2.6.7 Kerberos WG (krb-wg)

NOTE: This charter is a snapshot of the 50th IETF Meeting in Minneapolis, Minnesota. It may now be out-of-date. Last Modified: 14-Mar-01


Chair(s):

Douglas Engert <deengert@anl.gov>

Security Area Director(s):

Jeffrey Schiller <jis@mit.edu>
Marcus Leech <mleech@nortelnetworks.com>

Security Area Advisor:

Jeffrey Schiller <jis@mit.edu>

Mailing Lists:

General Discussion:ietf-krb-wg@anl.gov
To Subscribe: majordomo@anl.gov
In Body: subscribe ietf-krb-wg your_email_address
Archive: ftp://ftp.ietf.org/ietf-mail-archive/krb-wg/

Description of Working Group:

Kerberos over the years has been ported to virtually every operating system. There are at least two open source versions, with numerous commercial versions based on these and other proprietary implementations. Kerberos evolution has continued over the years, and interoperability has been problematic. A number of draft proposals have been issued concerning aspects of new or extended functionality.

The group will strive to improve the interoperability of these systems while improving security.
Specifically, the Working Group will:
* Clarify and amplify the Kerberos specification (RFC 1510) to make sure interoperability problems encountered in the past that occurred because of unclear specifications do not happen again. The output of this process should be suitable for Draft Standard status.
* Select from existing proposals on new or extended functionality those that will add significant value while improving interoperability and security, and publish these as one or more Proposed Standards.

Goals and Milestones:

Dec 00    First meeting
Dec 00    Submit the Kerberos Extensions document to the IESG for consideration as a Proposed Standard.
Jan 01    Charter Review, update of milestones and refinement of goals.
Mar 01    Submit the PKINIT document to the IESG for consideration as a Proposed Standard.
          Charter Review, update of milestones and refinement of goals.

No Request For Comments

Current Meeting Report

KRB-WG Minutes - Minneapolis

The third meeting of the Kerberos WG was held 3/20/2001 in Minneapolis with about 50 attendees. Doug Engert was the chair and Matt Crawford was the scribe. After a short introduction of the working group, the bulk of the meeting was concerned with discussions of the Kerberos-Revisions and the Referrals.

Cliff Neuman described a number of minor changes to the Revisions, then turned the discussion over to Ken Raeburn to discuss the new Section 6. Still to be done: updating the table of key usage numbers, having a cryptographer review the functions, and deciding which crypto functions should be available to applications. Further comments on Section 6 should be sent to Ken. There were some questions. Should there be a NULL checksum method? No one could see a need for one. Are there other crypto methods in use, and can they follow this section? John Brezak said that RC4-HMAC could. Will AES also fit? Ken is working on this too, and answered yes; all that is needed are test vectors. What does visibility of crypto functions have to do with a protocol? That question was left open.

Tom Yu then described the new Section 5. This section tries to address many backward compatibility issues, but adds a lot of complexity to the draft. Tom had proposed a new KerberosString to address the UTF-8 issues. What came out was that the current (mis)use of the GeneralString in Kerberos is locality specific. Most implementations just treat a GeneralString as a bit string, so if all parties agreed, it worked. It appears that there will need to be some hint in the rest of the message (such as in the flags or options) to indicate whether a GeneralString should be treated following ASN.1 rules, or as Kerberos has treated it in the past.
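As an added illustration of the GeneralString interoperability point above (example code, not from the minutes or from any Kerberos implementation), the following encodes a principal name component as a DER GeneralString carrying raw UTF-8, then decodes it both the lenient way most implementations did and under ASN.1 rules; the strict check is simplified to rejecting any 8-bit byte and does not model ISO 2022 escape sequences.

```python
# Constructed example: Kerberos GeneralString handling, lenient vs. strict.
GENERAL_STRING_TAG = 0x1B  # ASN.1 universal tag 27

def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def encode_general_string(text: str) -> bytes:
    """Emit a GeneralString TLV with UTF-8 stuffed in as opaque bytes,
    which is how the minutes describe most implementations behaving."""
    payload = text.encode("utf-8")
    return bytes([GENERAL_STRING_TAG]) + der_length(len(payload)) + payload

def decode_general_string(buf: bytes, strict: bool) -> str:
    """Decode one GeneralString TLV.

    strict=False mirrors historical Kerberos: bytes pass through untouched and
    both sides simply assume the same local encoding (UTF-8 here).
    strict=True applies ASN.1 rules: GeneralString defaults to 7-bit ASCII
    unless ISO 2022 escapes switch character sets, so raw 8-bit UTF-8 is
    rejected (escape handling deliberately omitted in this simplified check).
    """
    if not buf or buf[0] != GENERAL_STRING_TAG:
        raise ValueError("not a GeneralString")
    first = buf[1]
    if first < 0x80:
        length, offset = first, 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[2:2 + n], "big")
        offset = 2 + n
    payload = buf[offset:offset + length]
    if len(payload) != length:
        raise ValueError("truncated GeneralString")
    if strict and any(b >= 0x80 for b in payload):
        raise ValueError("8-bit content is not valid GeneralString without ISO 2022 designation")
    return payload.decode("utf-8")

def interoperates(text: str, peer_strict: bool) -> bool:
    """True if a peer using the given decoding rule can read the name we emit."""
    try:
        decode_general_string(encode_general_string(text), strict=peer_strict)
        return True
    except ValueError:
        return False
```

The ASCII name round-trips under either rule, while a non-ASCII name only works between parties that share the lenient local convention, which is exactly the hint-in-the-message problem the discussion raised.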

Tom had also proposed a number of new message types which were designed to be extensible versions of older message types, for example a Ticket2. These were being introduced for backwards compatibility. There were still compatibility issues with the new messages, such as how a client or KDC is to know whether the other implementation can handle them.

There was concern that much of Section 5 was overkill, and that it could introduce new ASN.1 problems which could in turn cause backward compatibility problems; since there were so many problems, we should consider bumping the version number. It was decided that a smaller group would meet after the WG meeting to discuss the Section 5 issues further. (See below for notes from that meeting.)

John Brezak then described the Referrals and name canonicalization documents. At one time this was a separate document, then last year we tried to roll it into the Revisions, which appears to have been a mistake, as there are still many concerns with the referrals. It is now back to a separate document. The Revisions still has the necessary flags and numbers reserved. John gave a history of why this was needed: in organizations with large flat name spaces, users may want to keep the same name but be moved to other realms. Since there were so many concerns, including GSS-API name canonicalization issues, a smaller group would meet later in the week to hash out the issues and concerns. There was no general opposition to the concepts, but there were security concerns as to how it should be implemented.

Cliff then continued with the Revisions, and there was general consensus that all the text in the Revisions referring to name canonicalization and referrals work could be dropped, as these are covered by the Referrals document. This will let us move forward on the Revisions.

Brian Tung described the latest revision to PKINIT. The recent last call had a number of concerns, and a new draft was produced. There are still some issues with E-E DH. Matt Hur brought up some issues with a nonce to indicate willingness to accept a timestamp. But the draft could be ready for last call again in two weeks. (Still subject to reference to the Revisions, and the flags in the Revisions for PKINIT.)

Ken Hornstein presented KDC and Realm Information with DNS and said another draft is needed, and could be ready in a month or two for last call.

Jonathan Trostle presented the Kerberos changes/set password I-D update and the IAKERB. Both of these need some minor changes.

Donna Skibbie presented the KDC LDAP Schema. This draft missed the cutoff, but she was invited to speak on it anyway, so that the working group could give more input and decide whether it had merit. The presentation was accepted rather well, with even some comments on using this as the admin interface, including updating keys. The consensus was that this should go forward. Others interested in this work should contact Donna; she was going to submit this as a draft, and possibly a draft which could access the keys as well. It would then be up to the Area Directors whether these should be assigned to this working group.

Twelve people then met after the meeting to discuss the Section 5 issues. The main outcome was that the Revisions draft is trying to do too many things at once. It should be cut back to address only interoperability problems and features which are currently being implemented. In effect it would document Kerberos V5.1. New features should be left to a V5.2 Revisions. Tom Yu was to come up with the list of what should be in V5.1.


None received.