Kerberos (krb-wg)

In addition to this official charter maintained by the IETF Secretariat, there is additional information about this working group on the Web at:

       Additional KRB-WG Web Page

Last Modified: 2007-11-12

Additional information is available at tools.ietf.org/wg/krb-wg

Chair(s):

  • Jeffrey Hutzelman <jhutz@cmu.edu>

  • Larry Zhu <lzhu@windows.microsoft.com>

    Security Area Director(s):

  • Tim Polk <tim.polk@nist.gov>
  • Sam Hartman <hartmans-ietf@mit.edu>

    Security Area Advisor:

  • Sam Hartman <hartmans-ietf@mit.edu>

    Mailing Lists:

    General Discussion: ietf-krb-wg@lists.anl.gov
    To Subscribe: https://lists.anl.gov/mailman/listinfo/ietf-krb-wg
    Archive: https://lists.anl.gov/pipermail/ietf-krb-wg/

    Description of Working Group:

    Kerberos over the years has been ported to virtually every operating
    system. There are at least two open source versions, with numerous
    commercial versions based on these and other proprietary
    implementations. Kerberos evolution has continued over the years, and
    interoperability has been problematic.  A number of draft proposals
    have been issued concerning aspects of new or extended functionality.

    The group will strive to improve the interoperability of these
    systems while improving security.

    Specifically, the Working Group will:

    * Clarify and amplify the Kerberos specification (RFC 1510) to make
    sure
      interoperability problems encountered in the past that occurred
      because of unclear specifications do not happen again.  The output of
      this process should be suitable for Draft Standard status.

    * Select from existing proposals on new or extended functionality those
      that will add significant value while improving interoperability and
      security, and publish these as one or more Proposed Standards.

    Goals and Milestones:

    Done  First meeting
    Done  Submit the Kerberos Extensions document to the IESG for consideration as a Proposed standard.
    Done  Complete first draft of Pre-auth Framework
    Done  Complete first draft of Extensions
    Done  Submit K5-GSS-V2 document to IESG for consideration as a Proposed Standard
    Done  Last Call on OCSP for PKINIT
    Done  Consensus on direction for Change/Set password
    Done  PKINIT to IESG
    Done  Enctype Negotiation to IESG
    Done  Last Call on PKINIT ECC
    Done  TCP Extensibility to IESG
    Jul 2007  Set/Change Password to IESG
    Jul 2007  Naming Constraints to IESG
    Done  ECC for PKINIT to IESG
    Aug 2007  Anonymity to IESG
    Aug 2007  Hash agility for GSS-KRB5 to IESG
    Aug 2007  Hash agility for PKINIT to IESG
    Aug 2007  Choose direction for Kerberos v5.3
    Sep 2007  WGLC on preauth framework
    Nov 2007  WGLC on OTP
    Nov 2007  WGLC on hardware preauth
    Dec 2007  WGLC on data model
    Dec 2007  WGLC on cross-realm issues
    Jan 2008  WGLC on STARTTLS
    Jan 2008  WGLC on Referrals
    Mar 2008  WGLC on Kerberos v5.3
    Mar 2008  WGLC on IAKERB
    Mar 2008  WGLC on LDAP schema

    Internet-Drafts:

    Kerberos Set/Change Key/Password Protocol Version 2 (67263 bytes)
    A Generalized Framework for Kerberos Pre-Authentication (96405 bytes)
    ECC Support for PKINIT (21006 bytes)
    Anonymity Support for Kerberos (23911 bytes)
    Additional Kerberos Naming Constraints (13547 bytes)
    Kerberos Version 5 GSS-API Channel Binding Hash Agility (12591 bytes)
    Problem statement on the cross-realm operation of Kerberos (28277 bytes)
    OTP Pre-authentication (70465 bytes)
    Initial and Pass Through Authentication Using Kerberos V5 and the GSS- API (IAKERB) (20440 bytes)
    An information model for Kerberos version 5 (24469 bytes)

    Request For Comments:

    AES Encryption for Kerberos 5 (RFC 3962) (32844 bytes)
    Encryption and Checksum Specifications for Kerberos 5 (RFC 3961) (111865 bytes)
    The Kerberos Network Authentication Service (V5) (RFC 4120) (340314 bytes) obsoletes RFC 1510/ updated by RFC 4537,RFC 5021
    The Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Mechanism: Version 2 (RFC 4121) (43945 bytes) updates RFC 1964
    Kerberos Cryptosystem Negotiation Extension (RFC 4537) (11166 bytes) updates RFC 4120
    Online Certificate Status Protocol (OCSP) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) (RFC 4557) (11593 bytes)
    Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) (RFC 4556) (100339 bytes)
    Extended Kerberos Version 5 Key Distribution Center (KDC) Exchanges Over TCP (RFC 5021) (13431 bytes) updates RFC 4120
    IETF Secretariat - Please send questions, comments, and/or suggestions to ietf-web@ietf.org.

    Return to working group directory.

    Return to IETF home page.