Last Modified: 2005-07-01
Done | First Meeting | |
Mar 05 | First drafts of either 'Clarifications to GSSAPIv2' as Informational OR submit 'Generic Security Service Application Program Interface Version 2, Update 2' and 'Generic Security Service API Version 2, Update 2 : C-bindings' to the IESG as Proposed Standard | |
Jul 05 | Submit either 'Clarifications to GSSAPIv2' as Informational OR submit 'Generic Security Service Application Program Interface Version 2, Update 2' and 'Generic Security Service API Version 2, Update 2 : C-bindings' to the IESG as Proposed Standard | |
Jul 05 | Submit 'The Channel Conjunction Mechanism (CCM) for the GSSAPI' to the IESG as Proposed Standard | |
Jul 05 | Submit 'On the Use of Channel Bindings to Secure Channels' to the IESG as Proposed Standard | |
Jul 05 | Submit 'The Simple and Protected GSS-API Negotiation Mechanism (Revised)' to the IESG as Proposed Standard | |
Nov 05 | Submit 'GSSAPI Mechanisms without a Unique Canonical Name' to the IESG as Proposed Standard | |
Jul 06 | Submit 'Generic Security Service Application Program Interface Version 3' to the IESG as Proposed Standard | |
Jul 06 | Submit 'Generic Security Service API Version 3 : C-bindings' to the IESG as Proposed Standard | |
Jul 06 | Submit 'Generic Security Service API Version 3 : Java and C# bindings' to the IESG as Proposed Standard | |
Nov 06 | Charter Review |
The Kitten working group met at IETF63 in one of the new style rooms. We really lucked out because the room contained at least three mobile microphones that were handed out to the audience. It enabled realtime discussions in a much more flexible format. We would like to see more of this at future IETF meetings. The more mobile mics the better.

Summarized document status:

* PRF API extension for GSS
  Draft -05 submitted. Addresses issues raised during the most recent WGLC. Will be submitted for a short WGLC next week.

* PRF API for Kerberos 5 GSS
  Draft -04 passed WGLC. Being held until the generic PRF extension document passes WGLC.

* Corrections and Updates of GSS-API Java Bindings
  The existing draft contains a list of changes from RFC 2853. These changes were the result of the Java Community Process making changes after the RFC was finished. The JCP version is what was implemented. The IETF is effectively rubber stamping these changes as no one implements the RFC. It has been made clear to Sun that for current work the JCP cannot make changes after the documents pass last call. A new draft will be submitted shortly that is 2853 with all of the changes applied.

* C# Bindings
  Since IETF62 consensus was reached to split the C# and Java Bindings into separate documents. A new draft providing a full C# binding based upon RFC 2853 will be published next week.

* Desired Enhancements to GSS Naming
  An informational draft providing scope for the naming problems the working group will solve. All sections but number 7 appear to be ready for WGLC. The chair wishes to expand the description of the credential selection problem described by section 7 before it moves forward.

* GSS-API Naming Extensions
  Draft -00 submitted in May but has not received discussion on the mailing list.

* Clarifications to GSSAPI v2 Update 1
  No draft yet published and the milestone has been missed. Previous volunteers to work on this draft have withdrawn.

Technical Discussions: GSS-API Naming Extensions
draft-ietf-kitten-gssapi-naming-exts-00.txt

The working group reviewed the contents of the draft for the purpose of bootstrapping discussion as no one had read it before the meeting. The draft has a summary of the problems caused by the limited naming capabilities of GSS import and export name when attempting to use the authenticated name for the purpose of constructing ACLs. This is followed by five sections describing how to extend GSS names with name attributes, including sections on how to use PKIX attributes and Kerberos authorization data. The details are very incomplete and need significant review. We especially need volunteers from the PKIX community to assist in this effort. The document describes a proposed abstract API plus C and Java language bindings. There is also an IANA considerations section.

* Use of names on ACLs.
* The need for including a critical bit on attributes. This is expected to be easy for PKIX but it is not authenticated.
* Corrections to the use of Kerberos cross realm transit paths. Cross realm transit path lists are not ordered. They only provide a list of the realms that were crossed.
* The current draft's description of how to reference X.509 trust paths is very incomplete. The full path from the trust anchor must be specified.
* Inclusion of PKIX proxy certificates must be specified.
* Must ensure that the EKU OID is used as part of PKIX names.
* There is concern that naming is an extremely broad and highly complex problem. Can it be done in a simple generic manner?
* The inquire function scares many people.
* Name attributes are being treated as tagged blobs. This results in problems both with how to represent dependencies between blobs and with how to extract sub-parts of a blob in a generic manner.
* There is a concern with how we can successfully compare names when there are arbitrary sets of name attributes. What is the canonical name? Part of the justification for this work is that there is not always a canonical name that is static for all time.
* There needs to be a means of limiting the credentials provided to an application based upon the needs of the application and the qualities the credentials support.
* Denis Pikas wrote for CAT a draft to describe how to represent group membership. It can be found via Google. The WG should review: draft-ietf-cat-xgssapi-acc-cntrl-03.txt
* Review closely the SAML attribute work.
* There is a desire to support negative attributes. In order to do so there must be some means of indicating that, for a given set of positive and negative ACLs, all of the negative ACLs have been included and none have been removed.

The WG ran out of time. Clearly more discussion is required on the list. Please read the draft.

Technical Discussion: Moving RFC2743 and RFC2744 to Draft

Our AD, Sam Hartman, requested that the WG consider the steps necessary to move RFCs 2743 and 2744 from Proposed to Draft. The WG discussed the scope of interoperability testing at both the wire and language layers. The WG intends to design a test matrix that is rough grained across implementation of features. Nico Williams will ask within Sun Microsystems for assistance to the chair in putting together the test matrix. The WG will look at gssmonger as a source of tests.

Technical Discussion: Review ML archives to find content for 'Clarifications to GSSAPIv2'

The WG ran out of time to discuss this topic. The chair is going to ask specific people for assistance with this task. If this milestone is not being met the WG will have to stop working on other efforts people care a great deal about.