2.5.6 Kerberos WG (krb-wg)

NOTE: This charter is a snapshot of the 48th IETF Meeting in Pittsburgh, Pennsylvania. It may now be out-of-date. Last Modified: 17-Jul-00

Chair(s):

Douglas Engert <deengert@anl.gov>

Security Area Director(s):

Jeffrey Schiller <jis@mit.edu>
Marcus Leech <mleech@nortelnetworks.com>

Security Area Advisor:

Jeffrey Schiller <jis@mit.edu>

Mailing Lists:

General Discussion: ietf-krb-wg@anl.gov
To Subscribe: majordomo@anl.gov
In Body: subscribe ietf-krb-wg your_email_address
Archive: ftp://ftp.ietf.org/ietf-mail-archive/krb/

Description of Working Group:

Kerberos has over the years been ported to virtually every operating system. There are at least two open source versions, with numerous commercial versions based on these and on other proprietary implementations. Kerberos has continued to evolve, and interoperability has been problematic. A number of draft proposals have been issued concerning aspects of new or extended functionality.

The group will strive to improve the interoperability of these systems while improving security.

Specifically, the Working Group will:

* Clarify and amplify the Kerberos specification (RFC 1510) to make sure interoperability problems encountered in the past that occurred because of unclear specifications do not happen again. The output of this process should be suitable for Draft Standard status.

* Select from existing proposals on new or extended functionality those that will add significant value while improving interoperability and security, and publish these as one or more Proposed Standards.

Goals and Milestones:

Jul 00    First meeting

Aug 00    Submit the Kerberos Extensions document to the IESG for consideration as a Proposed Standard.

Sep 00    Submit the PKINIT document to the IESG for consideration as a Proposed Standard.

Dec 00    Charter review, update of milestones and refinement of goals.


No Request For Comments

Current Meeting Report

MINUTES KRB-WG Meeting 8/2/00 - Pittsburgh IETF

Reported by Doug Engert <deengert@anl.gov>

The first meeting of the Kerberos WG was held 8/2/2000 in Pittsburgh with 79 attendees in a room designed for 60. The chairman, Doug Engert, gave a short introduction about the new group being split from the CAT group in order to focus on the Kerberos-specific drafts, and to get the Kerberos-Revisions to last call in August. The charter can be found at http://www.ietf.org/html.charters/krb-wg-charter.html.

Cliff Neuman <bcn@isi.edu> led the discussion of the Kerberos-Revisions, draft-ietf-cat-kerberos-revisions-06.txt. Many other documents are gated by the Revisions, including a PKIX document, so getting the Revisions to last call is the primary objective of the WG. Sections of the draft will be sent to the mailing list for informal last call; when that is done, a last call can be issued for the document as a whole.

Microsoft has sent a letter claiming Intellectual Property rights to parts of the revisions. This did not appear to be a problem, as it is worded the same as previous letters from Microsoft to the IETF.

The domain-based realm name language has been changed for compatibility. The e-data values (typed data) and the pa-data namespaces were merged, but the explanation of this merging needs to be made clearer. There are character-set encoding issues (changed in PKINIT, but left as-is in the Revisions). For compatibility, these fields need to be left as GeneralString, but it was pointed out that the string should be interpreted as UTF-8. This raises comparison issues. Tom Yu will send text on how to interpret this field so as to provide maximum compatibility with existing deployments.

The wording on subkeys needs to strongly recommend including entropy from the session key. The 40-bit DES example needs to be changed. The references to the Horowitz drafts for 3DES and key derivation need to be incorporated. Ken Raeburn has an issue with the ivec for KRB-PRIV. Tom Yu will provide text on changing the application tags for KRB-PRIV and KRB-SAFE to deal with fields that are now optional.

Some clarification is needed for name referrals, in particular how they are intended to be used.

Cliff also gave an update on PKINIT, PKCROSS and PKTAPP. They are blocked by the Revisions.

Jonathan Trostle <jtrostle@cisco.com> discussed IAKERB. Basically, an IAKERB proxy server talks to the KDC in the case where the client cannot reach a KDC itself. Ken Raeburn asked about having the IAKERB proxy add the correct IP address to the ticket at AS-REQ time. Jonathan said he would look at that; Ted asked about possibly using GSS channel bindings to let the client communicate that; Tom Yu said that those aren't required to be transmitted. These need to be taken to the list.

Jonathan Trostle discussed the Kerberos Set/Change Password document. This extends the original Horowitz kerb-change-password protocol but also allows administrative commands to set passwords. Again there was discussion about the client generating keys. This needs further discussion on the list.

Donna Skibbie <donnas@us.ibm.com> gave an overview of LDAP access to KDC databases. The Open Group is working on this as well. There were many comments and questions about how the keys would be protected, how authentication to the database would be done, and how backups are controlled.

Ken Hornstein <kenh@cmf.nrl.navy.mil> discussed Distributing Kerberos KDC and Realm Information with DNS. Ken reported that most of the concerns about this draft were resolved at Adelaide. A new draft needs to be issued with a beefed-up security statement and a resolution of the mixed-case realm issue. Paul Leach asked whether the concern he had expressed before still existed; Ken confirmed that it did.
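The two DNS lookups the draft above describes, as an added illustration that is not code from the draft or from any Kerberos implementation: an SRV query on `_kerberos._udp.<realm>` to find KDCs, and a TXT query on `_kerberos.<hostname>` (walking up the domain tree) to map a host to its realm. The records live in a constructed in-memory zone so the example runs offline; the hostnames, realm names and record data are made up. It shows why the mixed-case realm issue exists: DNS owner names are matched case-insensitively, so realm names that Kerberos treats as distinct (they are case-sensitive) resolve to the same SRV records, whereas TXT record data preserves the realm string exactly as published.

```python
"""Locating Kerberos KDCs and realms via DNS, and the realm-case pitfall.

Illustrative code only (not from the krb-dns-locate draft or any Kerberos
implementation).  The owner-name conventions _kerberos._<proto>.<realm> (SRV)
and _kerberos.<host> (TXT) follow the draft; everything else is constructed.
"""

# Constructed zone.  SRV data: (priority, weight, port, target).  TXT data: realm string.
SRV_ZONE = {
    "_kerberos._udp.example.com.": [(10, 100, 88, "kdc2.example.com."),
                                    (0, 100, 88, "kdc1.example.com.")],
    "_kerberos._tcp.example.com.": [(0, 100, 88, "kdc1.example.com.")],
}
TXT_ZONE = {
    "_kerberos.example.com.": "EXAMPLE.COM",
    "_kerberos.legacy.example.com.": "Legacy.Example.COM",   # a mixed-case realm name
}


def _fqdn(name):
    """Canonicalise an owner name the way a resolver compares it: case-insensitive, absolute."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def lookup_srv(name):
    # Sorted so that lowest priority value comes first, as a client should try them.
    return sorted(SRV_ZONE.get(_fqdn(name), []))


def lookup_txt(name):
    return TXT_ZONE.get(_fqdn(name))


def locate_kdcs(realm, proto="udp"):
    """KDC (target, port) list for a realm in priority order.

    Only the DNS owner name is case-folded; the realm string the caller will put
    in its AS-REQ is never altered here, because Kerberos realms are case-sensitive.
    The answer is unauthenticated DNS data and must be treated as untrusted.
    """
    records = lookup_srv(f"_kerberos._{proto}.{realm}")
    return [(target, port) for _prio, _weight, port, target in records]


def host_to_realm(hostname):
    """Map a host to its realm by walking up the domain tree looking for _kerberos.<suffix> TXT.

    The realm string comes back from record *data*, so its case is preserved,
    unlike anything derived from the (case-insensitive) owner name.  Again: untrusted input.
    """
    labels = hostname.rstrip(".").split(".")
    for i in range(len(labels)):
        realm = lookup_txt("_kerberos." + ".".join(labels[i:]))
        if realm is not None:
            return realm
    return None


def realm_lookup_collides(realm_a, realm_b):
    """True when two realm names Kerberos would treat as different share one SRV lookup."""
    return realm_a != realm_b and _fqdn(f"_kerberos._udp.{realm_a}") == _fqdn(f"_kerberos._udp.{realm_b}")


if __name__ == "__main__":
    print(locate_kdcs("EXAMPLE.COM"))                 # kdc1 before kdc2 (priority 0 < 10)
    print(locate_kdcs("example.com") == locate_kdcs("EXAMPLE.COM"))   # True: DNS cannot tell them apart
    print(host_to_realm("db.legacy.example.com"))     # 'Legacy.Example.COM', case intact
    print(realm_lookup_collides("EXAMPLE.COM", "Example.Com"))        # True
```

The practical consequence, which the code makes visible: a client must obtain the realm string it places in the AS-REQ from its own configuration or from TXT record data, never by reconstructing it from a DNS owner name, since the SRV lookup collapses every case variant of a realm onto the same record. Both lookups return unauthenticated data; without DNS integrity protection, whoever controls name resolution for the client can steer it to a KDC or realm of their choosing, which is the reason the draft's security statement needs strengthening.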

Sasha Medvinsky <SMedvinsky@gi.com> reported on "Kerberos V Authentication Mode for Uninitialized Clients". This is new work to use Kerberos for DHCP, with an IAKERB-like intermediate server on the local network. The use of port 88 was questioned, as well as the negative host type numbers. Ken Hornstein gave a quick presentation about the alternative proposal.

Tatu Ylonen <ylo@ssh.com> gave a brief report on Kerberos Authentication in SSH. This was the same report as was given to the SSH WG. There were a number of concerns about how this was being implemented, including the mapping of principal to local account. It was suggested that GSSAPI be used rather than Kerberos directly.

Jeff Altman <jaltman@columbia.edu> announced the intent to form a Kerberos Telnet working group. This would deal with adding Kerberos authentication to telnet, most likely using GSSAPI.

The meeting lasted just over 2 hours.

Douglas E. Engert <DEEngert@anl.gov>


None received.