5 (RFC 3961) (111865 bytes) Failed to copy /a/www/ietf-ftp/rfc/rfc3961.txt
- The Kerberos Network Authentication Service (V5) (RFC 4120) (340314 bytes) obsoletes RFC 1510/ updated by RFC 4537,RFC 5021,RFC 6111,RFC 6112,RFC 6113 Failed to copy /a/www/ietf-ftp/rfc/rfc4120.txt
- The Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Mechanism: Version 2 (RFC 4121) (43945 bytes) Updates RFC 1964/ updated by RFC 6112 Failed to copy /a/www/ietf-ftp/rfc/rfc4121.txt
- Kerberos Cryptosystem Negotiation Extension (RFC 4537) (11166 bytes) Updates RFC 4120 Failed to copy /a/www/ietf-ftp/rfc/rfc4537.txt
- Online Certificate Status Protocol (OCSP) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) (RFC 4557) (11593 bytes) Failed to copy /a/www/ietf-ftp/rfc/rfc4557.txt
- Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) (RFC 4556) (100339 bytes) updated by RFC 6112 Failed to copy /a/www/ietf-ftp/rfc/rfc4556.txt
- Extended Kerberos Version 5 Key Distribution Center (KDC) Exchanges Over TCP (RFC 5021) (13431 bytes) Updates RFC 4120 Failed to copy /a/www/ietf-ftp/rfc/rfc5021.txt
- Elliptic Curve Cryptography (ECC) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) (RFC 5349) (19706 bytes) Failed to copy /a/www/ietf-ftp/rfc/rfc5349.txt
- Problem Statement on the Cross-Realm Operation of Kerberos (RFC 5868) (30327 bytes) Failed to copy /a/www/ietf-ftp/rfc/rfc5868.txt
- Additional Kerberos Naming Constraints (RFC 6111) (14113 bytes) Updates RFC 4120 Failed to copy /a/www/ietf-ftp/rfc/rfc6111.txt
- Anonymity Support for Kerberos (RFC 6112) (37858 bytes) Updates RFC 4120,RFC 4121,RFC 4556 Failed to copy /a/www/ietf-ftp/rfc/rfc6112.txt
- A Generalized Framework for Kerberos Pre-Authentication (RFC 6113) (121122 bytes) Updates RFC 4120 Failed to copy /a/www/ietf-ftp/rfc/rfc6113.txt
- Using Kerberos Version 5 over the Transport Layer Security (TLS) Protocol (RFC 6251) (17051 bytes) Failed to copy /a/www/ietf-ftp/rfc/rfc6251.txt
Charter (as of 2011-08-18)
Kerberos over the years has been ported to virtually every operating
system. There are at least two open source versions, with numerous
commercial versions based on these and other proprietary implementations.
Kerberos evolution has continued in recent years, with the development
of new crypto and preauthentication frameworks, support for initial
authentication using public keys, improved support for protecting
clients' long-term keys during initial authentication, support for
anonymous and partially-anonymous authentication, and numerous
extensions developed in and out of the IETF.
However, wider deployment and advances in technology bring with them
both new challenges and new opportunities, such as exploring support
for new mechanisms for initial authentication, new cryptographic
technologies, and better integration of Kerberos with other systems
for authentication, authorization, and identity management.
In addition, several key features remain undefined.
The Kerberos Working Group will continue to improve the core Kerberos
specification, develop extensions to address new needs and technologies
related to the areas described above, and produce specifications for
missing functionality.
Specifically, the Working Group will:
* Complete existing work, including:
- DHCP Option (draft-sakane-dhc-dhcpv6-kdc-option-10.txt)
- KDC Data Model (draft-ietf-krb-wg-kdc-model-09.txt)
- One-Time Passwords (draft-ietf-krb-wg-otp-preauth-16.txt)
- IAKERB (draft-ietf-krb-wg-iakerb-02.txt)
- Single-DES Deprecation (draft-lha-des-die-die-die-05.txt)
- IANA registry creation (draft-lha-krb-wg-some-numbers-to-iana)
- Hash agility for GSS-KRB5 (draft-ietf-krb-wg-gss-cb-hash-agility-06.txt)
- Hash agility for PKINIT (draft-ietf-krb-wg-pkinit-alg-agility-05.txt)
- Referrals (draft-ietf-krb-wg-kerberos-referrals-12.txt)
- Set/Change Password (draft-ietf-krb-wg-kerberos-set-passwd-08.txt)
* Prepare and advance one or more standards-track specifications which
update the Kerberos version 5 protocol to support non-ASCII principal
and realm names, salt strings, and passwords, and localized error
reporting. Maximizing backward compatibility is strongly desired.
* Prepare and advance one or more standards-track specifications which
update the Kerberos version 5 protocol in a backward-compatible way
to support extending the unencrypted portion of a Kerberos ticket.
* Prepare, review, and advance standards-track and informational
specifications defining use of new cryptographic algorithms in the
Kerberos protocol, on an ongoing basis.
* Prepare, review, and advance standards-track and informational
specifications defining use of new cryptographic algorithms in
Kerberos using the RFC3961 framework. Cryptographic algorithms
intended for standards track status must be of good quality, have
broad international support, and fill a definite need.
* Prepare, review, and advance standards-track and informational
specifications defining new authorization data types for carrying
supplemental information about the client to which a Kerberos ticket
has been issued and/or restrictions on what the ticket can be used
for. To enhance this ongoing authorization data work, a container
format supporting the use cases of draft-sorce-krbwg-general-pac-01
may be standardized.
* Prepare a standards-track protocol to solve the use cases addressed
by draft-hotz-kx509-01 including new support for digital signatures.
* Prepare and advance one or more standards-track specifications
which define mechanisms for establishing keys and configuration
information used during authentication between Kerberos realms.
* Prepare and advance a standards-track specification defining a
format for the transport of Kerberos credentials within other
protocols.
* Today Kerberos requires a replay cache to be used in AP exchanges in
almost all cases. Replay caches are quite complex to implement
correctly, particularly in clustered systems. High-performance replay
caches are even more difficult to implement. The WG will pursue
extensions to minimize the need for replay caching, optimize replay
caching, and/or elide the need for replay caching.
* Produce an LDAP schema for management of the KDC's database.
Goals and Milestones:
| Done | First meeting | |
| Done | Submit the Kerberos Extensions document to the IESG for consideration as a Proposed standard. | |
| Done | Complete first draft of Pre-auth Framework | |
| Done | Complete first draft of Extensions | |
| Done | Submit K5-GSS-V2 document to IESG for consideration as a Proposed Standard | |
| Done | Last Call on OCSP for PKINIT | |
| Done | Consensus on direction for Change/Set password | |
| Done | PKINIT to IESG | |
| Done | Enctype Negotiation to IESG | |
| Done | Last Call on PKINIT ECC | |
| Done | TCP Extensibility to IESG | |
| Done | ECC for PKINIT to IESG | |
| Done | Naming Constraints to IESG | |
| Done | Anonymity to IESG | |
| Done | WGLC on preauth framework | |
| Done | WGLC on OTP | |
| Done | WGLC on data model | |
| Done | WGLC on cross-realm issues | |
| Done | WGLC on IAKERB | |
| Done | Anonymity back to IESG | |
| Done | WGLC on STARTTLS | |
| Done | WGLC on DHCPv6 Option | |
| Done | draft-ietf-krb-wg-clear-text-cred to IESG | |
| Aug 2011 | draft-ietf-krbwg-camellia-cts to IESG | |
| Aug 2011 | draft-ietf-krb-wg-des-die-die-die to IESG | |
| Sep 2011 | DHCP option for Kerberos to IESG | |
| Oct 2011 | Internationalized error support to IESG | |
| Oct 2011 | draft-ietf-krb-wg-pkinit-alg-agility to IESG | |
| Dec 2011 | Kerberos PAD authorization data to IESG | |
| Dec 2011 | Consider adopting kx509bis in response to use cases in draft-hotz-kx509-01 |
Home - Tools
Team - Datatracker - Web Site Usage Statistics - IASA - IAB - RFC Editor - IANA - IRTF - IETF Trust - ISOC - Store - Contact Us
Secretariat services provided by Association Management Solutions, LLC (AMS).
Please send problem reports to: ietf-action@ietf.org.