Kerberos (krb-wg)
-----------------

 Charter
 Last Modified: 2009-01-12

 Current Status: Active Working Group

 Chair(s):
     Jeffrey Hutzelman  <jhutz@cmu.edu>
     Larry Zhu  <lzhu@windows.microsoft.com>

 Security Area Director(s):
     Tim Polk  <tim.polk@nist.gov>
     Pasi Eronen  <pasi.eronen@nokia.com>

 Security Area Advisor:
     Tim Polk  <tim.polk@nist.gov>

 Mailing Lists:
     General Discussion: ietf-krb-wg@lists.anl.gov
     To Subscribe:       https://lists.anl.gov/mailman/listinfo/ietf-krb-wg
     Archive:            https://lists.anl.gov/pipermail/ietf-krb-wg/

Description of Working Group:

Kerberos over the years has been ported to virtually every operating
system. There are at least two open source versions, with numerous
commercial versions based on these and other proprietary
implementations. Kerberos evolution has continued in recent years, with
the development of a new crypto framework, publication of a new version
of the Kerberos specification, support for initial authentication using
public keys, and numerous extensions developed in and out of the IETF.

However, wider deployment and advances in technology bring with them
both new challenges and new opportunities, particularly with regard to
making initial authentication of users to the Kerberos system both
convenient and secure. In addition, several key features remain undefined.

The Kerberos Working Group will continue to improve the core Kerberos
specification, develop extensions to address new needs and technologies
related to improving the process of client authentication, and produce
specifications for missing functionality.


Specifically, the Working Group will:

* Complete existing work:
  - ECC for PKINIT (draft-zhu-pkinit-ecc-03.txt)
  - Set/Change Password (draft-ietf-krb-wg-kerberos-set-passwd-05.txt)
  - Naming Constraints (draft-ietf-krb-wg-naming-02.txt)
  - Anonymity (draft-ietf-krb-wg-anon-03.txt)
  - Hash agility for GSS-KRB5 (draft-ietf-krb-wg-gss-cb-hash-agility-00.txt)
  - Hash agility for PKINIT (draft-ietf-krb-wg-pkinit-alg-agility-01.txt)
  - Referrals (draft-ietf-krb-wg-kerberos-referrals-08.txt)

* Prepare and advance a specification for an updated, backward-compatible
version of the Kerberos version 5 protocol which supports non-ASCII
principal and realm names, salt strings, and passwords; ensures that those
portions of the protocol which are not encrypted are nonetheless
authenticated whenever possible; and enables future protocol revisions and
extensions.

* Develop extensions which reduce or eliminate exposure of Kerberos
clients' long-term keys to attack and enable the use of alternate
mechanisms for initial authentication. This task will comprise the
following items:
  - A model and framework for preauthentication mechanisms
  - A mechanism for providing a protected channel for carrying
    preauthentication data and/or a reply key between a Kerberos
    client and KDC, within the KDC_REQ/KDC_REP exchange.
  - Support for One-Time Passwords
  - Support for hardware authentication tokens
  - Support for using TLS to secure communications with Kerberos KDCs.

* Examine issues related to the current cross-realm model, produce a
list of problems to be solved, and evaluate approaches to solving them.

* Develop extensions to Kerberos and a GSS-API mechanism (IAKERB) to
enable Kerberos clients to communicate with a KDC by using a GSS-API
acceptor as a proxy.

* Produce a data model for information needed by the KDC, and an LDAP
schema for management of that data.

 Goals and Milestones:

   Done         First meeting 

   Done         Submit the Kerberos Extensions document to the IESG for 
                consideration as a Proposed standard. 

   Done         Complete first draft of Pre-auth Framework 

   Done         Complete first draft of Extensions 

   Done         Submit K5-GSS-V2 document to IESG for consideration as a 
                Proposed Standard 

   Done         Last Call on OCSP for PKINIT 

   Done         Consensus on direction for Change/Set password 

   Done         PKINIT to IESG 

   Done         Enctype Negotiation to IESG 

   Done         Last Call on PKINIT ECC 

   Done         TCP Extensibility to IESG 

   Done         ECC for PKINIT to IESG 

   Done         Naming Constraints to IESG 

   Done         Anonymity to IESG 

   Sep 2007       WGLC on preauth framework 

   Done         WGLC on OTP 

   Done         WGLC on data model 

   Done         WGLC on cross-realm issues 

   Jan 2008       WGLC on Referrals 

   Dec 2008       Set/Change Password to IESG 

   Dec 2008       Hash agility for GSS-KRB5 to IESG 

   Dec 2008       Hash agility for PKINIT to IESG 

   Dec 2008       Anonymity back to IESG 

   Done         WGLC on IAKERB 

   Jan 2009       WGLC on STARTTLS 

   Feb 2009       Data Model to IESG 

   Feb 2009       OTP to IESG 


 Internet-Drafts:

Posted   Revised    I-D Title   <Filename>
-------- --------   --------------------------------------------
Feb 2004 Jun 2009   <draft-ietf-krb-wg-preauth-framework-12.txt>
                    A Generalized Framework for Kerberos Pre-Authentication

Oct 2007 Oct 2008   <draft-ietf-krb-wg-cross-problem-statement-03.txt>
                    Problem statement on the cross-realm operation of Kerberos

Oct 2007 Apr 2009   <draft-ietf-krb-wg-otp-preauth-10.txt>
                    OTP Pre-authentication

Dec 2007 Mar 2009   <draft-ietf-krb-wg-kdc-model-04.txt>
                    An information model for Kerberos version 5

 Request For Comments:

  RFC     Stat      Published   Title
------- --------  ----------- ------------------------------------
RFC3962 Standard  Feb 2005    AES Encryption for Kerberos 5

RFC3961 Standard  Feb 2005    Encryption and Checksum Specifications for Kerberos 5

RFC4120 Standard  Jul 2005    The Kerberos Network Authentication Service (V5)

RFC4121 Standard  Jul 2005    The Kerberos Version 5 Generic Security Service
                              Application Program Interface (GSS-API) Mechanism:
                              Version 2

RFC4537 PS        Jun 2006    Kerberos Cryptosystem Negotiation Extension

RFC4557 PS        Jun 2006    Online Certificate Status Protocol (OCSP) Support for
                              Public Key Cryptography for Initial Authentication in
                              Kerberos (PKINIT)

RFC4556 PS        Jun 2006    Public Key Cryptography for Initial Authentication in
                              Kerberos (PKINIT)

RFC5021 PS        Aug 2007    Extended Kerberos Version 5 Key Distribution Center
                              (KDC) Exchanges Over TCP

RFC5349 I         Sep 2008    Elliptic Curve Cryptography (ECC) Support for Public Key
                              Cryptography for Initial Authentication in Kerberos
                              (PKINIT)