Kerberos (krb-wg)

In addition to this official charter maintained by the IETF Secretariat, there is additional information about this working group on the Web at:

       Additional KRB-WG Web Page

Last Modified: 2007-11-12

Additional information is available at tools.ietf.org/wg/krb-wg

Chair(s):

  • Jeffrey Hutzelman <jhutz@cmu.edu>

  • Larry Zhu <lzhu@windows.microsoft.com>

    Security Area Director(s):

  • Tim Polk <tim.polk@nist.gov>
  • Sam Hartman <hartmans-ietf@mit.edu>

    Security Area Advisor:

  • Sam Hartman <hartmans-ietf@mit.edu>

    Mailing Lists:

    General Discussion: ietf-krb-wg@lists.anl.gov
    To Subscribe: https://lists.anl.gov/mailman/listinfo/ietf-krb-wg
    Archive: https://lists.anl.gov/pipermail/ietf-krb-wg/

    Description of Working Group:

    Kerberos over the years has been ported to virtually every operating
    system. There are at least two open source versions, with numerous
    commercial versions based on these and other proprietary
    implementations. Kerberos evolution has continued over the years, and
    interoperability has been problematic.  A number of draft proposals
    have been issued concerning aspects of new or extended functionality.

    The group will strive to improve the interoperability of these
    systems while improving security.

    Specifically, the Working Group will:

    * Clarify and amplify the Kerberos specification (RFC 1510) to make
    sure
      interoperability problems encountered in the past that occurred
      because of unclear specifications do not happen again.  The output of
      this process should be suitable for Draft Standard status.

    * Select from existing proposals on new or extended functionality those
      that will add significant value while improving interoperability and
      security, and publish these as one or more Proposed Standards.

    Goals and Milestones:

    Done  First meeting
    Done  Submit the Kerberos Extensions document to the IESG for consideration as a Proposed standard.
    Done  Complete first draft of Pre-auth Framework
    Done  Complete first draft of Extensions
    Done  Submit K5-GSS-V2 document to IESG for consideration as a Proposed Standard
    Done  Last Call on OCSP for PKINIT
    Done  Consensus on direction for Change/Set password
    Done  PKINIT to IESG
    Done  Enctype Negotiation to IESG
    Done  Last Call on PKINIT ECC
    Done  TCP Extensibility to IESG
    Jul 2007  Set/Change Password to IESG
    Jul 2007  Naming Constraints to IESG
    Done  ECC for PKINIT to IESG
    Aug 2007  Anonymity to IESG
    Aug 2007  Hash agility for GSS-KRB5 to IESG
    Aug 2007  Hash agility for PKINIT to IESG
    Aug 2007  Choose direction for Kerberos v5.3
    Sep 2007  WGLC on preauth framework
    Nov 2007  WGLC on OTP
    Nov 2007  WGLC on hardware preauth
    Dec 2007  WGLC on data model
    Dec 2007  WGLC on cross-realm issues
    Jan 2008  WGLC on STARTTLS
    Jan 2008  WGLC on Referrals
    Mar 2008  WGLC on Kerberos v5.3
    Mar 2008  WGLC on IAKERB
    Mar 2008  WGLC on LDAP schema

    Internet-Drafts:

    Kerberos Set/Change Key/Password Protocol Version 2 (0 bytes)
    ECC Support for PKINIT (0 bytes)
    Anonymity Support for Kerberos (0 bytes)
    Additional Kerberos Naming Constraints (0 bytes)
    Kerberos Version 5 GSS-API Channel Binding Hash Agility (0 bytes)
    Problem statement on the cross-realm operation of Kerberos (0 bytes)
    OTP Preauthentication (0 bytes)
    Initial and Pass Through Authentication Using Kerberos V5 and the GSS- API (IAKERB) (0 bytes)
    An information model for Kerberos version 5 (0 bytes)

    Request For Comments:

    AES Encryption for Kerberos 5 (RFC 3962) (0 bytes)
    Encryption and Checksum Specifications for Kerberos 5 (RFC 3961) (0 bytes)
    The Kerberos Network Authentication Service (V5) (RFC 4120) (0 bytes) obsoletes RFC 1510/ updated by RFC 4537,RFC 5021
    The Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Mechanism: Version 2 (RFC 4121) (0 bytes) updates RFC 1964
    Kerberos Cryptosystem Negotiation Extension (RFC 4537) (0 bytes) updates RFC 4120
    Online Certificate Status Protocol (OCSP) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) (RFC 4557) (0 bytes)
    Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) (RFC 4556) (0 bytes)
    Extended Kerberos Version 5 Key Distribution Center (KDC) Exchanges Over TCP (RFC 5021) (0 bytes) updates RFC 4120
    IETF Secretariat - Please send questions, comments, and/or suggestions to ietf-web@ietf.org.

    Return to working group directory.

    Return to IETF home page.