Kerberos (krb-wg) ----------------- Charter Last Modified: 2010-03-25 Current Status: Active Working Group Chair(s): Jeffrey Hutzelman Larry Zhu Security Area Director(s): Sean Turner Tim Polk Security Area Advisor: Tim Polk Mailing Lists: General Discussion:ietf-krb-wg@lists.anl.gov To Subscribe: https://lists.anl.gov/mailman/listinfo/ietf-krb-wg Archive: https://lists.anl.gov/pipermail/ietf-krb-wg/ Description of Working Group: Kerberos over the years has been ported to virtually every operating system. There are at least two open source versions, with numerous commercial versions based on these and other proprietary implementations. Kerberos evolution has continued in recent years, with the development of a new crypto framework, publication of a new version of the Kerberos specification, support for initial authentication using public keys, and numerous extensions developed in and out of the IETF. However, wider deployment and advances in technology bring with them both new challenges and new opportunities, particularly with regard to making initial authentication of users to the Kerberos system both convenient and secure. In addition, several key features remain undefined. The Kerberos Working Group will continue to improve the core Kerberos specification, develop extensions to address new needs and technologies related to improving the process of client authentication, and produce specifications for missing functionality. Specifically, the Working Group will: * Complete existing work: - ECC for PKINIT (draft-zhu-pkinit-ecc-03.txt) - Set/Change Password (draft-ietf-krb-wg-kerberos-set-passwd-05.txt) - Naming Constraints (draft-ietf-krb-wg-naming-02.txt) - Anonymity (draft-ietf-krb-wg-anon-03.txt) - Hash agility for GSS-KRB5 (draft-ietf-krb-wg-gss-cb-hash-agility-00.txt) - Hash agility for PKINIT (draft-ietf-krb-wg-pkinit-alg-agility-01.txt) - Referrals (draft-ietf-krb-wg-kerberos-referrals-08.txt) * Prepare and advance a specification for an updated, backward- compatible version of the Kerberos version 5 protocol which supports non-ASCII principal and realm names, salt strings, and passwords; insures that those portions of the protocol which are not encrypted are nonetheless authenticated whenever possible; and enables future protocol revisions and extensions. * Develop extensions which reduce or eliminate exposure of Kerberos clients' long-term keys to attack and enable the use of alternate mechanisms for initial authentication. This task will comprise the following items: - A model and framework for preauthentication mechanisms - A mechanism for providing a protected channel for carrying preauthentication data and/or a reply key between a Kerberos client and KDC, within the KDC_REQ/KDC_REP exchange. - Support for One-Time Passwords - Support for hardware authentication tokens - Support for using TLS to secure communications with Kerberos KDCs. * Examine issues related to the current cross-realm model, produce a list of problems to be solved, and evaluate approaches to solving them. * Develop extensions to Kerberos and a GSS-API mechanism (IAKERB) to enable Kerberos clients to communicate with a KDC by using a GSS-API acceptor as a proxy. * Produce a data model for information needed by the KDC, and an LDAP schema for management of that data. Goals and Milestones: Done First meeting Done Submit the Kerberos Extensions document to the IESG for consideration as a Proposed standard. Done Complete first draft of Pre-auth Framework Done Complete first draft of Extensions Done Submit K5-GSS-V2 document to IESG for consideration as a Proposed Standard Done Last Call on OCSP for PKINIT Done Consensus on direction for Change/Set password Done PKINIT to IESG Done Enctype Negotiation to IESG Done Last Call on PKINIT ECC Done TCP Extensibility to IESG Done ECC for PKINIT to IESG Done Naming Constraints to IESG Done Anonymity to IESG Done WGLC on preauth framework Done WGLC on OTP Done WGLC on data model Done WGLC on cross-realm issues Jan 2008 WGLC on Referrals Dec 2008 Set/Change Password to IESG Dec 2008 Hash agility for GSS-KRB5 to IESG Dec 2008 Hash agility for PKINIT to IESG Dec 2008 Anonymity back to IESG Done WGLC on IAKERB Done WGLC on STARTTLS Feb 2009 Data Model to IESG Feb 2009 OTP to IESG Apr 2010 WGLC on DHCPv6 Option Internet-Drafts: Posted Revised I-D Title ------ ------- -------------------------------------------- Feb 2004 Jun 2010 A Generalized Framework for Kerberos Pre-Authentication Nov 2004 Aug 2010 Using Kerberos V5 over the Transport Layer Security (TLS) protocol Jun 2006 Aug 2010 Anonymity Support for Kerberos Jun 2006 Aug 2010 Additional Kerberos Naming Constraints Oct 2007 Apr 2010 OTP Pre-authentication Dec 2007 May 2010 An information model for Kerberos version 5 Feb 2008 Sep 2010 Kerberos Options for DHCPv6 Jul 2009 Jul 2010 Deprecate DES support for Kerberos Request For Comments: RFC Stat Published Title ------- -- ----------- ------------------------------------ RFC3962Standard Feb 2005 AES Encryption for Kerberos 5 RFC3961Standard Feb 2005 Encryption and Checksum Specifications for Kerberos 5 RFC4120Standard Jul 2005 The Kerberos Network Authentication Service (V5) RFC4121Standard Jul 2005 The Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Mechanism: Version 2 RFC4537 PS Jun 2006 Kerberos Cryptosystem Negotiation Extension RFC4556 PS Jun 2006 Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) RFC4557 PS Jun 2006 Online Certificate Status Protocol (OCSP) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) RFC5021 PS Aug 2007 Extended Kerberos Version 5 Key Distribution Center (KDC) Exchanges Over TCP RFC5349 I Sep 2008 Elliptic Curve Cryptography (ECC) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) RFC5868 I May 2010 Problem Statement on the Cross-Realm Operation of Kerberos