Kerberos (krb-wg)
-----------------

 Charter
 Last Modified: 2011-06-28

 Current Status: Active Working Group

 Chair(s):
     Jeffrey Hutzelman  <jhutz@cmu.edu>
     Larry Zhu  <larry.zhu@microsoft.com>
     Sam Hartman  <hartmans-ietf@mit.edu>

 Security Area Director(s):
     Stephen Farrell  <stephen.farrell@cs.tcd.ie>
     Sean Turner  <turners@ieca.com>

 Security Area Advisor:
     Stephen Farrell  <stephen.farrell@cs.tcd.ie>

 Mailing Lists: 
     General Discussion:ietf-krb-wg@lists.anl.gov
     To Subscribe:      https://lists.anl.gov/mailman/listinfo/ietf-krb-wg
     Archive:           https://lists.anl.gov/pipermail/ietf-krb-wg/

Description of Working Group:

Kerberos over the years has been ported to virtually every operating
system.  There are at least two open source versions, with numerous
commercial versions based on these and other proprietary implementations.
Kerberos evolution has continued in recent years, with the development
of new crypto and preauthentication frameworks, support for initial
authentication using public keys, improved support for protecting
clients' long-term keys during initial authentication, support for
anonymous and partially-anonymous authentication, and numerous
extensions developed in and out of the IETF.

However, wider deployment and advances in technology bring with them
both new challenges and new opportunities, such as exploring support
for new mechanisms for initial authentication, new cryptographic
technologies, and better integration of Kerberos with other systems
for authentication, authorization, and identity management.
In addition, several key features remain undefined.

The Kerberos Working Group will continue to improve the core Kerberos
specification, develop extensions to address new needs and technologies
related to the areas described above, and produce specifications for
missing functionality.


Specifically, the Working Group will:

* Complete existing work, including:
   - DHCP Option                (draft-sakane-dhc-dhcpv6-kdc-option-10.txt)
   - KDC Data Model             (draft-ietf-krb-wg-kdc-model-09.txt)
   - One-Time Passwords         (draft-ietf-krb-wg-otp-preauth-16.txt)
   - IAKERB                     (draft-ietf-krb-wg-iakerb-02.txt)
   - Single-DES Deprecation     (draft-lha-des-die-die-die-05.txt)
   - IANA registry creation     (draft-lha-krb-wg-some-numbers-to-iana)
   - Hash agility for GSS-KRB5  (draft-ietf-krb-wg-gss-cb-hash-agility-06.txt)
   - Hash agility for PKINIT    (draft-ietf-krb-wg-pkinit-alg-agility-05.txt)
   - Referrals                  (draft-ietf-krb-wg-kerberos-referrals-12.txt)
   - Set/Change Password        (draft-ietf-krb-wg-kerberos-set-passwd-08.txt)

* Prepare and advance one or more standards-track specifications which
  update the Kerberos version 5 protocol to support non-ASCII principal
  and realm names, salt strings, and passwords, and localized error
  reporting.  Maximizing backward compatibility is strongly desired.
  
* Prepare and advance one or more standards-track specifications which
  update the Kerberos version 5 protocol in a backward-compatible way
  to support extending the unencrypted portion of a Kerberos ticket.

* Prepare, review, and advance standards-track and informational
  specifications defining use of new cryptographic algorithms in the
  Kerberos protocol, on an ongoing basis.  

* Prepare, review, and advance standards-track and informational
  specifications defining use of new cryptographic algorithms in
  Kerberos using the RFC3961 framework.  Cryptographic algorithms
  intended for standards track status must be of good quality, have
  broad international support, and fill a definite need.

* Prepare, review, and advance standards-track and informational
  specifications defining new authorization data types for carrying
  supplemental information about the client to which a Kerberos ticket
  has been issued and/or restrictions on what the ticket can be used
  for. To enhance this ongoing authorization data work, a container
  format supporting the use cases of draft-sorce-krbwg-general-pac-01
  may be standardized.

* Prepare a standards-track protocol to solve the use cases addressed
  by draft-hotz-kx509-01 including new support for digital signatures.

* Prepare and advance one or more standards-track specifications
  which define mechanisms for establishing keys and configuration
  information used during authentication between Kerberos realms.
  
* Prepare and advance a standards-track specification defining a
  format for the transport of Kerberos credentials within other
  protocols.

* Today Kerberos requires a replay cache to be used in AP exchanges in
  almost all cases.  Replay caches are quite complex to implement
  correctly, particularly in clustered systems, and high-performance
  replay caches are even more difficult to implement.  The WG will
  pursue extensions that minimize the need for replay caching, optimize
  replay caching, and/or eliminate the need for replay caching.

* Produce an LDAP schema for management of the KDC's database.

 Goals and Milestones:

   Done         First meeting 

   Done         Submit the Kerberos Extensions document to the IESG for 
                consideration as a Proposed standard. 

   Done         Complete first draft of Pre-auth Framework 

   Done         Complete first draft of Extensions 

   Done         Submit K5-GSS-V2 document to IESG for consideration as a 
                Proposed Standard 

   Done         Last Call on OCSP for PKINIT 

   Done         Consensus on direction for Change/Set password 

   Done         PKINIT to IESG 

   Done         Enctype Negotiation to IESG 

   Done         Last Call on PKINIT ECC 

   Done         TCP Extensibility to IESG 

   Done         ECC for PKINIT to IESG 

   Done         Naming Constraints to IESG 

   Done         Anonymity to IESG 

   Done         WGLC on preauth framework 

   Done         WGLC on OTP 

   Done         WGLC on data model 

   Done         WGLC on cross-realm issues 

   Done         WGLC on IAKERB 

   Done         Anonymity back to IESG 

   Done         WGLC on STARTTLS 

   Done         WGLC on DHCPv6 Option 

   Done         draft-ietf-krb-wg-clear-text-cred to IESG 

   Aug 2011       draft-ietf-krbwg-camellia-cts to IESG 

   Aug 2011       draft-ietf-krb-wg-des-die-die-die to IESG 

   Sep 2011       DHCP option for Kerberos to IESG 

   Oct 2011       Internationalized error support to IESG 

   Oct 2011       draft-ietf-krb-wg-pkinit-alg-agility to IESG 

   Dec 2011       Kerberos PAD authorization data to IESG 

   Dec 2011       Consider adopting kx509bis in response to use cases in 
                draft-hotz-kx509-01 


 Internet-Drafts:

Posted Revised         I-D Title   <Filename>
------ ------- --------------------------------------------
Mar 2001 Mar 2011   <draft-ietf-krb-wg-kerberos-referrals-12.txt>
                Kerberos Principal Name Canonicalization and KDC-Generated 
                Cross-Realm Referrals 

Nov 2006 May 2011   <draft-ietf-krb-wg-gss-cb-hash-agility-07.txt>
                Kerberos Version 5 GSS-API Channel Binding Hash Agility 

Oct 2007 Jul 2011   <draft-ietf-krb-wg-otp-preauth-18.txt>
                OTP Pre-authentication 

Dec 2007 May 2011   <draft-ietf-krb-wg-kdc-model-10.txt>
                An information model for Kerberos version 5 

Feb 2008 Jul 2011   <draft-sakane-dhc-dhcpv6-kdc-option-12.txt>
                Kerberos Options for DHCPv6 

Jun 2011 Jul 2011   <draft-ietf-krb-wg-clear-text-cred-01.txt>
                The Unencrypted Form Of Kerberos 5 KRB-CRED Message 

 Request For Comments:

  RFC     Stat      Published   Title
-------  --------  ----------  ------------------------------------
RFC3962  Standard  Feb 2005    AES Encryption for Kerberos 5

RFC3961  Standard  Feb 2005    Encryption and Checksum Specifications for Kerberos 5

RFC4120  Standard  Jul 2005    The Kerberos Network Authentication Service (V5)

RFC4121  Standard  Jul 2005    The Kerberos Version 5 Generic Security Service
                               Application Program Interface (GSS-API) Mechanism:
                               Version 2

RFC4537  PS        Jun 2006    Kerberos Cryptosystem Negotiation Extension

RFC4557  PS        Jun 2006    Online Certificate Status Protocol (OCSP) Support for
                               Public Key Cryptography for Initial Authentication in
                               Kerberos (PKINIT)

RFC4556  PS        Jun 2006    Public Key Cryptography for Initial Authentication in
                               Kerberos (PKINIT)

RFC5021  PS        Aug 2007    Extended Kerberos Version 5 Key Distribution Center
                               (KDC) Exchanges Over TCP

RFC5349  I         Sep 2008    Elliptic Curve Cryptography (ECC) Support for Public Key
                               Cryptography for Initial Authentication in Kerberos
                               (PKINIT)

RFC5868  I         May 2010    Problem Statement on the Cross-Realm Operation of
                               Kerberos

RFC6111  PS        Apr 2011    Additional Kerberos Naming Constraints

RFC6112  PS        Apr 2011    Anonymity Support for Kerberos

RFC6113  PS        Apr 2011    A Generalized Framework for Kerberos Pre-Authentication

RFC6251  I         May 2011    Using Kerberos Version 5 over the Transport Layer
                               Security (TLS) Protocol