Protocol Action: 'Kerberos Principal Name Canonicalization and KDC-Generated Cross-Realm Referrals' to Proposed Standard (draft-ietf-krb-wg-kerberos-referrals-15.txt)

The IESG <> Mon, 01 October 2012 18:52 UTC

From: The IESG <>
To: IETF-Announce <>
Date: Mon, 01 Oct 2012 11:52:00 -0700
Cc: krb-wg mailing list <>, krb-wg chair <>, RFC Editor <>

The IESG has approved the following document:
- 'Kerberos Principal Name Canonicalization and KDC-Generated Cross-Realm
  Referrals'
  (draft-ietf-krb-wg-kerberos-referrals-15.txt) as Proposed Standard

This document is the product of the Kerberos Working Group.

The IESG contact persons are Stephen Farrell and Sean Turner.

A URL of this Internet Draft is:

Technical Summary

  The memo documents a method for a Kerberos Key Distribution Center
  (KDC) to respond to client requests for Kerberos tickets when the
  client does not have detailed configuration information on the realms
  of users or services.  The KDC will handle requests for principals in
  other realms by returning either a referral error or a cross-realm
  TGT to another realm on the referral path.  The clients will use this
  referral information to reach the realm of the target principal and
  then receive the ticket.  This memo also provides a mechanism for
  verifying that a request has not been tampered with in transit.
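The referral path described above, as an added illustration that is not part of the announcement or the draft: a simplified model of a KDC that either issues the service ticket, hands out a cross-realm TGT toward the next hop, or returns a referral error, and a client that follows the chain. The realm names, domain-to-realm table and next-hop table are constructed for the example, and the client bounds the chain and rejects loops, which is the check a defensive implementation needs when a referral path is misconfigured.

```python
from dataclasses import dataclass

# Constructed example topology (not from the draft): each KDC maps a DNS
# domain to a realm and knows the next-hop realm toward realms it does not
# serve itself.  D.EXAMPLE is deliberately misrouted to produce a loop.
DOMAIN_TO_REALM = {"c.example": "C.EXAMPLE", "d.example": "D.EXAMPLE"}
NEXT_HOP = {
    "A.EXAMPLE": {"C.EXAMPLE": "B.EXAMPLE", "D.EXAMPLE": "B.EXAMPLE"},
    "B.EXAMPLE": {"C.EXAMPLE": "C.EXAMPLE", "D.EXAMPLE": "A.EXAMPLE"},
    "C.EXAMPLE": {},
}

@dataclass
class KdcReply:
    kind: str    # "service_ticket", "cross_realm_tgt" or "referral_error"
    realm: str   # realm the ticket is for (or the realm that could not route)
    sname: str = ""

def kdc_tgs(kdc_realm, sname):
    """Simplified KDC (hypothetical model): issue the ticket if the service
    is local, else hand out a cross-realm TGT for the next hop, else return
    a referral error so the client does not keep guessing."""
    host = sname.split("/", 1)[1]                     # "host/www.c.example"
    target_realm = DOMAIN_TO_REALM.get(host.split(".", 1)[1])
    if target_realm == kdc_realm:
        return KdcReply("service_ticket", kdc_realm, sname)
    nxt = NEXT_HOP[kdc_realm].get(target_realm)
    if nxt is None:
        return KdcReply("referral_error", kdc_realm)
    return KdcReply("cross_realm_tgt", nxt)

def obtain_ticket(client_realm, sname, max_hops=5):
    """Client side: start with the home-realm TGT and follow referrals.
    Returns (reply, realms visited).  The hop cap and the visited list are
    the defensive checks: a misconfigured referral path must not make the
    client loop or wander indefinitely."""
    current, visited = client_realm, [client_realm]
    for _ in range(max_hops):
        reply = kdc_tgs(current, sname)
        if reply.kind == "service_ticket":
            return reply, visited
        if reply.kind == "referral_error":
            raise LookupError(f"{current} cannot route {sname}")
        if reply.realm in visited:
            raise RuntimeError(f"referral loop back to {reply.realm}")
        current = reply.realm
        visited.append(current)
    raise RuntimeError(f"gave up after {max_hops} referrals")
```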

Working Group Summary

  This document represents the consensus of the Kerberos Working Group.
  Having been under development for quite some time, it has a long
  and somewhat complex history and has gone through several changes in
  editorship.  It has been discussed extensively and there has been
  ongoing support for the functionality added by this document.

  Over its life, this document has undergone a number of changes.
  Most recently, it has been reworked to take advantage of other
  work done in the working group since work on this document began,
  resulting in a considerably simpler document which is easier both
  to understand and to implement.
  Some features which were originally planned for this document or
  added during its development have been removed.  In some cases,
  this is to better align with existing and planned implementations.
  In others, it is because the working group has not yet been able
  to produce satisfactory solutions to certain problems, and so has
  decided to defer work on those issues.

Document Quality

  At least two major implementations support the Kerberos protocol
  extensions defined in this document.


  The Document Shepherd for this document is Jeffrey Hutzelman.
  The responsible Area Director is Stephen Farrell.

RFC Editor Note

(1)  Please insert expansions for the following acronyms:
  - Abstract:  TGT => Ticket Granting Ticket
  - Section 1, Paragraph 1: AS => Authentication Service
  - Section 1, Paragraph 1: TGS => Ticket Granting Service
  - Section 1, Paragraph 2: KDC => Key Distribution Center 

(2) In section 11, 2nd last para, last sentence:

OLD:

   The value for
   this padata item should be empty.

NEW:

   The padata item MUST be empty on sending
   and the contents of the padata item MUST be ignored on receiving.

(3) Section 6, in the ASN.1 fragment on page 9:

OLD:

     login-aliases  [0] SEQUENCE(1..MAX) OF PrincipalName,

NEW:

     login-aliases  [0] SEQUENCE (SIZE (1..MAX)) OF PrincipalName,

(4) Section 11, 3rd para:

OLD:

   The KDC response is extended

NEW:

   The KDC response [RFC4120] is extended