Common Authentication Technology Next Generation
charter-ietf-kitten-08

WG review announcement

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: kitten WG <kitten@ietf.org> 
Subject: WG Review: Common Authentication Technology Next Generation (kitten)

The Common Authentication Technology Next Generation (kitten) working
group in the Security Area of the IETF is undergoing rechartering. The
IESG has not made any determination yet. The following draft charter was
submitted, and is provided for informational purposes only. Please send
your comments to the IESG mailing list (iesg at ietf.org) by 2013-02-19.

Common Authentication Technology Next Generation (kitten)
------------------------------------------------
Current Status: Active Working Group

Chairs:
  Shawn Emery <shawn.emery@oracle.com>
  Josh Howlett <josh.howlett@ja.net>
  Sam Hartman <hartmans-ietf@mit.edu>

Secretaries:
  Simon Josefsson <simon@josefsson.org>

Assigned Area Director:
  Stephen Farrell <stephen.farrell@cs.tcd.ie>

Mailing list
  Address: kitten@ietf.org
  To Subscribe: https://www.ietf.org/mailman/listinfo/kitten
  Archive: http://www.ietf.org/mail-archive/web/kitten/

Charter of Working Group:

Description of Working Group:
------------------------------------------

The purpose of the Common Authentication Technology Next Generation
(Kitten) working group (WG) is to develop extensions/improvements to the
GSS-API and to the Kerberos authentication system, shepherd specific
GSS-API security mechanisms, and provide guidance for any new
SASL-related submissions.

This charter combines the work of the Kerberos WG and the kitten WG
(under the aegis of the kitten WG).  In places, it identifies which WG 
was previously home for that work.

The working group will develop extensions and/or updates to the GSS-API,
working on specific items regarding credential management, replay cache
avoidance, error reporting, and supporting stateless and/or distributed
acceptors. 

The working group will also maintain and improve upon the Kerberos
protocol, working on items regarding internationalization, new initial
authentication types, authorization framework/data, replay cache
avoidance, cryptography advances, interop with 3rd party authentication,
and identity management.

In detail, both existing and new work items include:

Existing Working Group Items
---------------------------
SASL Mechanism for OAuth (draft-ietf-kitten-sasl-oauth)
SASL Mechansim for SAML-EC (draft-ietf-kitten-sasl-saml-ec)
GSS-API IANA Registry (draft-ietf-kitten-gssapi-extensions-iana)
KDC Model (draft-ietf-krb-wg-kdc-model)
PKINIT Hash Agility (draft-ietf-krb-wg-pkinit-alg-agility)
Kerberos IANA Registry (draft-ietf-kitten-kerberos-iana-registries)
Initial and Pass Through Authentication in Kerberos 5
(draft-ietf-krb-wg-iakerb)
Unencrypted Portion of Ticket Extensions
(draft-ietf-krb-wg-ticket-extensions)

GSS-API Related
---------------
Provide new interfaces for credential management, which include the
      following:
       initializing credentials
       iterating credentials
       exporting/importing credentials

Negotiable replay cache avoidance

Define interfaces for better error message reporting.

Specify an option for exporting partially-established security
      contexts and possibly a utility function for exporting security
      contexts in an encrypted form, as well as a corresponding utility
      function to decrypt and import such security context tokens.

Specify one-time password / two-factor authentication needs for SASL
      applications.  This could be achieved through an explicit new
      GSS-API/SASL mechanism (e.g.,
      http://tools.ietf.org/html/draft-josefsson-kitten-crotp-00) or if
      the consensus is that due to usability reasons, it is preferable 
      to do OTP/2FA through an higher level protocol
      (Kerberos/OpenID/SAML/SAML20EC/EAP?) then prepare a 
      document explaining the usability problem and provide pointers 
      for implementers.

Kerberos Related
----------------
Prepare and advance one or more standards-track specifications which
      update the Kerberos version 5 protocol to support non-ASCII
      principal and realm names, salt strings, and passwords, and 
      localized error reporting.  Maximizing backward compatibility is 
      strongly desired.

Prepare, review, and advance standards-track and informational
      specifications defining new authorization data types for carrying
      supplemental information about the client to which a Kerberos
      ticket has been issued and/or restrictions on what the ticket can 
      be used for. To enhance this ongoing authorization data work, a 
      container format supporting the use cases of draft-ietf-krb-wg-pad 
      may be standardized.

Prepare a standards-track protocol to solve the use cases addressed
      by draft-hotz-kx509-01 including new support for digital
      signatures.

Today Kerberos requires a replay cache to be used in AP exchanges in
      almost all cases.  Replay caches are quite complex to implement
      correctly, particularly in clustered systems. High-performance
      replay caches are even more difficult to implement.  The WG 
      will pursue extensions to minimize the need for replay caching, 
      optimize replay caching, and/or elide the need for replay caching.

Prepare, review, and advance standards-track and informational
      specifications defining use of new cryptographic algorithms in the
      Kerberos protocol using the RFC3961 framework, on an ongoing basis.
 
      Cryptographic algorithms intended for standards track status must
      be of good quality, have broad international support, and fill a 
      definite need.

Prepare, review, and advance standards-track and informational
      specifications of new pre-authentication types for the Kerberos
      protocol, on an ongoing basis.

Prepare, review, and advance standards track updates and extensions to
     RFC4121, as needed and on an ongoing basis.

Goals and Milestones
--------------------

Mar 2013       draft-ietf-kitten-sasl-oauth to IESG
Mar 2013       draft-ietf-krb-wg-pkinit-alg-agility to IESG
Apr 2013       draft-ietf-kitten-sasl-saml-ec to IESG
Apr 2013       draft-ietf-krb-wg-iakerb to IESG
May 2013       draft-ietf-kitten-gssapi-extensions-iana to IESG
May 2013       draft-ietf-krb-wg-cammac to IESG
Jun 2013       draft-ietf-kitten-kerberos-iana-registries to IESG
Jun 2013       draft-ietf-krb-wg-pad to IESG
Jul 2013       Adopt work on one or more items for GSS-API cred
management
Jul 2013       Adopt work on better error reporting in the GSS-API
Aug 2013       Adopt work on exporting partially-established GSS-API
contexts
Aug 2013       draft-ietf-krb-wg-ticket-extensions to IESG
Sep 2013       Adopt work on the GSS-API for replay cache avoidance
  



Milestones:
  Jul 2011 - Submit SASL OpenID mechanism to the IESG as Proposed
Standard
  Jul 2011 - Submit naming-exts to the IESG as Proposed Standard
  Jul 2011 - WGLC on gssapi-extensions-iana
  Aug 2011 - Submit SASL SAML mechanisms to the IESG as Proposed Standard
  Sep 2011 - Submit gssapi-extensions-iana to the IESG as Proposed
Standard


WG action announcement

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: kitten WG <kitten@ietf.org> 
Subject: WG Action: Rechartered Common Authentication Technology Next Generation (kitten)

The Common Authentication Technology Next Generation (kitten) working
group in the Security Area of the IETF has been rechartered. For
additional information please contact the Area Directors or the WG
Chairs.

Common Authentication Technology Next Generation (kitten)
------------------------------------------------
Current Status: Active Working Group

Chairs:
  Shawn Emery <shawn.emery@oracle.com>
  Josh Howlett <josh.howlett@ja.net>
  Sam Hartman <hartmans-ietf@mit.edu>

Secretaries:
  Simon Josefsson <simon@josefsson.org>

Assigned Area Director:
  Stephen Farrell <stephen.farrell@cs.tcd.ie>

Mailing list
  Address: kitten@ietf.org
  To Subscribe: https://www.ietf.org/mailman/listinfo/kitten
  Archive: http://www.ietf.org/mail-archive/web/kitten/

Charter of Working Group:

The purpose of the Common Authentication Technology Next Generation
(Kitten) working group (WG) is to develop extensions/improvements to the
GSS-API and to the Kerberos authentication system, shepherd specific
GSS-API security mechanisms, and provide guidance for any new
SASL-related submissions.

This charter combines the work of the Kerberos WG and the kitten WG 
(under the aegis of the kitten WG).  In places, it identifies which WG 
was previously home for that work.

The working group will develop extensions and/or updates to the GSS-API,
working on specific items regarding credential management, replay cache
avoidance, error reporting, and supporting stateless and/or distributed
acceptors. 

The working group will also maintain and improve upon the Kerberos
protocol, working on items regarding internationalization considering 
alignment with the precis work, new initial authentication types, 
authorization framework/data, replay cache avoidance, cryptography 
advances, interop with 3rd party authentication, and identity 
management.

In detail, both existing and new work items include:

Existing Working Group Items
---------------------------
SASL Mechanism for OAuth (draft-ietf-kitten-sasl-oauth)
SASL Mechansim for SAML-EC (draft-ietf-kitten-sasl-saml-ec)
GSS-API IANA Registry (draft-ietf-kitten-gssapi-extensions-iana)
KDC Model (draft-ietf-krb-wg-kdc-model)
PKINIT Hash Agility (draft-ietf-krb-wg-pkinit-alg-agility)
Kerberos IANA Registry (draft-ietf-kitten-kerberos-iana-registries)
Initial and Pass Through Authentication in Kerberos 5
(draft-ietf-krb-wg-iakerb)
Unencrypted Portion of Ticket Extensions
(draft-ietf-krb-wg-ticket-extensions)

GSS-API Related
---------------
Provide new interfaces for credential management, which include the
      following:
       initializing credentials
       iterating credentials
       exporting/importing credentials

Negotiable replay cache avoidance

Define interfaces for better error message reporting.

Specify an option for exporting partially-established security
      contexts and possibly a utility function for exporting security
      contexts in an encrypted form, as well as a corresponding utility
      function to decrypt and import such security context tokens.

Specify one-time password / two-factor authentication needs for SASL
      applications.  This could be achieved through an explicit new
      GSS-API/SASL mechanism (e.g.,
      http://tools.ietf.org/html/draft-josefsson-kitten-crotp-00) or if
      the consensus is that due to usability reasons, it is preferable 
      to do OTP/2FA through an higher level protocol
      (Kerberos/OpenID/SAML/SAML20EC/EAP?) then prepare a document 
      explaining the usability problem and provide pointers for 
      implementers.

Kerberos Related
----------------

Prepare, review, and advance standards-track and informational
      specifications defining new authorization data types for carrying
      supplemental information about the client to which a Kerberos 
      ticket has been issued and/or restrictions on what the ticket can 
      be used for. To enhance this ongoing authorization data work, a 
      container format supporting the use cases of draft-ietf-krb-wg-pad 
      may be standardized.

Prepare a standards-track protocol to solve the use cases addressed
      by draft-hotz-kx509-01 including new support for digital 
      signatures.

Today Kerberos requires a replay cache to be used in AP exchanges in
      almost all cases.  Replay caches are quite complex to implement
      correctly, particularly in clustered systems. High-performance 
      replay caches are even more difficult to implement.  The WG will 
      pursue extensions to minimize the need for replay caching, 
      optimize replay caching, and/or elide the need for replay caching.

Prepare, review, and advance standards-track and informational
      specifications defining use of new cryptographic algorithms in the
      Kerberos protocol using the RFC3961 framework, on an ongoing 
      basis.  Cryptographic algorithms intended for standards track 
      status must be of good quality, have broad international support, 
      and fill a definite need.

Prepare, review, and advance standards-track and informational
      specifications of new pre-authentication types for the Kerberos
      protocol, on an ongoing basis.

Prepare, review, and advance standards track updates and extensions to 
      RFC4121, as needed and on an ongoing basis.

Milestones:
  Mar 2013 - draft-ietf-kitten-sasl-oauth to IESG
  Mar 2013 - draft-ietf-krb-wg-pkinit-alg-agility to IESG
  Apr 2013 - draft-ietf-kitten-sasl-saml-ec to IESG
  Apr 2013 - draft-ietf-krb-wg-iakerb to IESG
  May 2013 - draft-ietf-kitten-gssapi-extensions-iana to IESG
  May 2013 - draft-ietf-krb-wg-cammac to IESG
  Jun 2013 - draft-ietf-kitten-kerberos-iana-registries to IESG
  Jun 2013 - draft-ietf-krb-wg-pad to IESG
  Jul 2013 - Adopt work on one or more items for GSS-API cred management
  Jul 2013 - Adopt work on better error reporting in the GSS-API
  Aug 2013 - Adopt work on exporting partially-established GSS-API
contexts
  Aug 2013 - draft-ietf-krb-wg-ticket-extensions to IESG
  Sep 2013 - Adopt work on the GSS-API for replay cache avoidance


Ballot announcement