2.7.8 Kerberos (krb-wg)

NOTE: This charter is a snapshot of the 72nd IETF Meeting in Dublin, Ireland. It may now be out-of-date.
In addition to this official charter maintained by the IETF Secretariat, there is additional information about this working group on the Web at:

       Additional KRB-WG Web Page

Last Modified: 2008-03-13


Jeffrey Hutzelman <jhutz@cmu.edu>
Larry Zhu <lzhu@windows.microsoft.com>

Security Area Director(s):

Tim Polk <tim.polk@nist.gov>
Pasi Eronen <pasi.eronen@nokia.com>

Security Area Advisor:

Tim Polk <tim.polk@nist.gov>

Mailing Lists:

General Discussion: ietf-krb-wg@lists.anl.gov
To Subscribe: https://lists.anl.gov/mailman/listinfo/ietf-krb-wg
Archive: https://lists.anl.gov/pipermail/ietf-krb-wg/

Description of Working Group:

Kerberos over the years has been ported to virtually every operating
system. There are at least two open source versions, with numerous
commercial versions based on these and other proprietary
implementations. Kerberos evolution has continued in recent years, with
the development of a new crypto framework, publication of a new version
of the Kerberos specification, support for initial authentication using
public keys, and numerous extensions developed in and out of the IETF.

However, wider deployment and advances in technology bring with them
both new challenges and new opportunities, particularly with regard to
making initial authentication of users to the Kerberos system both
convenient and secure. In addition, several key features remain undefined.

The Kerberos Working Group will continue to improve the core Kerberos
specification, develop extensions to address new needs and technologies
related to improving the process of client authentication, and produce
specifications for missing functionality.

Specifically, the Working Group will:

* Complete existing work:
- ECC for PKINIT (draft-zhu-pkinit-ecc-03.txt)
- Set/Change Password
- Naming Constraints (draft-ietf-krb-wg-naming-02.txt)
- Anonymity (draft-ietf-krb-wg-anon-03.txt)
- Hash agility for GSS-KRB5
- Hash agility for PKINIT (draft-ietf-krb-wg-pkinit-alg-agility-01.txt)
- Referrals (draft-ietf-krb-wg-kerberos-referrals-08.txt)

* Prepare and advance a specification for an updated, backward-
compatible version of the Kerberos version 5 protocol which supports
non-ASCII principal and realm names, salt strings, and passwords;
insures that those portions of the protocol which are not encrypted are
nonetheless authenticated whenever possible; and enables future protocol
revisions and extensions.

* Develop extensions which reduce or eliminate exposure of Kerberos
clients' long-term keys to attack and enable the use of alternate
mechanisms for initial authentication. This task will comprise the
following items:
- A model and framework for preauthentication mechanisms
- A mechanism for providing a protected channel for carrying
preauthentication data and/or a reply key between a Kerberos
client and KDC, within the KDC_REQ/KDC_REP exchange.
- Support for One-Time Passwords
- Support for hardware authentication tokens
- Support for using TLS to secure communications with Kerberos KDCs.

* Examine issues related to the current cross-realm model, produce a
list of problems to be solved, and evaluate approaches to solving them.

* Develop extensions to Kerberos and a GSS-API mechanism (IAKERB) to
enable Kerberos clients to communicate with a KDC by using a GSS-API
acceptor as a proxy.

* Produce a data model for information needed by the KDC, and an LDAP
schema for management of that data.

Goals and Milestones:

Done  First meeting
Done  Submit the Kerberos Extensions document to the IESG for consideration as a Proposed standard.
Done  Complete first draft of Pre-auth Framework
Done  Complete first draft of Extensions
Done  Submit K5-GSS-V2 document to IESG for consideration as a Proposed Standard
Done  Last Call on OCSP for PKINIT
Done  Consensus on direction for Change/Set password
Done  Enctype Negotiation to IESG
Done  Last Call on PKINIT ECC
Done  TCP Extensibility to IESG
Jul 2007  Set/Change Password to IESG
Jul 2007  Naming Constraints to IESG
Done  ECC for PKINIT to IESG
Aug 2007  Anonymity to IESG
Aug 2007  Hash agility for GSS-KRB5 to IESG
Aug 2007  Hash agility for PKINIT to IESG
Aug 2007  Choose direction for Kerberos v5.3
Sep 2007  WGLC on preauth framework
Nov 2007  WGLC on OTP
Nov 2007  WGLC on hardware preauth
Dec 2007  WGLC on data model
Dec 2007  WGLC on cross-realm issues
Jan 2008  WGLC on STARTTLS
Jan 2008  WGLC on Referrals
Mar 2008  WGLC on Kerberos v5.3
Mar 2008  WGLC on IAKERB
Mar 2008  WGLC on LDAP schema


  • draft-ietf-krb-wg-kerberos-referrals-10.txt
  • draft-ietf-krb-wg-kerberos-set-passwd-07.txt
  • draft-ietf-krb-wg-preauth-framework-07.txt
  • draft-zhu-pkinit-ecc-04.txt
  • draft-ietf-krb-wg-anon-05.txt
  • draft-ietf-krb-wg-naming-04.txt
  • draft-ietf-krb-wg-gss-cb-hash-agility-03.txt
  • draft-ietf-krb-wg-cross-problem-statement-02.txt
  • draft-ietf-krb-wg-otp-preauth-03.txt
  • draft-ietf-krb-wg-iakerb-00.txt
  • draft-ietf-krb-wg-kdc-model-01.txt

    Request For Comments:

    RFC3961 Standard Encryption and Checksum Specifications for Kerberos 5
    RFC3962 Standard AES Encryption for Kerberos 5
    RFC4120 Standard The Kerberos Network Authentication Service (V5)
    RFC4121 Standard The Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Mechanism: Version 2
    RFC4537 PS Kerberos Cryptosystem Negotiation Extension
    RFC4556 PS Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)
    RFC4557 PS Online Certificate Status Protocol (OCSP) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)
    RFC5021 PS Extended Kerberos Version 5 Key Distribution Center (KDC) Exchanges Over TCP

    Meeting Minutes


    KDC information model comments
    Last Call issues on Anonymous
    FAST and Pre-Authentication Framework