A Pseudo-Random Function (PRF) for the Kerberos V Generic Security Service Application Program Interface (GSS-API) Mechanism
draft-ietf-kitten-krb5-gssapi-prf-04
Technical Summary
These documents define a Pseudo-Random Function (PRF) extension to
the Generic Security Service Application Programming Interface
(GSS-API) for keying application protocols given an established
GSS-API security context and provide an implementation of that
extension for the Kerberos V mechanism. The primary intended use
of this function is to key secure session layers that don't or
cannot use GSS-API per-message MIC (message integrity check) and
wrap tokens for session
Working Group Summary
The Kitten working group participants are solidly behind this
document.
There were two areas of contention during its development.
First, representatives of the Samba team desired that the PRF be
designed to be compatible with the key export methods implemented by
Microsoft for use with CIFS. The working group consensus was that
following Microsoft's direction would have compromised the security
and usefulness of the PRF functionality.
Second, there was a desire to include a Java Binding for the
prf() method. The Java Binding was removed from the document due
both to a technical disagreement within the working group about how
it should be implemented and to conflicts between the IETF and Java
Community Process processes.
Protocol Quality
There are no shipping implementations of this extension, although there
has been broad review and no concerns have been raised regarding the
ability to implement the interfaces defined.
Several vendors, including MIT's Kerberos team, Heimdal and Sun
Microsystems, have indicated a desire to implement the extension.
Ken Raeburn, Uri Blumenthal and Joe Salowey provided significant
review. This document has been reviewed for the IESG by Sam Hartman.
Note to RFC Editor
In draft-ietf-kitten-krb5-gssapi-prf, replace the citation to
[rfc1964] with a citation to [cfx] and remove the reference entry for
[rfc1964].
Just before section 2, delete the paragraph beginning "mechanisms may
limit the output" and ending with "requested."
In draft-ietf-kitten-gssapi-prf, replace the reference to RFC 1750
with a reference to RFC 4086.