2.6.6 Kerberos WG (krb-wg)

NOTE: This charter is a snapshot of the 49th IETF Meeting in San Diego, California. It may now be out-of-date. Last Modified: 15-Nov-00


Douglas Engert <deengert@anl.gov>

Security Area Director(s):

Jeffrey Schiller <jis@mit.edu>
Marcus Leech <mleech@nortelnetworks.com>

Security Area Advisor:

Jeffrey Schiller <jis@mit.edu>

Mailing Lists:

General Discussion: ietf-krb-wg@anl.gov
To Subscribe: majordomo@anl.gov
In Body: subscribe ietf-krb-wg your_email_address
Archive: ftp://ftp.ietf.org/ietf-mail-archive/krb-wg/

Description of Working Group:

Kerberos over the years has been ported to virtually every operating system. There are at least two open source versions, with numerous commercial versions based on these and other proprietary implementations. Kerberos evolution has continued over the years, and interoperability has been problematic. A number of draft proposals have been issued concerning aspects of new or extended functionality.

The group will strive to improve the interoperability of these systems while improving security.

Specifically, the Working Group will:

* Clarify and amplify the Kerberos specification (RFC 1510) to make sure interoperability problems encountered in the past that occurred because of unclear specifications do not happen again. The output of this process should be suitable for Draft Standard status.

* Select from existing proposals on new or extended functionality those that will add significant value while improving interoperability and security, and publish these as one or more Proposed Standards.

Goals and Milestones:

First meeting
Dec 00

Submit the Kerberos Extensions document to the IESG for consideration as a Proposed Standard.
Dec 00

Charter Review, update of milestones and refinement of goals.
Jan 01

Submit the PKINIT document to the IESG for consideration as a Proposed Standard.
Mar 01

Charter Review, update of milestones and refinement of goals.

No Request For Comments

Current Meeting Report

MINUTES KRB-WG Meeting 8/2/00 - San Diego IETF

Reported by Doug Engert <deengert@anl.gov>

The second meeting of the Kerberos WG was held on 12/11/00 with 147 attendees, twice as many as at the first meeting. The Kerberos-Revisions is still the top priority of the working group, as most other drafts are waiting for it.

Cliff Neuman ran the discussion of the revisions, doing it section by section.

Section 1, no comments, but see name canonicalization below.

Section 2, questions were raised about unrecognized KDC flags, and it was agreed that they could be ignored by the client, except in the case when the anonymous bit was set.

Section 3, name canonicalization is still of major concern. Sam Hartman suggested that maybe it be deferred to a separate document, as it originally was. Cliff was concerned that name canonicalization addresses concerns with using unsecured DNS instead and was important. Jeff Hutzelman suggested that it introduced new problems too. I suggested that maybe parts of it be left in, to accommodate only host name mapping. Sam Hartman, Jeff Hutzelman and Ken Raeburn are to comment to the list on this. Unfortunately no one from Microsoft was present to comment. (John Brezak was scheduled to attend, but had travel problems.)

Section 4, no comments.

Section 5, Tom Yu had major concerns about backward compatibility, especially with extra fields and checksums being added to many of the messages. He suggested new message types rather than modifying current messages, and that a new KRB_SAFE type be added for use with GSSAPI. Matt Hur questioned if this was just a version number change. But Tom said the version is buried within messages and could not be checked until after the message had been parsed. Cliff said it could be done by adding new message types for the APPLICATION. There was general consensus of 17-2 that using the APPLICATION was acceptable. Jeff Hutzelman requested it be extensible so we don't have the same problem again. Tom needs to comment to the list again on which messages need to be added, as he had quite a few. A comment was made that even though the version number has not changed from 5, this might be Kerberos 6 or 7 that is being defined.

Section 6 was commented out in the current draft, as there were many questions. There are two 3des implementations, one with Key Derivation, and AES is coming, which can also use key derivation, which may be different. Each may also have its own string-to-key functions. Ken suggested that we not wait for AES. (see below) Sam said, even if we define both 3des but not AES, we will still need to make one mandatory. Ken and Cliff will be meeting later to hash out some of these issues and report back to the list.

Section 8, Matt Crawford asked where one could go to get new numbers defined, such as IANA. By consensus of 20-1, the requirement that port 88 be the KDC port will be changed to recommended, so that a site could run more than one KDC on separate ports. Pat Moore would like the NT_SRV_HOST name constraints to be less restrictive, so as to work with DCE service names. He will get this to Cliff again, as Cliff was still uncomfortable with it.

Jeff Altman asked again what happened to the Unicode vs UTF8 issue, and questioned what Microsoft was doing with unicode and principal names. Cliff needs to add this back into the revisions.

We then moved on to PKINIT. Brian Tung said there was only one minor correction. This document has been well scrutinized over the years, and is only waiting for the Kerberos Revisions. Jeff Schiller suggested that we move this on to WG last call, even though it is still waiting. By general consensus, 15-1, we will be doing a WG last call shortly after the meeting.

Matt Hur then discussed PKCROSS, which is waiting for PKINIT.

Sasha Medvinsky discussed PKTAPP which is actually informational, describing how to use PKINIT.

Pat Moore and Tom Yu discussed issues with adding user-to-user to the Kerberos GSSAPI. Pat had used an old draft from Swift as a starting point and added this to the MIT distribution. Ted Ts'o pointed out that the gss_init_sec_context would need to know the target. Pat said the target is always known with the Globus application which needs this feature. Jonathan said the target_name should be an IN/OUT parameter. Tom Yu brought up the new message types needed in the revisions, and it was agreed that these would be added.

Finally, Matt Hur and Jeff Altman gave a brief overview of the presentation they will give at the TLC session, for TLS and KRB5.


None received.