[kitten] Protocol Action: 'Anonymity Support for Kerberos' to Proposed Standard (draft-ietf-kitten-rfc6112bis-03.txt)
The IESG <email@example.com> Mon, 05 December 2016 17:07 UTC
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id C19C0129BB7; Mon, 5 Dec 2016 09:07:55 -0800 (PST)
Content-Type: text/plain; charset="us-ascii"
From: The IESG <firstname.lastname@example.org>
To: "IETF-Announce" <email@example.com>
Date: Mon, 05 Dec 2016 09:07:55 -0800
Cc: firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, The IESG <firstname.lastname@example.org>, email@example.com
Subject: [kitten] Protocol Action: 'Anonymity Support for Kerberos' to Proposed Standard (draft-ietf-kitten-rfc6112bis-03.txt)
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:firstname.lastname@example.org?subject=unsubscribe>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:email@example.com?subject=subscribe>
X-List-Received-Date: Mon, 05 Dec 2016 17:07:56 -0000
The IESG has approved the following document:
- 'Anonymity Support for Kerberos'
  (draft-ietf-kitten-rfc6112bis-03.txt) as Proposed Standard

This document is the product of the Common Authentication Technology Next Generation Working Group.

The IESG contact persons are Stephen Farrell and Kathleen Moriarty.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-kitten-rfc6112bis/

Technical Summary

This document describes Kerberos extensions for client anonymity support. These extensions give Kerberos clients the ability to authenticate and securely communicate with a service without revealing the client identity. Two methods are described: one that reveals the client's identity only to its own KDC, and another that uses anonymous PKINIT to hide the client identity completely.

Working Group Summary

There is consensus among the WG for this document, and as a "bis" document all errata have been considered. Aside from a few editorial corrections, there are three primary changes to the specification. First, when using the anonymous PKINIT method, the ticket session key is derived using the KRB-FX-CF2 operation, which requires two input constants, "pepper1" and "pepper2". The "pepper2" constant was incorrect in RFC 6112 and has been changed to its correct value. Second, the requirement to set the anonymous KDC flag in an anonymous TGS request changed from a MUST to a SHOULD. Third, a new paragraph has been added which clarifies a MITM scenario that is prevented by the anonymous PKINIT session-key derivation method.

Document Quality

This is a request for publication of a Standards Track document to obsolete RFC 6112, which had technical errors that made the described extensions inoperable with existing implementations.

Personnel

Matt Rogers is the document shepherd. Stephen Farrell is the responsible Area Director.
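The Working Group Summary explains why a wrong "pepper2" constant breaks interoperability: KRB-FX-CF2 (defined in RFC 6113) combines PRF+ outputs of two keys under two pepper strings, so a KDC and a client that disagree on either pepper derive different ticket session keys. The following is an added illustration, not code from the draft or from any Kerberos implementation. It assumes HMAC-SHA256 as a stand-in for the enctype-specific Kerberos PRF, treats random-to-key as the identity, and uses constructed placeholder pepper strings and keys; the real pepper constants are specified in the bis draft and are deliberately not reproduced here.

```python
import hashlib
import hmac

KEY_LEN = 32  # stand-in key length in octets (one HMAC-SHA256 output)


def prf(key: bytes, data: bytes) -> bytes:
    # Stand-in PRF. The real Kerberos PRF is enctype-specific (assumption).
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, s: bytes, length: int) -> bytes:
    # PRF+(K, S) = truncate(PRF(K, 0x01 || S) || PRF(K, 0x02 || S) || ..., length)
    # as defined in RFC 6113 section 5.1.
    out = b""
    counter = 1
    while len(out) < length:
        out += prf(key, bytes([counter]) + s)
        counter += 1
    return out[:length]


def random_to_key(octets: bytes) -> bytes:
    # Identity here; real enctypes may apply parity or fixup (assumption).
    return octets


def krb_fx_cf2(k1: bytes, k2: bytes, pepper1: bytes, pepper2: bytes,
               length: int = KEY_LEN) -> bytes:
    # KRB-FX-CF2(K1, K2, pepper1, pepper2)
    #   = random-to-key(PRF+(K1, pepper1) XOR PRF+(K2, pepper2))
    a = prf_plus(k1, pepper1, length)
    b = prf_plus(k2, pepper2, length)
    return random_to_key(bytes(x ^ y for x, y in zip(a, b)))


def peers_agree(k1: bytes, k2: bytes, kdc_peppers: tuple, client_peppers: tuple) -> bool:
    # True only when KDC and client derive the same ticket session key.
    return krb_fx_cf2(k1, k2, *kdc_peppers) == krb_fx_cf2(k1, k2, *client_peppers)


# Constructed sample inputs (not real Kerberos keys or pepper constants).
K1 = bytes(range(32))            # e.g. the key negotiated via anonymous PKINIT
K2 = bytes(range(32, 64))        # e.g. the reply key
PEPPER1 = b"PEPPER1-PLACEHOLDER"
PEPPER2 = b"PEPPER2-PLACEHOLDER"
PEPPER2_WRONG = b"PEPPER2-WRONG"  # models the incorrect RFC 6112 value

if __name__ == "__main__":
    print("same peppers agree:", peers_agree(K1, K2, (PEPPER1, PEPPER2), (PEPPER1, PEPPER2)))
    print("mismatched pepper2 agree:",
          peers_agree(K1, K2, (PEPPER1, PEPPER2), (PEPPER1, PEPPER2_WRONG)))
```

The second print shows the failure mode the summary describes: an implementation that followed the erratum-corrected constant and one that followed the published RFC 6112 text compute different session keys, so ticket encryption on one side cannot be decrypted by the other and the exchange fails.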