Technical Summary
This document describes a new "pre-authentication" protocol for Kerberos
V5 [RFC4120], one that uses a zero-knowledge password proof for
authenticating a client principal to a Kerberos Authentication Server
(AS), part of the Kerberos key distribution center (KDC). Besides
supporting the use of simple passwords, this method also supports second
factors.
Working Group Summary
The KITTEN WG mailing list has had a number of threads on the topic of
Simple Password Authenticated Key Exchange (SPAKE) for Kerberos, and four
on this particular Internet-Draft.
It was clear that this document is ready for advancement. Some participants
have suggested additional features, but there is consensus that these can be
added as extensions to this protocol in future updates (the protocol is extensible),
or if need be as a new protocol.
Document Quality
Note that this document implements/overlaps largely with what is now RFC 9382, but
the WG decided to strip mention of it and rely on the original paper directly, since
the path of that document had diverged somewhat from what was needed for this one.
Personnel
Document Shepherd: Nico Williams
The Responsible AD was Ben Kaduk (now a chair of KITTEN) and is now Paul Wouters.