Common Authentication Technology Next Generation
charter-ietf-kitten-07-02
| Document | Proposed charter | Common Authentication Technology Next Generation WG (kitten) Snapshot | |
|---|---|---|---|
| Title | Common Authentication Technology Next Generation | ||
| Last updated | 2013-02-19 | ||
| State | IESG Review (Charter for Approval, Selected by Secretariat) Rechartering | ||
| WG | State | Active | |
| IESG | Responsible AD | Paul Wouters | |
| Charter edit AD | Stephen Farrell | ||
| Send notices to | kitten-chairs@tools.ietf.org |
Description of Working Group:
The purpose of the Common Authentication Technology Next Generation
(Kitten) working group (WG) is to develop extensions/improvements to the
GSS-API and to the Kerberos authentication system, shepherd specific
GSS-API security mechanisms, and provide guidance for any new
SASL-related submissions.
This charter combines the work of the Kerberos WG and the kitten WG (under the
aegis of the kitten WG). In places, it identifies which WG was previously home
for that work.
The working group will develop extensions and/or updates to the GSS-API,
working on specific items regarding credential management, replay cache
avoidance, error reporting, and supporting stateless and/or distributed
acceptors.
The working group will also maintain and improve upon the Kerberos
protocol, working on items regarding internationalization considering
alignment with the precis work, new initial
authentication types, authorization framework/data, replay cache
avoidance, cryptography advances, interop with 3rd party authentication,
and identity management.
In detail, both existing and new work items include:
Existing Working Group Items
SASL Mechanism for OAuth (draft-ietf-kitten-sasl-oauth)
SASL Mechansim for SAML-EC (draft-ietf-kitten-sasl-saml-ec)
GSS-API IANA Registry (draft-ietf-kitten-gssapi-extensions-iana)
KDC Model (draft-ietf-krb-wg-kdc-model)
PKINIT Hash Agility (draft-ietf-krb-wg-pkinit-alg-agility)
Kerberos IANA Registry (draft-ietf-kitten-kerberos-iana-registries)
Initial and Pass Through Authentication in Kerberos 5 (draft-ietf-krb-wg-iakerb)
Unencrypted Portion of Ticket Extensions (draft-ietf-krb-wg-ticket-extensions)
GSS-API Related
Provide new interfaces for credential management, which include the
following:
initializing credentials
iterating credentials
exporting/importing credentials
Negotiable replay cache avoidance
Define interfaces for better error message reporting.
Specify an option for exporting partially-established security
contexts and possibly a utility function for exporting security
contexts in an encrypted form, as well as a corresponding utility
function to decrypt and import such security context tokens.
Specify one-time password / two-factor authentication needs for SASL
applications. This could be achieved through an explicit new
GSS-API/SASL mechanism (e.g.,
http://tools.ietf.org/html/draft-josefsson-kitten-crotp-00) or if
the consensus is that due to usability reasons, it is preferable to do
OTP/2FA through an higher level protocol
(Kerberos/OpenID/SAML/SAML20EC/EAP?) then prepare a document explaining
the usability problem and provide pointers for implementers.
Kerberos Related
Prepare, review, and advance standards-track and informational
specifications defining new authorization data types for carrying
supplemental information about the client to which a Kerberos ticket
has been issued and/or restrictions on what the ticket can be used
for. To enhance this ongoing authorization data work, a container
format supporting the use cases of draft-ietf-krb-wg-pad may be
standardized.
Prepare a standards-track protocol to solve the use cases addressed
by draft-hotz-kx509-01 including new support for digital signatures.
Today Kerberos requires a replay cache to be used in AP exchanges in
almost all cases. Replay caches are quite complex to implement
correctly, particularly in clustered systems. High-performance replay
caches are even more difficult to implement. The WG will pursue
extensions to minimize the need for replay caching, optimize replay
caching, and/or elide the need for replay caching.
Prepare, review, and advance standards-track and informational
specifications defining use of new cryptographic algorithms in the
Kerberos protocol using the RFC3961 framework, on an ongoing basis.
Cryptographic algorithms intended for standards track status must be of
good quality, have broad international support, and fill a definite need.
Prepare, review, and advance standards-track and informational
specifications of new pre-authentication types for the Kerberos
protocol, on an ongoing basis.
Prepare, review, and advance standards track updates and extensions to RFC4121,
as needed and on an ongoing basis.
Goals and Milestones
Mar 2013 draft-ietf-kitten-sasl-oauth to IESG
Mar 2013 draft-ietf-krb-wg-pkinit-alg-agility to IESG
Apr 2013 draft-ietf-kitten-sasl-saml-ec to IESG
Apr 2013 draft-ietf-krb-wg-iakerb to IESG
May 2013 draft-ietf-kitten-gssapi-extensions-iana to IESG
May 2013 draft-ietf-krb-wg-cammac to IESG
Jun 2013 draft-ietf-kitten-kerberos-iana-registries to IESG
Jun 2013 draft-ietf-krb-wg-pad to IESG
Jul 2013 Adopt work on one or more items for GSS-API cred management
Jul 2013 Adopt work on better error reporting in the GSS-API
Aug 2013 Adopt work on exporting partially-established GSS-API contexts
Aug 2013 draft-ietf-krb-wg-ticket-extensions to IESG
Sep 2013 Adopt work on the GSS-API for replay cache avoidance