[kitten] Kitten and Krb-wg Merger

Shawn M Emery <shawn.emery@oracle.com> Mon, 05 November 2012 03:34 UTC


In light of the pending merger between the kitten and Kerberos WGs we 
have compiled a list of possible work items to start the 
merger/recharter discussions during the combined session on Tuesday.  We 
are looking for feedback on this and other items that should be 
considered for the new charter.

GSS-API related
---------------
     * Provide new interfaces for credential management, which include the
       following:
           initializing credentials
           iterating credentials
           exporting/importing credentials

     * Specify interface for asynchronous calls.

     * Negotiable replay cache avoidance.

     * Define interfaces for better error message reporting.

     * Provide a more programmer-friendly GSS-API for application
       developers. This could include reducing the number of interface
       parameters, for example, by eliminating parameters which are
       commonly used with the default values.

     * Specify an option for exporting partially-established security
       contexts and possibly a utility function for exporting security
       contexts in an encrypted form, as well as a corresponding utility
       function to decrypt and import such security context tokens.

Kerberos related
----------------
     * Prepare and advance one or more standards-track specifications which
       update the Kerberos version 5 protocol to support non-ASCII principal
       and realm names, salt strings, and passwords, and localized error
       reporting.  Maximizing backward compatibility is strongly desired.

     * Prepare and advance one or more standards-track specifications which
       update the Kerberos version 5 protocol in a backward-compatible way
       to support extending the unencrypted portion of a Kerberos ticket.

     * Prepare, review, and advance standards-track and informational
       specifications defining new authorization data types for carrying
       supplemental information about the client to which a Kerberos ticket
       has been issued and/or restrictions on what the ticket can be used
       for. To enhance this ongoing authorization data work, a container
       format supporting the use cases of draft-sorce-krbwg-general-pac-01
       may be standardized.

     * Prepare a standards-track protocol to solve the use cases addressed
       by draft-hotz-kx509-01 including new support for digital signatures.

     * Prepare and advance one or more standards-track specifications
       which define mechanisms for establishing keys and configuration
       information used during authentication between Kerberos realms.

     * Prepare and advance a standards-track specification defining a
       format for the transport of Kerberos credentials within other
       protocols.

     * Today Kerberos requires a replay cache to be used in AP exchanges in
       almost all cases.  Replay caches are quite complex to implement
       correctly, particularly in clustered systems. High-performance replay
       caches are even more difficult to implement.  The WG will pursue
       extensions to minimize the need for replay caching, optimize replay
       caching, and/or elide the need for replay caching.

     * Produce an LDAP schema for management of the KDC's database.

Shawn.
kitten and krb-wg co-chair
--