
Kerberos ticket extensions

Document Type Replaced Internet-Draft (individual)
Expired & archived
Author Love Astrand
Last updated 2008-12-05 (Latest revision 2008-09-14)
Replaced by draft-ietf-krb-wg-ticket-extensions
RFC stream (None)
Intended RFC status (None)
Stream Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Replaced by draft-ietf-krb-wg-ticket-extensions
Telechat date (None)
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active.


The Kerberos protocol does not allow ticket extensions. This makes it harder to deploy features like referrals and PKCROSS. Since the Kerberos protocol did not specify extensibility for the Ticket structure, and current implementations are aware of the contents of tickets, the extension protocol cannot simply extend the Ticket ASN.1 structure. Instead, the extension data needs to be hidden inside the ticket. This protocol defines two methods to extend tickets. The first method requires updated clients and is more in line with the future development of Kerberos. The second method does not require updated clients. To take advantage of this protocol, the server (KDC or application server) needs to be updated as well. The two methods are equivalent and there is a 1-1 mapping between them.


Love Astrand

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)