2.6.2 Kerberos WG (krb-wg)

NOTE: This charter is a snapshot of the 59th IETF Meeting in Seoul, Korea. It may now be out-of-date.

Last Modified: 2004-02-13

Douglas Engert <deengert@anl.gov>
Jeffrey Hutzelman <jhutz@cmu.edu>
Security Area Director(s):
Russell Housley <housley@vigilsec.com>
Steven Bellovin <smb@research.att.com>
Security Area Advisor:
Russell Housley <housley@vigilsec.com>
Mailing Lists:
General Discussion: ietf-krb-wg@anl.gov
To Subscribe: majordomo@anl.gov
In Body: subscribe ietf-krb-wg your_email_address
Archive: ftp://ftp.ietf.org/ietf-mail-archive/krb-wg/
Description of Working Group:
Kerberos over the years has been ported to virtually every operating system. There are at least two open source versions, with numerous commercial versions based on these and other proprietary implementations. Kerberos evolution has continued over the years, and interoperability has been problematic. A number of draft proposals have been issued concerning aspects of new or extended functionality.

The group will strive to improve the interoperability of these systems while improving security.

Specifically, the Working Group will:

* Clarify and amplify the Kerberos specification (RFC 1510) to make sure interoperability problems encountered in the past that occurred because of unclear specifications do not happen again. The output of this process should be suitable for Draft Standard status.

* Select from existing proposals on new or extended functionality those that will add significant value while improving interoperability and security, and publish these as one or more Proposed Standards.

Goals and Milestones:
Done  First meeting
Dec 00  Submit the Kerberos Extensions document to the IESG for consideration as a Proposed standard.
Dec 03  Complete first draft of Pre-auth Framework
Jan 04  Complete first draft of Extensions
Done  Submit K5-GSS-V2 document to IESG for consideration as a Proposed Standard
Mar 04  Submit the PKINIT document to the IESG for consideration as a Proposed Standard.
Apr 04  Submit Extensions document to IESG for consideration as a Proposed Standard
Apr 04  Submit Change/Set Password document to IESG for consideration as a Proposed Standard
May 04  Submit Pre-auth Framework document to IESG for consideration as a Proposed Standard
Oct 04  Submit PKCROSS to IESG for consideration as a Proposed Standard
Nov 04  Charter Review, update of milestones and refinement of goals.
  • -draft-ietf-cat-kerberos-pk-init-18.txt
  • -draft-ietf-krb-wg-kerberos-referrals-03.txt
  • -draft-ietf-krb-wg-crypto-07.txt
  • -draft-ietf-krb-wg-kerberos-clarifications-05.txt
  • -draft-ietf-krb-wg-kerberos-sam-02.txt
  • -draft-ietf-krb-wg-kerberos-set-passwd-01.txt
  • -draft-ietf-krb-wg-gssapi-cfx-07.txt
  • -draft-ietf-krb-wg-preauth-framework-00.txt
  • No Request For Comments

    Current Meeting Report

    Kerberos WG  (krb-wg)
    THURSDAY, March 4, 2004
    Sapphire 1
     Chairs: Douglas Engert  (not present), Jeffrey Hutzelman 
     Scribe: Richard Graveman 
    INTRODUCTION: Jeff Hutzelman
        Jabber was used also by a majority of the WG, about 20 people. 
        There were no changes to the agenda.
    Several documents were sent to the IESG: 
       crypto framework (draft-ietf-krb-wg-crypto-07): New version was sent out before the 
           meeting. All issues should be resolved (Hartman). Waiting for the AD. IANA 
           considerations need to be checked.
       clarifications   (draft-ietf-krb-wg-kerberos-clarifications-05): BCN sent a new 
           version and believes all issues are resolved. Back to the AD. RH reported 
           three "discuss" votes.
       GSSAPI-CFX       (draft-ietf-krb-wg-gssapi-cfx-06): RH sent comments and the author 
           responded before the cut off. There was one more acknowledgment quest to be  
           dealt with editorial. Currently in WG LC.
    KERBEROS-EXTENSIONS Status Update - Sam Hartman 
        In fairly good shape on protocol. The issue tracker will be changed. Text from 
        BCN has not arrived. Clarifications in 1510 may need change (Tom Yu). 
        Alternate Structure - Sam Hartman, for Tom Yu (draft-yu-krb-wg-kerberos-extensions-00)
        Currently a skeletal individual submission. Alternative structure, but should describe
        the same wire protocol. Motivations for change were clarity and removing 
        verbosity especially sections 3 and 5. Semantics embedded in Section 5; partial  
        material in Section 3 is hard to understand in one pass. Goals are to start with an  
        overview, get a good hierarchical structure, put semantics in one place with message 
        definitions, and remove implementation specific detail. Overview information will precede 
        message descriptions. Treat TGS and AS requests as specializations of the KDC request. 
        Work from common elements to differences. Describe Kerberos in terms of ASN.1 types. 
        The new layout is Overview, Basic Concepts, Individual Sections for the Three Protocols 
        of Kerberos, IANA, Security, etc. 
        The Overview explains TTP, use of symmetric crypto, 
        the three protocols. ASN.1 use, Principals, and Encrypted Data, Tickets.
           Credentials Acquisition
           Application Authentication
           Session key use
        It describes common elements of KDC request handling; better discussion of keys; 
        clear up time handling (interactions of different time fields; who updates what). 
        Missing naming issues, transport, and typed holes. There are some protocol differences 
        (nonces, checksums, etc.).
        Use text from Clarifications.
        Questions and discussion: 
        Only a few people had read the proposal.
        Is the structure better than the structure of Clarifications? 
        All who had an opinion thought this was an improvement. Easier for implementers. 
        Which structure should be adopted? Either approach requires work; we should therefore 
        pick one. Support for new structure. Detail still needs to be filled in. More discussion 
        on the ML. 
    REFERRALS (draft-ietf-keb-wg-kerberos-referrals-03)
        Nothing was presented.
    PKINIT (draft-ietf-cat-kerberos-pk-init-18)
        Work Status and Open Issues - Chair
        Submitted before cut off. Pretty much up to date with all identified issues. Still 
        on track for March WG LC and submission to IESG. Push from Vienna IETF to get this 
        done. CableLabs hosted interim meeting; list of issues posted and tracked. Several 
        items resolved on ML and in Minneapolis (confirmed on ML). All text received and  
        incorporated. Issues:
           SubjectAltName for user cert
              Comments from Brian included proposed text. Will be posted on the ML. 
           Client name canonicalization problems (Nico Williams)
              Resolved recently. Believe there is consensus. Yes; clients need to include 
              a name in PKINIT AS requests. Name returned by the KDC must match. 
              Better text now exists. One minor point is still being discussed on the ML.
          Preauth Type Numbers
              Earlier drafts had different message numbers. This is likely to be resolved 
              quickly. Brian asked whether RH wants to see this before it goes to LC. Yes; 
              it will be emailed to him when the text is stable. 
         Eric Rosenthal and Doc Evens will do an editorial review before WG LC.
    PREAUTHENTICATION FRAMEWORK, Sam Hartman (draft-ietf-krb-wg-preauth-framework-00)
        At the previous WG meeting, work was started. A first draft describes in more 
        detail how preauthentication works (at the client). An "authentication fashion" 
        exists at the client. The client keeps track of keys and other state. There may be  
        multiple round trips; the KDC is stateless. The mechanism needs to provide cookies 
        back to the KDC. The extensibility model needs to deal with the set of mechanisms and 
        key change. All of this has to e wrapped in the proposal. (The alternative is that one 
        knows already that the mechanism is supported.)
        State management is also described. The issue is that much of this was never documented.
        The remaining (hard) stuff includes:
          1.     The KDC cannot deal with combinations of methods. This will be out of scope.
          2.     Multi-round requests, signatures, and binding have to be done with a stateless KDC.
          3.     Nonces and signatures need more clarification. 
        Some items will be deferred until the Extensions model can be used. What depends just 
        on Clarifications will be included. Discussion will take place on the ML. The hope is to 
        make this useful with respect to Clarifications and not broken by Extensions. 
        Concluding discussion and open microphone:
          1.      The schedule needs to be revisited.
          2.      More information was requested on referrals.
    The meeting adjourned at 10:04.
      * WG: Remaining PKINIT issues (SubjectAltName, cname canonicalization,
        OCSP text) to be resolved on list by March 15
      * Brian Tung: send new PKINIT to reviewers by March 22
      * various: PKINIT review done by March 29
      * brian tung: send new PKINIT to I-D repository by April 2
      * chairs: review kerberos-clarifications and send back to IESG if ready
      * chairs: review kcrypto and send back to IESG if ready
    Many of the members of the WG, about 20  where participating via Jabber,
    and the Jabber logs can be found at: 
    (Personal thanks to Richard Graveman  for writing up the minutes.) 


    Agenda Reorganizing Kerberos Extensions