2.7.8 Kerberos (krb-wg)

NOTE: This charter is a snapshot of the 67th IETF Meeting in San Diego, California USA. It may now be out-of-date.
In addition to this official charter maintained by the IETF Secretariat, there is additional information about this working group on the Web at:

       Additional KRB-WG Web Page

Last Modified: 2006-10-17


Jeffrey Hutzelman <jhutz@cmu.edu>

Security Area Director(s):

Russ Housley <housley@vigilsec.com>
Sam Hartman <hartmans-ietf@mit.edu>

Security Area Advisor:

Sam Hartman <hartmans-ietf@mit.edu>

Mailing Lists:

General Discussion: ietf-krb-wg@anl.gov
To Subscribe: majordomo@anl.gov
In Body: subscribe ietf-krb-wg your_email_address
Archive: ftp://ftp.ietf.org/ietf-mail-archive/krb-wg/

Description of Working Group:

Kerberos over the years has been ported to virtually every operating
system. There are at least two open source versions, with numerous
commercial versions based on these and other proprietary
implementations. Kerberos evolution has continued over the years, and
interoperability has been problematic.  A number of draft proposals
have been issued concerning aspects of new or extended functionality.

The group will strive to improve the interoperability of these
systems while improving security.

Specifically, the Working Group will:

* Clarify and amplify the Kerberos specification (RFC 1510) to make
  interoperability problems encountered in the past that occurred
  because of unclear specifications do not happen again.  The output of
  this process should be suitable for Draft Standard status.

* Select from existing proposals on new or extended functionality those
  that will add significant value while improving interoperability and
  security, and publish these as one or more Proposed Standards.

Goals and Milestones:

Done  First meeting
Done  Submit the Kerberos Extensions document to the IESG for consideration as a Proposed standard.
Done  Complete first draft of Pre-auth Framework
Done  Complete first draft of Extensions
Done  Submit K5-GSS-V2 document to IESG for consideration as a Proposed Standard
Done  Last Call on OCSP for PKINIT
Done  Consensus on direction for Change/Set password
Done  Enctype Negotiation to IESG
Done  Last Call on PKINIT ECC
Mar 2006  Review milestones
Mar 2006  Issues identified for Anonymous
Jun 2006  Major issues resolved on Extensions
Aug 2006  Last Call on Extensions
Aug 2006  Last Call on Referrals
Sep 2006  Last Call on Change/Set password


  • draft-ietf-krb-wg-kerberos-referrals-08.txt
  • draft-ietf-krb-wg-hw-auth-04.txt
  • draft-ietf-krb-wg-kerberos-set-passwd-05.txt
  • draft-ietf-krb-wg-preauth-framework-04.txt
  • draft-ietf-krb-wg-rfc1510ter-03.txt
  • draft-zhu-pkinit-ecc-02.txt
  • draft-josefsson-krb-tcp-expansion-02.txt
  • draft-ietf-krb-wg-tcp-expansion-01.txt
  • draft-ietf-krb-wg-anon-02.txt
  • draft-ietf-krb-wg-naming-01.txt
  • draft-ietf-krb-wg-pkinit-alg-agility-01.txt

    Request For Comments:

    RFC3961 Standard Encryption and Checksum Specifications for Kerberos 5
    RFC3962 Standard AES Encryption for Kerberos 5
    RFC4120 Standard The Kerberos Network Authentication Service (V5)
    RFC4121 Standard The Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Mechanism: Version 2
    RFC4537 PS Kerberos Cryptosystem Negotiation Extension
    RFC4556 PS Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)
    RFC4557 PS Online Certificate Status Protocol (OCSP) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)

    Meeting Minutes


    Charter Proposal
    Update on Kerberos Extensibility
    Preauth Framework
    Kerberos for Web Services