2.6.6 Kerberos WG (krb-wg)

NOTE: This charter is a snapshot of the 56th IETF Meeting in San Francisco, California USA. It may now be out-of-date.

Last Modified: 2003-01-27

Douglas Engert <deengert@anl.gov>
Security Area Director(s):
Jeffrey Schiller <jis@mit.edu>
Steven Bellovin <smb@research.att.com>
Security Area Advisor:
Jeffrey Schiller <jis@mit.edu>
Mailing Lists:
General Discussion: ietf-krb-wg@anl.gov
To Subscribe: majordomo@anl.gov
In Body: subscribe ietf-krb-wg your_email_address
Archive: ftp://ftp.ietf.org/ietf-mail-archive/krb-wg/
Description of Working Group:
Kerberos over the years has been ported to virtually every operating system. There are at least two open source versions, with numerous commercial versions based on these and other proprietary implementations. Kerberos evolution has continued over the years, and interoperability has been problematic. A number of draft proposals have been issued concerning aspects of new or extended functionality.

The group will strive to improve the interoperability of these systems while improving security.

Specifically, the Working Group will:

* Clarify and amplify the Kerberos specification (RFC 1510) to make sure interoperability problems encountered in the past that occurred because of unclear specifications do not happen again. The output of this process should be suitable for Draft Standard status.

* Select from existing proposals on new or extended functionality those that will add significant value while improving interoperability and security, and publish these as one or more Proposed Standards.

Goals and Milestones:
Done  First meeting
DEC 00  Submit the Kerberos Extensions document to the IESG for consideration as a Proposed standard.
DEC 00  Charter Review, update of milestones and refinement of goals.
JAN 01  Submit the PKINIT document to the IESG for consideration as a Proposed Standard.
MAR 01  Charter Review, update of milestones and refinement of goals.
  • - draft-ietf-cat-kerberos-pk-init-16.txt
  • - draft-ietf-cat-iakerb-09.txt
  • - draft-ietf-krb-wg-krb-dns-locate-03.txt
  • - draft-ietf-cat-kerberos-set-passwd-06.txt
  • - draft-skibbie-krb-kdc-ldap-schema-02.txt
  • - draft-ietf-krb-wg-hw-auth-02.txt
  • - draft-ietf-krb-wg-crypto-03.txt
  • - draft-ietf-krb-wg-kerberos-clarifications-03.txt
  • - draft-ietf-krb-wg-utf8-profile-01.txt
  • - draft-skibbie-krb-kdckeys-ldap-schema-00.txt
  • - draft-ietf-krb-wg-kerberos-sam-01.txt
  • No Request For Comments

    Current Meeting Report

    The Kerberos WG met on 3/17/3 for about 1 and a half hours. In 
    attendance where approximately 53 people. 
    Doug Engert the chairman open the meeting, and a scribe was selected.  But 
    since the scribe's computer broke during the meeting, we don't have the 
    official notes, so this this is a compilation of notes from others.  So if 
    there is something missing, please get the comments to the list. 
    Sam gave a presentation on the recent Kerberos 4 
    vulnerabilities. Steve Bellovin wrote a paper on this subject in 1991 or 92, 
    but was one paragraph short of describing the attack.
    Cliff, and Ken talked on the three key drafts: Clarifications, KCRYPTO, and 
    AES as they need to progress together to WG last call. 
    Clarifications and AES are now ready for last call, KCRYPTO  needs some 
    minor changes and should be ready in a few days.  Clarifications has 
    already gone through a last call, so it expected to progress.  These three 
    drafts need to progress together, and need to progress before many of the 
    other drafts, including the Extensions draft. 
    Wyllys talked on the major revision of the 
    change-set-password draft, which is being positioned to work with 
    Clarifications and Extensions. 
    Jeff Altman, talked about the UTF-8 draft, and the SASL equivalent draft.  He 
    will be looking at merging them, with help from the SASL chair. This 
    should be a win-win situation for both WGs.
    Sasha addressed Packet Cable issues: 
       - PacketCable (VoIP security) is using a frozen version of Kerberos 
    revisions draft, before some features (e.g., keyed checksums) were 
    removed for interoperability with RFC 1510.
       - When Kerberos extensions is defined with those features removed from 
    clarifications, PacketCable may be able to at least optionally support an 
    IETF RFC for Kerberos extensions.
       - PacketCable is also using latest versions of PKINIT and PKCROSS IETF 
       - I didn't have any changes to report on the PKINIT draft; still have 
    same issues to address on UTF8 string encoding and translation from X.500 
    names to Kerberos principal names and realms.  Need to reference latest 
    crypto and clarifications drafts.
    I talked on the IAKERB  about how it had been before the IESG, for over a 
    year, but there has been some concerns about it.  It has being 
    withdrawn, and will be considered again if there is  substantial 
    interest. It should be update with regards to Extensions.  (Since then I 
    realize I should not have made this statement.  I and the AD have been in 
    contact with the author on this, and it is expected the draft will be 
    Sam further commented: 
    "I don't believe that iakerb is likely to have any issues with 
    clarifications, but the mode of iakerb that has reduced number of round 
    trips is likely to be incompatible with extensions because extensions will 
    integrity-protect  the request to make sure no changes are made."
    "I believe that one of iakerb, EAP krb5, , EAP GSS should actually go 
    forward.  Eap krb5 has been sketched out (although not publicly) but does 
    not really exist within the IETF context.  EAP GSS has significant 
    security issues and I hope it does not go forward at all.  Iakerb has 
    significant esthetic issues that we have discussed to death here.  I think we 
    should wait until there is clear interest either from the wireless or 
    dialup community that they want to use Kerberos and then work on one of 
    these mechanisms." 


    None received.