DRAFT Minutes for krb-wg at IETF61
** IETF 61 - San Diego, CA
** Kerberos Working Group
** Wed, Nov 10, 2004 - 13:30-15;30
Chair: Jeffrey Hutzelman
Scribes: Ken Hornstein, Jeffrey Altman, Wayne Morrison
+ Preliminaries - Jeffrey Hutzelman (5 min)
+ Document Status - Jeffrey Hutzelman (5 min)
+ Extensions - Tom Yu (30 min)
+ PKINIT - Brian Tung (20 min)
+ OCSP for PKINIT - Larry Zhu (5 min)
+ SHA-1 - Ken Raeburn (5 min)
+ Preauthentication Framework - Sam Hartman (15 min)
+ Referrals - Larry Zhu (5 min)
+ Set/Change Password - Nico Williams (10 min)
+ Update Milestones - Chair and Participants (10 min)
* Document Status
The chairs reviewed the status of several documents moving through
the IETF process, and solicited comments on a couple of issues...
+ Crypto Framework
- The crypto framework is near the top of the RFC-Editor queue,
and is expected to enter author's 48 hours in the next few
weeks. There are two changes of note which will be made in
- The first change is the inclusion of the PRF as discussed at
the last meeting and on the mailing list.
- The second change is a correction to the description of how
checksums are calculated for the DES enctypes. As written,
the document is inconsistent on whether checksums for these
enctypes should cover padding. Existing implementations do
include padding in the checksums, and the document will be
updated to specify that.
- The GSSAPI mechanism is still in the RFC-Editor queue.
- Larry believes it is important to import into this document
the text on name types from RFC1964 (with suitable updates
to references), so that implementors who are only targeting
"new" enctypes will be able to refer only to the new document.
This has been discussed with Russ, who will run the change
past the IESG if the WG agrees it is the right thing to do.
- The issue of the naming text is still under discussion on the
mailing list; please comment there.
- There is not a ticket for the naming issue.
- The AES document was approved by the IESG and is now in the
+ Kerberos Clarifications
- Clarifications was approved by the IESG and is now in the
RFC-Editor queue. We're going to try not to call it back...
+ GSSAPI Mechanism Extensions
- Nico has two documents which relate to extending the Kerberos
GSSAPI mechanism to support GSSAPI extensions being considered
- These documents will be worked on and discussed in the KITTEN
- Last call will occur in both KITTEN and KRB-WG.
- Any KRB-WG participants who are interested in these documents
but have no interest in the rest of KITTEN's work and would
have a problem with the work happening there should contact the
+ Tom Yu gave an overview of the current status of extensions and
some of the open issues.
+ There was a brief discussion on the issue of identifying typed
holes using relative OID's.
- Tom indicated there had been some concerns about using relative
rather than absolute OID's since it would restrict use to a
subset of the OID namespace which would likely contain only
an arc belonging to Kerberos.
- Sam indicated that this had been discussed in Boulder, and that
we should stick with the decision made there unless someone
specifically asked to reopen the issue.
- Someone asked whether built-in compression in encoding would
help with OID's with long prefixes. Tom indicated that the
constant previs could be fairly long.
- The chair reviewed the minutes from Boulder, and found that the
issue had been discussed extensively and while the minutes made
no mention of discussion specifically about absoulte-vs-relative,
the decision to allow OID's at all did specifically mention
- Discussion about OID assignment policy was deferred in Boulder,
and again today.
+ There was a discussion on notational conventions for referring
to ASN.1 types and fields in the body of the text.
- Clarifications is inconsistent on this point.
- Tom gave examples of 4 methods used in clarifications.
- There was strong agreement that the ALL_CAPS method was not good.
- Agreement to use single or double quotes at the editor's discretion.
+ Tom listed some issues which still need to be resolved, but which
were not discussed at the meeting.
+ The document will be republished as a WG document after the I-D
submission blackout period. There was some discussion about the
title and filename for the new document.
+ Brian Tung gave an overview of the status of PKINIT. Many of the
open issues have now been closed.
+ Larry Zhu will be joining Brian as co-editor of PKINIT.
+ DER vs BER has been resolved; thanks to all who participated.
+ Nico Williams will write up text for how to indicate PKINIT support.
+ Sam Hartman will write up comments on unauthenticated plaintext.
+ Larry Zhu will send a concrete proposal for client name mapping.
+ There was discussion of ticket #666, related to removing the
- It was previously proposed that this field be removed unless
someone could identify what it was for, and the field went
away in pkinit-20.
- Love pointed out that the field was for supporting the case
where the client's main cert was signing-only.
- The chair conducted a poll to determine whether there was a
desire to support solving the signing-only certs problem by
using encryption certs instead of DH. The sense of the room
was strongly in favor of considering DH sufficient.
- This issue will be revisited and validated on the list.
+ There was discussion of ticket #526, which is about the issue of
constraints on subjectAltName/OtherName/KRB5PrincipalName.
- Love Hörnquist-Åstrand pointed out there is currently no way
to have constraints on this field, so you can't do things like
issue a CA cert that is going only for one realm.
- Russ Housley pointed out this is because AnotherName can be
extended arbitrarily, so there is no way to have a defined
- Nico says if a client asserts a cname, it's up to the KDC to
- Love asks if an ASN.1-encoded structure as the value for the
otherName is a good idea, or if it should just be a string.
There does not seem to be agreement for a change.
- Sam Hartman says the strongest argument agsint doing constraints
is that the KDC is alwasys in the loop and can enforce any
name constraints it wants.
- Russ Housley says he finds KDC-in-the-loop a compelling argument.
- Jeffrey Hutzelman asked whether a constraint type defined in the
future could be made critical.
- Russ checked the specs, and determined that name constraints
MUST be critical.
- This issue can be addressed in the future without problems.
+ Sam Hartman made a proposal for handling of checksums in PKINIT
- The basic problem is that Kerberos checksums aren't intended to
be used for what PKINIT uses them for. They're good for Kerberos
operations, not random oracle DH operations. Some people have
suggested that kcrypto should provide suitable operations; Sam
has objected. Anything doing DH already has to do DH group
negotiation. Ken Raeburn went through the work of writing up
unkeyed SHA-1, but discovered it didn't fit the model.
- The proposal is to use a raw SHA-1 checksum now, and add a way
to do negotiation later.
- Sense of the room was in favor of not doing negotation now.
This will be revisited and validated on the mailing list.
* OCSP for PKINIT
+ Larry Zhu gave a presentation on the status of OCSP for PKINIT.
+ Draft was sent to the list, but there hasn't been any feedback.
Please read and post comments.
+ Draft will be last called soon.
+ There was no presentation on the SHA-1 document. Based on the
direction we've chosen for PKINIT, this document will likely be
allowed to expire.
* Preauthentication Framework
+ Sam Hartman talked briefly on the preauth framework. He is at the
point where he needs a co-editor.
+ There was dicussions as to which Kerberos rev to target.
- Sam asked whether we expect there to be enough clarifications-era
preauth mechanisms that the framework will be needed.
- Nico thinks preauth should target extensions.
- Agreement seems to be to target extensions only
+ This is low priority for now.
+ Larry Zhu gave a presentation on the current state of Referrals.
He believes the document is close to ready for last call, but it
has not received enough review.
* Set/Change Password
+ Nico Williams gave a non-presentation on the Set/Change Password
document. There have been no interesting developments since the
last meeting. The major at the issue at the moment is still
+ Nico asked for some indication that it is the consensus of the WG
that he is going in the right direction with this document.
* Update Milestones
+ The following new and updated milestones were agreed on:
DONE Complete first draft of Pre-auth framework
DONE Complete first draft of Extensions
Nov 2004 Last call on PKINIT
Nov 2004 Last call on OCSP for PKINIT
Feb 2005 Concensus on direction for Change/Set password
Mar 2005 Major issues resolved on Extensions
Jun 2005 Last call on Extensions
Jun 2005 Last call on Referrals
Sep 2005 Last call on Change/Set password
Sep 2005 Charter Review
DROP Submit Pre-auth Framework document to IESG...
DROP Submit PKCROSS to IESG...