Skip to main content

Common Authentication Technology Next Generation

Document Charter Common Authentication Technology Next Generation WG (kitten)
Title Common Authentication Technology Next Generation
Last updated 2022-03-23
State Approved
WG State Active
IESG Responsible AD Paul Wouters
Charter edit AD Paul Wouters
Send notices to (None)

The purpose of the Common Authentication Technology Next Generation
(Kitten) working group (WG) is to develop extensions/improvements to the
GSS-API and to the Kerberos authentication system, shepherd specific
GSS-API security mechanisms, and provide guidance for any new
SASL-related submissions.

This charter combines the work of the Kerberos WG and the kitten WG 
(under the aegis of the kitten WG).  In places, it identifies which WG 
was previously home for that work.

The working group will develop extensions and/or updates to the GSS-API,
working on specific items regarding credential management, replay cache
avoidance, error reporting, and supporting stateless and/or distributed

The working group will also maintain and improve upon the Kerberos
protocol, working on items regarding internationalization considering 
alignment with the precis work, new initial authentication types, 
authorization framework/data, replay cache avoidance, cryptography 
advances, interop with 3rd party authentication, and identity 

In detail, both existing and new work items include:

Existing Working Group Items
SASL Mechanism for OAuth (draft-ietf-kitten-sasl-oauth)
SASL Mechansim for SAML-EC (draft-ietf-kitten-sasl-saml-ec)
GSS-API IANA Registry (draft-ietf-kitten-gssapi-extensions-iana)
KDC Model (draft-ietf-krb-wg-kdc-model)
PKINIT Hash Agility (draft-ietf-krb-wg-pkinit-alg-agility)
Kerberos IANA Registry (draft-ietf-kitten-kerberos-iana-registries)
Initial and Pass Through Authentication in Kerberos 5 (draft-ietf-krb-wg-iakerb)
Unencrypted Portion of Ticket Extensions (draft-ietf-krb-wg-ticket-extensions)

GSS-API Related
Provide new interfaces for credential management, which include the
       initializing credentials
       iterating credentials
       exporting/importing credentials

Negotiable replay cache avoidance

Define interfaces for better error message reporting.

Specify an option for exporting partially-established security
      contexts and possibly a utility function for exporting security
      contexts in an encrypted form, as well as a corresponding utility
      function to decrypt and import such security context tokens.

Specify one-time password / two-factor authentication needs for SASL
      applications.  This could be achieved through an explicit new
      GSS-API/SASL mechanism (e.g., or if
      the consensus is that due to usability reasons, it is preferable 
      to do OTP/2FA through an higher level protocol
      (Kerberos/OpenID/SAML/SAML20EC/EAP?) then prepare a document 
      explaining the usability problem and provide pointers for 

Kerberos Related

Prepare, review, and advance standards-track and informational
      specifications defining new authorization data types for carrying
      supplemental information about the client to which a Kerberos 
      ticket has been issued and/or restrictions on what the ticket can 
      be used for. To enhance this ongoing authorization data work, a 
      container format supporting the use cases of draft-ietf-krb-wg-pad 
      may be standardized.

Prepare a standards-track protocol to solve the use cases addressed
      by draft-hotz-kx509-01 including new support for digital 

Today Kerberos requires a replay cache to be used in AP exchanges in
      almost all cases.  Replay caches are quite complex to implement
      correctly, particularly in clustered systems. High-performance 
      replay caches are even more difficult to implement.  The WG will 
      pursue extensions to minimize the need for replay caching, 
      optimize replay caching, and/or elide the need for replay caching.

Prepare, review, and advance standards-track and informational
      specifications defining use of new cryptographic algorithms in the
      Kerberos protocol using the RFC3961 framework, on an ongoing 
      basis.  Cryptographic algorithms intended for standards track 
      status must be of good quality, have broad international support, 
      and fill a definite need.

Prepare, review, and advance standards-track and informational
      specifications of new pre-authentication types for the Kerberos
      protocol, on an ongoing basis.

Prepare, review, and advance standards track updates and extensions to 
      RFC4121, as needed and on an ongoing basis.