Common Authentication Technology Next Generation (Active WG)
Sec Area: Roman Danyliw, Benjamin Kaduk | 2004-Nov-03

2021-03-22 charter

Common Authentication Technology Next Generation (kitten)


 Current Status: Active

 Chairs:
     Alexey Melnikov <alexey.melnikov@isode.com>
     Robbie Harwood <rharwood@redhat.com>

 Security Area Directors:
     Roman Danyliw <rdd@cert.org>
     Benjamin Kaduk <kaduk@mit.edu>

 Security Area Advisor:
     Benjamin Kaduk <kaduk@mit.edu>

 Mailing Lists:
     General Discussion: kitten@ietf.org
     To Subscribe:       https://www.ietf.org/mailman/listinfo/kitten
     Archive:            https://mailarchive.ietf.org/arch/browse/kitten/

Description of Working Group:

  The purpose of the Common Authentication Technology Next Generation
  (Kitten) working group (WG) is to develop extensions/improvements to the
  GSS-API and to the Kerberos authentication system, shepherd specific
  GSS-API security mechanisms, and provide guidance for any new
  SASL-related submissions.

  This charter combines the work of the Kerberos WG and the kitten WG
  (under the aegis of the kitten WG).  In places, it identifies which WG
  was previously home for that work.

  The working group will develop extensions and/or updates to the GSS-API,
  working on specific items regarding credential management, replay cache
  avoidance, error reporting, and supporting stateless and/or distributed

  The working group will also maintain and improve upon the Kerberos
  protocol, working on items regarding internationalization considering
  alignment with the precis work, new initial authentication types,
  authorization framework/data, replay cache avoidance, cryptography
  advances, interop with 3rd party authentication, and identity

  In detail, both existing and new work items include:

  Existing Working Group Items
  SASL Mechanism for OAuth (draft-ietf-kitten-sasl-oauth)
  SASL Mechanism for SAML-EC (draft-ietf-kitten-sasl-saml-ec)
  GSS-API IANA Registry (draft-ietf-kitten-gssapi-extensions-iana)
  KDC Model (draft-ietf-krb-wg-kdc-model)
  PKINIT Hash Agility (draft-ietf-krb-wg-pkinit-alg-agility)
  Kerberos IANA Registry (draft-ietf-kitten-kerberos-iana-registries)
  Initial and Pass Through Authentication in Kerberos 5 (draft-ietf-krb-wg-iakerb)
  Unencrypted Portion of Ticket Extensions (draft-ietf-krb-wg-ticket-extensions)

  GSS-API Related
  Provide new interfaces for credential management, which include the following:
         initializing credentials
         iterating credentials
         exporting/importing credentials

  Negotiable replay cache avoidance

  Define interfaces for better error message reporting.

  Specify an option for exporting partially-established security
        contexts and possibly a utility function for exporting security
        contexts in an encrypted form, as well as a corresponding utility
        function to decrypt and import such security context tokens.

  Specify one-time password / two-factor authentication needs for SASL
        applications.  This could be achieved through an explicit new
        GSS-API/SASL mechanism (e.g.,
        http://tools.ietf.org/html/draft-josefsson-kitten-crotp-00) or, if
        the consensus is that for usability reasons it is preferable
        to do OTP/2FA through a higher-level protocol
        (Kerberos/OpenID/SAML/SAML20EC/EAP?), then prepare a document
        explaining the usability problem and provide pointers for

  Kerberos Related

  Prepare, review, and advance standards-track and informational
        specifications defining new authorization data types for carrying
        supplemental information about the client to which a Kerberos
        ticket has been issued and/or restrictions on what the ticket can
        be used for. To enhance this ongoing authorization data work, a
        container format supporting the use cases of draft-ietf-krb-wg-pad
        may be standardized.

  Prepare a standards-track protocol to solve the use cases addressed
        by draft-hotz-kx509-01 including new support for digital

  Today, Kerberos requires a replay cache to be used in AP exchanges in
        almost all cases.  Replay caches are quite complex to implement
        correctly, particularly in clustered systems.  High-performance
        replay caches are even more difficult to implement.  The WG will
        pursue extensions to minimize the need for replay caching,
        optimize replay caching, and/or elide the need for replay caching.

  Prepare, review, and advance standards-track and informational
        specifications defining use of new cryptographic algorithms in the
        Kerberos protocol using the RFC3961 framework, on an ongoing
        basis.  Cryptographic algorithms intended for standards track
        status must be of good quality, have broad international support,
        and fill a definite need.

  Prepare, review, and advance standards-track and informational
        specifications of new pre-authentication types for the Kerberos
        protocol, on an ongoing basis.

  Prepare, review, and advance standards track updates and extensions to
        RFC4121, as needed and on an ongoing basis.

Goals and Milestones:
  Apr 2013 - draft-ietf-kitten-sasl-saml-ec to IESG
  May 2013 - draft-ietf-kitten-gssapi-extensions-iana to IESG
  Jun 2013 - draft-ietf-kitten-kerberos-iana-registries to IESG
  Jun 2013 - draft-ietf-krb-wg-pad to IESG
  Jul 2013 - Adopt work on one or more items for GSS-API cred management
  Jul 2013 - Adopt work on better error reporting in the GSS-API
  Aug 2013 - Adopt work on exporting partially-established GSS-API contexts
  Aug 2013 - draft-ietf-krb-wg-ticket-extensions to IESG
  Sep 2013 - Adopt work on the GSS-API for replay cache avoidance
  Done     - draft-ietf-kitten-sasl-oauth to IESG
  Done     - draft-ietf-krb-wg-cammac to IESG
  Done     - draft-ietf-krb-wg-pkinit-alg-agility to IESG

Latest update: 24 Oct 2012 16:51 GMT