Kerberos (krb-wg)


In addition to this official charter maintained by the IETF Secretariat, there is additional information about this working group on the Web at:

       Additional KRB-WG Web Page

Last Modified: 2007-11-12

Additional information is available at tools.ietf.org/wg/krb-wg

    Chair(s):

  • Jeffrey Hutzelman <jhutz@cmu.edu>
  • Larry Zhu <lzhu@windows.microsoft.com>

    Security Area Director(s):

  • Tim Polk <tim.polk@nist.gov>
  • Sam Hartman <hartmans-ietf@mit.edu>

    Security Area Advisor:

  • Sam Hartman <hartmans-ietf@mit.edu>

    Mailing Lists:

    General Discussion: ietf-krb-wg@lists.anl.gov
    To Subscribe: https://lists.anl.gov/mailman/listinfo/ietf-krb-wg
    Archive: https://lists.anl.gov/pipermail/ietf-krb-wg/

    Description of Working Group:

    Kerberos over the years has been ported to virtually every operating
    system. There are at least two open source versions, with numerous
    commercial versions based on these and other proprietary
    implementations. Kerberos evolution has continued in recent years,
    with the development of a new crypto framework, publication of a new
    version of the Kerberos specification, support for initial
    authentication using public keys, and numerous extensions developed in
    and out of the IETF.

    However, wider deployment and advances in technology bring with them
    both new challenges and new opportunities, particularly with regard to
    making initial authentication of users to the Kerberos system both
    convenient and secure. In addition, several key features remain
    undefined.

    The Kerberos Working Group will continue to improve the core Kerberos
    specification, develop extensions to address new needs and technologies
    related to improving the process of client authentication, and produce
    specifications for missing functionality.

    Specifically, the Working Group will:

    * Complete existing work:
    - ECC for PKINIT (draft-zhu-pkinit-ecc-03.txt)
    - Set/Change Password (draft-ietf-krb-wg-kerberos-set-passwd-05.txt)
    - Naming Constraints (draft-ietf-krb-wg-naming-02.txt)
    - Anonymity (draft-ietf-krb-wg-anon-03.txt)
    - Hash agility for GSS-KRB5 (draft-ietf-krb-wg-gss-cb-hash-agility-00.txt)
    - Hash agility for PKINIT (draft-ietf-krb-wg-pkinit-alg-agility-01.txt)
    - Referrals (draft-ietf-krb-wg-kerberos-referrals-08.txt)

    * Prepare and advance a specification for an updated,
    backward-compatible version of the Kerberos version 5 protocol which
    supports non-ASCII principal and realm names, salt strings, and
    passwords; ensures that those portions of the protocol which are not
    encrypted are nonetheless authenticated whenever possible; and enables
    future protocol revisions and extensions.

    * Develop extensions which reduce or eliminate exposure of Kerberos
    clients' long-term keys to attack and enable the use of alternate
    mechanisms for initial authentication. This task will comprise the
    following items:
    - A model and framework for preauthentication mechanisms
    - A mechanism for providing a protected channel for carrying
    preauthentication data and/or a reply key between a Kerberos
    client and KDC, within the KDC_REQ/KDC_REP exchange.
    - Support for One-Time Passwords
    - Support for hardware authentication tokens
    - Support for using TLS to secure communications with Kerberos KDCs.

    * Examine issues related to the current cross-realm model, produce a
    list of problems to be solved, and evaluate approaches to solving them.

    * Develop extensions to Kerberos and a GSS-API mechanism (IAKERB) to
    enable Kerberos clients to communicate with a KDC by using a GSS-API
    acceptor as a proxy.

    * Produce a data model for information needed by the KDC, and an LDAP
    schema for management of that data.

    Goals and Milestones:

    Done  First meeting
    Done  Submit the Kerberos Extensions document to the IESG for consideration as a Proposed standard.
    Done  Complete first draft of Pre-auth Framework
    Done  Complete first draft of Extensions
    Done  Submit K5-GSS-V2 document to IESG for consideration as a Proposed Standard
    Done  Last Call on OCSP for PKINIT
    Done  Consensus on direction for Change/Set password
    Done  PKINIT to IESG
    Done  Enctype Negotiation to IESG
    Done  Last Call on PKINIT ECC
    Done  TCP Extensibility to IESG
    Jul 2007  Set/Change Password to IESG
    Jul 2007  Naming Constraints to IESG
    Done  ECC for PKINIT to IESG
    Aug 2007  Anonymity to IESG
    Aug 2007  Hash agility for GSS-KRB5 to IESG
    Aug 2007  Hash agility for PKINIT to IESG
    Aug 2007  Choose direction for Kerberos v5.3
    Sep 2007  WGLC on preauth framework
    Nov 2007  WGLC on OTP
    Nov 2007  WGLC on hardware preauth
    Dec 2007  WGLC on data model
    Dec 2007  WGLC on cross-realm issues
    Jan 2008  WGLC on STARTTLS
    Jan 2008  WGLC on Referrals
    Mar 2008  WGLC on Kerberos v5.3
    Mar 2008  WGLC on IAKERB
    Mar 2008  WGLC on LDAP schema

    Internet-Drafts:

    Kerberos Set/Change Key/Password Protocol Version 2 (67263 bytes)
    ECC Support for PKINIT (21006 bytes)
    Additional Kerberos Naming Constraints (13547 bytes)
    PK-INIT algorithm agility (30722 bytes)
    Kerberos Version 5 GSS-API Channel Binding Hash Agility (12591 bytes)
    Problem statement on the cross-realm operation of Kerberos (28277 bytes)
    OTP Preauthentication (41855 bytes)
    Initial and Pass Through Authentication Using Kerberos V5 and the GSS-API (IAKERB) (20440 bytes)
    An information model for Kerberos version 5 (25132 bytes)

    Request For Comments:

    AES Encryption for Kerberos 5 (RFC 3962) (32844 bytes)
    Encryption and Checksum Specifications for Kerberos 5 (RFC 3961) (111865 bytes)
    The Kerberos Network Authentication Service (V5) (RFC 4120) (340314 bytes) obsoletes RFC 1510; updated by RFC 4537, RFC 5021
    The Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Mechanism: Version 2 (RFC 4121) (43945 bytes) updates RFC 1964
    Kerberos Cryptosystem Negotiation Extension (RFC 4537) (11166 bytes) updates RFC 4120
    Online Certificate Status Protocol (OCSP) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) (RFC 4557) (11593 bytes)
    Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) (RFC 4556) (100339 bytes)
    Extended Kerberos Version 5 Key Distribution Center (KDC) Exchanges Over TCP (RFC 5021) (13431 bytes) updates RFC 4120

    IETF Secretariat - Please send questions, comments, and/or suggestions to ietf-web@ietf.org.