Kerberos ticket extensions

Document Type: Expired Internet-Draft (krb-wg WG); expired & archived
Author: Love Astrand
Last updated: 2008-11-18
Replaces: draft-lha-krb-wg-ticket-extensions
RFC stream: Internet Engineering Task Force (IETF)
Additional resources: Mailing list discussion
Stream WG state: WG Document
Document shepherd: (None)
IESG state: Expired
Consensus boilerplate: Unknown
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:


The Kerberos protocol does not allow ticket extensions. This makes it harder to deploy features like PKCROSS. Since the Kerberos protocol did not specify extensibility for the Ticket structure, and current implementations are aware of the contents of tickets, the extension protocol cannot simply extend the Ticket ASN.1 structure. Instead, the extension data needs to be hidden inside the ticket. This protocol defines two methods to extend tickets. The first method requires updated clients and is more in line with the future development of Kerberos. The second method does not require updated clients. To take advantage of this protocol, the server (KDC or application server) needs to be updated as well. The two methods are equivalent, and there is a 1-1 mapping between them.


Love Astrand

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)