datatracker.ietf.org

Kerberos
charter-ietf-krb-wg-08

Versions: 08
Charter for "Kerberos" (krb-wg) WG
WG State: Concluded
Charter State:
Responsible AD: none

Send notices to: none
Last updated: 2000-07-13


Charter charter-ietf-krb-wg-08

Kerberos over the years has been ported to virtually every operating
  system.  There are at least two open source versions, with numerous
  commercial versions based on these and other proprietary implementations.
  Kerberos evolution has continued in recent years, with the development
  of new crypto and preauthentication frameworks, support for initial
  authentication using public keys, improved support for protecting
  clients' long-term keys during initial authentication, support for
  anonymous and partially-anonymous authentication, and numerous
  extensions developed in and out of the IETF.
  
  However, wider deployment and advances in technology bring with them
  both new challenges and new opportunities, such as exploring support
  for new mechanisms for initial authentication, new cryptographic
  technologies, and better integration of Kerberos with other systems
  for authentication, authorization, and identity management.
  In addition, several key features remain undefined.
  
  The Kerberos Working Group will continue to improve the core Kerberos
  specification, develop extensions to address new needs and technologies
  related to the areas described above, and produce specifications for
  missing functionality.
  
  
  Specifically, the Working Group will:
  
  * Complete existing work, including:
     - DHCP Option               (draft-sakane-dhc-dhcpv6-kdc-option-10.txt)
     - KDC Data Model            (draft-ietf-krb-wg-kdc-model-09.txt)
     - One-Time Passwords        (draft-ietf-krb-wg-otp-preauth-16.txt)
     - IAKERB                    (draft-ietf-krb-wg-iakerb-02.txt)
     - Single-DES Deprecation    (draft-lha-des-die-die-die-05.txt)
     - IANA registry creation    (draft-lha-krb-wg-some-numbers-to-iana)
     - Hash agility for GSS-KRB5 (draft-ietf-krb-wg-gss-cb-hash-agility-06.txt)
     - Hash agility for PKINIT   (draft-ietf-krb-wg-pkinit-alg-agility-05.txt)
     - Referrals                 (draft-ietf-krb-wg-kerberos-referrals-12.txt)
     - Set/Change Password       (draft-ietf-krb-wg-kerberos-set-passwd-08.txt)
  
  * Prepare and advance one or more standards-track specifications which
    update the Kerberos version 5 protocol to support non-ASCII principal
    and realm names, salt strings, and passwords, and localized error
    reporting.  Maximizing backward compatibility is strongly desired.
    
  * Prepare and advance one or more standards-track specifications which
    update the Kerberos version 5 protocol in a backward-compatible way
    to support extending the unencrypted portion of a Kerberos ticket.
  
  * Prepare, review, and advance standards-track and informational
    specifications defining use of new cryptographic algorithms in the
    Kerberos protocol, on an ongoing basis.  
  
  * Prepare, review, and advance standards-track and informational
    specifications defining use of new cryptographic algorithms in
    Kerberos using the RFC3961 framework.  Cryptographic algorithms
    intended for standards track status must be of good quality, have
    broad international support, and fill a definite need.
  
  * Prepare, review, and advance standards-track and informational
    specifications defining new authorization data types for carrying
    supplemental information about the client to which a Kerberos ticket
    has been issued and/or restrictions on what the ticket can be used
    for. To enhance this ongoing authorization data work, a container
    format supporting the use cases of draft-sorce-krbwg-general-pac-01
    may be standardized.
  
  * Prepare a standards-track protocol to solve the use cases addressed
    by draft-hotz-kx509-01 including new support for digital signatures.
  
  * Prepare and advance one or more standards-track specifications
    which define mechanisms for establishing keys and configuration
    information used during authentication between Kerberos realms.
    
  * Prepare and advance a standards-track specification defining a
    format for the transport of Kerberos credentials within other
    protocols.
  
  * Today Kerberos requires a replay cache to be used in AP exchanges in
    almost all cases: the server must remember the authenticators it has
    accepted within the allowed clock skew so that a captured AP-REQ cannot
    be presented a second time.  Replay caches are quite complex to
    implement correctly, particularly in clustered systems, where every
    node must see the authenticators accepted by its peers.  High-performance
    replay caches are even more difficult to implement.  The WG will pursue
    extensions to minimize the need for replay caching, optimize replay
    caching, and/or eliminate the need for replay caching.
  
  * Produce an LDAP schema for management of the KDC's database.