
A Pseudo-Random Function (PRF) for the Kerberos V Generic Security Service Application Program Interface (GSS-API) Mechanism
draft-ietf-kitten-rfc4402bis-02

Approval announcement
Draft of message to be sent after approval:

Announcement

From: The IESG <iesg-secretary@ietf.org>
To: "IETF-Announce" <ietf-announce@ietf.org>
Cc: kitten-chairs@ietf.org, draft-ietf-kitten-rfc4402bis@ietf.org, "Benjamin Kaduk" <kaduk@mit.edu>, kitten@ietf.org, kaduk@mit.edu, "The IESG" <iesg@ietf.org>, rfc-editor@rfc-editor.org, stephen.farrell@cs.tcd.ie
Subject: Protocol Action: 'A Pseudo-Random Function (PRF) for the Kerberos V Generic Security Service Application Program Interface (GSS-API) Mechanism' to Proposed Standard (draft-ietf-kitten-rfc4402bis-02.txt)

The IESG has approved the following document:
- 'A Pseudo-Random Function (PRF) for the Kerberos V Generic Security
   Service Application Program Interface (GSS-API) Mechanism'
  (draft-ietf-kitten-rfc4402bis-02.txt) as Proposed Standard

This document is the product of the Common Authentication Technology Next
Generation Working Group.

The IESG contact persons are Stephen Farrell and Kathleen Moriarty.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-kitten-rfc4402bis/


Ballot Text

Technical Summary

   This document defines the Pseudo-Random Function (PRF) for the
   Kerberos V mechanism for the Generic Security Service Application
   Program Interface (GSS-API), based on the PRF defined for the
   Kerberos V cryptographic framework, for keying application protocols
   given an established Kerberos V GSS-API security context.

   This document obsoletes RFC 4402 and reclassifies that document as
   historic.  RFC 4402 starts the PRF+ counter at 1; however, a number of
   implementations start the counter at 0.  As a result, the original
   specification would not be interoperable with existing
   implementations.

Working Group Summary

This document is necessary because implementors of RFC 4402 erred
when implementing the PRF+ construct, starting the counter variable
at zero instead of one.  The error was present in multiple releases
of a shipping implementation when a second implementor discovered
the error in interoperability testing; that second implementor also
started the counter variable at zero for compatibility.  This document
serves to update RFC 4402 and reflect the implementation reality
that is deployed and functioning interoperably.  It is being published
as a Standards Track document to match RFC 4402, which it replaces,
as is consistent with most work on Kerberos in the IETF.
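As an added illustration (not text or code from the draft or from either implementation), the PRF+ expansion described above with the initial counter value as a parameter, following the RFC 4402 construction of concatenating pseudo_random(K, n || S) blocks for a 4-octet big-endian counter n and truncating to L octets. The enctype-specific Kerberos pseudo_random() is replaced here by HMAC-SHA256 so that the example runs stand-alone (an assumption, not the Kerberos PRF), and the key and seed are constructed values, not the draft's test vectors.

```python
import hmac
import hashlib
import struct


def inner_prf(key: bytes, data: bytes) -> bytes:
    """Stand-in for the enctype-specific Kerberos pseudo_random() operation.

    ASSUMPTION: HMAC-SHA256 is used only so this example runs offline; a
    real implementation uses the RFC 3961 PRF of the context key's enctype.
    """
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, length: int, seed: bytes, first_counter: int) -> bytes:
    """PRF+(K, L, S): concatenate T_n = pseudo_random(K, n || S) for
    n = first_counter, first_counter + 1, ... (n as a 4-octet big-endian
    unsigned integer) until at least L octets exist, then truncate to L.

    RFC 4402 specifies first_counter = 1; the bis draft, matching the
    deployed implementations, specifies first_counter = 0.
    """
    out = b""
    n = first_counter
    while len(out) < length:
        out += inner_prf(key, struct.pack(">I", n) + seed)
        n += 1
    return out[:length]


def rfc4402_prf_plus(key: bytes, length: int, seed: bytes) -> bytes:
    return prf_plus(key, length, seed, 1)


def bis_prf_plus(key: bytes, length: int, seed: bytes) -> bytes:
    return prf_plus(key, length, seed, 0)


def interoperable(key: bytes, length: int, seed: bytes) -> bool:
    """Two peers keying an application protocol from the same security
    context interoperate only if they derive identical octets; a peer
    counting from 1 and a peer counting from 0 never do."""
    return rfc4402_prf_plus(key, length, seed) == bis_prf_plus(key, length, seed)


# Constructed sample inputs (not the draft's test vectors).
KEY = bytes(range(32))
SEED = b"constructed seed"

if __name__ == "__main__":
    print("RFC 4402 (n from 1):", rfc4402_prf_plus(KEY, 48, SEED).hex())
    print("bis draft (n from 0):", bis_prf_plus(KEY, 48, SEED).hex())
    print("interoperable:", interoperable(KEY, 48, SEED))
```

Note that the output of the counter-from-0 variant is the counter-from-1 output shifted by exactly one block, which is why the two can never agree on any prefix of the derived key.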

Document Quality


There is strong consensus for this document, which only differs from
RFC 4402 in the change of the initial value of the counter variable
and the removal of an unneeded and confusing paragraph from the
security considerations section.  It also adds test vectors, which
have been verified by two implementations (MIT and Heimdal Kerberos).
The WGLC period was part of a combined WGLC for three "bis" documents,
over a period of four weeks.  Most of the prominent WG contributors
reviewed the document, and no substantive issues were found (though
a couple of regressions from RFC 4402 were noted and fixed).

Personnel


Benjamin Kaduk is the document shepherd.  Stephen Farrell is the
responsible Area Director.

RFC Editor Note