Kerberos (krb-wg)
-----------------
Charter
Last Modified: 2006-10-17
Current Status: Active Working Group
Chair(s):
Jeffrey Hutzelman <jhutz@cmu.edu>
Security Area Director(s):
Russ Housley <housley@vigilsec.com>
Sam Hartman <hartmans-ietf@mit.edu>
Security Area Advisor:
Sam Hartman <hartmans-ietf@mit.edu>
Mailing Lists:
General Discussion:ietf-krb-wg@anl.gov
To Subscribe: majordomo@anl.gov
In Body: subscribe ietf-krb-wg your_email_address
Archive: ftp://ftp.ietf.org/ietf-mail-archive/krb-wg/
Description of Working Group:
Kerberos over the years has been ported to virtually every operating
system. There are at least two open source versions, with numerous
commercial versions based on these and other proprietary
implementations. Kerberos evolution has continued over the years, and
interoperability has been problematic. A number of draft proposals
have been issued concerning aspects of new or extended functionality.
The group will strive to improve the interoperability of these
systems while improving security.
Specifically, the Working Group will:
* Clarify and amplify the Kerberos specification (RFC 1510) to make
sure
interoperability problems encountered in the past that occurred
because of unclear specifications do not happen again. The output of
this process should be suitable for Draft Standard status.
* Select from existing proposals on new or extended functionality those
that will add significant value while improving interoperability and
security, and publish these as one or more Proposed Standards.
Goals and Milestones:
Done First meeting
Done Submit the Kerberos Extensions document to the IESG for
consideration as a Proposed standard.
Done Complete first draft of Pre-auth Framework
Done Complete first draft of Extensions
Done Submit K5-GSS-V2 document to IESG for consideration as a
Proposed Standard
Done Last Call on OCSP for PKINIT
Done Consensus on direction for Change/Set password
Done PKINIT to IESG
Done Enctype Negotiation to IESG
Done Last Call on PKINIT ECC
Mar 2006 Review milestones
Mar 2006 Issues identified for Anonymous
Jun 2006 Major issues resolved on Extensions
Aug 2006 Last Call on Extensions
Aug 2006 Last Call on Referrals
Sep 2006 Last Call on Change/Set password
Internet-Drafts:
Posted Revised I-D Title <Filename>
------ ------- --------------------------------------------
Jul 2001 Oct 2006 <draft-ietf-krb-wg-hw-auth-04.txt>
Passwordless Initial Authentication to Kerberos by Hardware
Preauthentication
May 2003 Jul 2006 <draft-ietf-krb-wg-kerberos-set-passwd-05.txt>
Kerberos Set/Change Key/Password Protocol Version 2
Feb 2004 Oct 2006 <draft-ietf-krb-wg-preauth-framework-04.txt>
A Generalized Framework for Kerberos Pre-Authentication
Jan 2005 Oct 2006 <draft-ietf-krb-wg-rfc1510ter-03.txt>
The Kerberos Network Authentication Service (Version 5)
Sep 2005 Sep 2006 <draft-zhu-pkinit-ecc-02.txt>
ECC Support for PKINIT
May 2006 Sep 2006 <draft-ietf-krb-wg-tcp-expansion-01.txt>
Extended Kerberos Version 5 Key Distribution Center (KDC)
Exchanges Over TCP
Jun 2006 Oct 2006 <draft-ietf-krb-wg-anon-02.txt>
Anonymity Support for Kerberos
Jun 2006 Oct 2006 <draft-ietf-krb-wg-naming-01.txt>
Additional Kerberos Naming Constraits
Jun 2006 Oct 2006 <draft-ietf-krb-wg-pkinit-alg-agility-01.txt>
PK-INIT algorithm agility
Nov 2006 Nov 2006 <draft-ietf-krb-wg-gss-cb-hash-agility-00.txt>
Kerberos Version 5 GSS-API Channel Binding Hash Agility
Request For Comments:
RFC Stat Published Title
------- -- ----------- ------------------------------------
RFC3962Standard Feb 2005 AES Encryption for Kerberos 5
RFC3961Standard Feb 2005 Encryption and Checksum Specifications for Kerberos 5
RFC4120Standard Jul 2005 The Kerberos Network Authentication Service (V5)
RFC4121Standard Jul 2005 The Kerberos Version 5 Generic Security Service
Application Program Interface (GSS-API) Mechanism:
Version 2
RFC4537 PS Jun 2006 Kerberos Cryptosystem Negotiation Extension
RFC4557 PS Jun 2006 Online Certificate Status Protocol (OCSP) Support for
Public Key Cryptography for Initial Authentication in
Kerberos (PKINIT)
RFC4556 PS Jun 2006 Public Key Cryptography for Initial Authentication in
Kerberos (PKINIT)