Leif Johansson | 3 Nov 2008 03:48

Re: functional division of KDC model attributes

On Thursday 31 July 2008 12:16:06 Tom Yu wrote:
> I believe existing KDC implementations use per-principal attributes
> for multiple purposes.  It would be useful to divide these by their
> function.

Since I couldn't figure out what to do about this thread about functional
division of attributes I have updated the draft (should appear shortly)
to version 03 with most of the extra attributes suggested by Shawn.

Given that progress only seems to happen around WGLC I think we
should have another one of those until done :-)

	Cheers Leif

_______________________________________________
ietf-krb-wg mailing list
ietf-krb-wg <at> lists.anl.gov
https://lists.anl.gov/mailman/listinfo/ietf-krb-wg
Internet-Drafts | 3 Nov 2008 04:00

I-D Action:draft-ietf-krb-wg-kdc-model-03.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Kerberos Working Group of the IETF.

	Title           : An information model for Kerberos version 5
	Author(s)       : L. Johansson
	Filename        : draft-ietf-krb-wg-kdc-model-03.txt
	Pages           : 19
	Date            : 2008-11-02

This document describes an information model for Kerberos version 5
from the point of view of an administrative service.  There is no
standard for administrating a kerberos 5 KDC.  This document
describes the services exposed by an administrative interface to a
KDC.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kdc-model-03.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.

Internet-Drafts | 3 Nov 2008 09:15

I-D Action:draft-ietf-krb-wg-iakerb-01.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Kerberos Working Group of the IETF.

	Title           : Initial and Pass Through Authentication Using Kerberos V5 and the GSS-API (IAKERB)
	Author(s)       : L. Zhu, J. Altman
	Filename        : draft-ietf-krb-wg-iakerb-01.txt
	Pages           : 10
	Date            : 2008-11-03

This document defines extensions to the Kerberos protocol and the
GSS-API Kerberos mechanism that enable a GSS-API Kerberos client to
exchange messages with the KDC using the GSS-API acceptor as the
proxy, by encapsulating the Kerberos messages inside GSS-API tokens.
With these extensions a client can obtain Kerberos tickets for
services where the KDC is not accessible to the client, but is
accessible to the application server.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-iakerb-01.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.

Internet-Drafts | 3 Nov 2008 09:30

I-D Action:draft-ietf-krb-wg-kerberos-set-passwd-08.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Kerberos Working Group of the IETF.

	Title           : Kerberos Set/Change Key/Password Protocol Version 2
	Author(s)       : N. Williams
	Filename        : draft-ietf-krb-wg-kerberos-set-passwd-08.txt
	Pages           : 41
	Date            : 2008-11-03

This document specifies an extensible protocol for setting keys and
changing the passwords of Kerberos V principals.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-set-passwd-08.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.
Internet-Drafts | 3 Nov 2008 10:45

I-D Action:draft-ietf-krb-wg-gss-cb-hash-agility-05.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Kerberos Working Group of the IETF.

	Title           : Kerberos Version 5 GSS-API Channel Binding Hash Agility
	Author(s)       : S. Emery
	Filename        : draft-ietf-krb-wg-gss-cb-hash-agility-05.txt
	Pages           : 12
	Date            : 2008-11-03

Currently, channel bindings are implemented using a MD5 hash in the
Kerberos Version 5 Generic Security Services Application Programming
Interface (GSS-API) mechanism [RFC4121].  This document updates
RFC4121 to allow channel bindings using algorithms negotiated based
on Kerberos crypto framework as defined in RFC3961.  In addition,
because this update makes use of the last extensible field in the
Kerberos client-server exchange message, extensions are defined to
allow future protocol extensions.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-gss-cb-hash-agility-05.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.

Jeffrey Hutzelman | 3 Nov 2008 19:19

Re: set-passwd issues

Last week I sent Nico a summary of issues previously raised on set-passwd 
and the resolutions that had been reached so far.  The original discussion 
took place on this list some months ago, though I don't think anyone other 
than Nico and I spoke up.

Over the weekend Nico submitted a new version of the document.  Below I 
quote and reply to his message to me indicating which of the issues raised 
he had addressed.

--On Monday, November 03, 2008 02:21:19 AM -0600 Nicolas Williams 
<Nicolas.Williams <at> sun.com> wrote:

>  5  CHECK   update RFC3066 ref -> RFC4646,4647; use matching from RFC4647

Only partly; you updated the references but didn't replace the vague inline 
description of a matching algorithm with a requirement that the one defined 
in RFC4747 be used.

> 10  CHECK   what is 'languages' argument on change-pw?
> 11  CHECK   ditto for set-pw

I don't think so.  The bug I pointed out in the ASN.1 is fixed, but there's 
been no change to the descriptive text for these items, which still don't 
describe the languages argument in any detail.

> 16  CHECK   principalname should be a sequence?

Nope.  The text in question is still in -08, near the top of section 5:

   --

Jeffrey Hutzelman | 5 Nov 2008 23:50

Re: kerberos ticket extensions

--On Monday, September 29, 2008 09:28:24 AM +0200 Love Hörnquist Åstrand 
<lha <at> kth.se> wrote:

>
> 7 sep 2008 kl. 20.12 skrev Love Hörnquist Åstrand:
>
>> Since I'm already in a dream, I added the pretty version already
>> today.
>>
>> Will submit -02 when I get your feedback.
>
> Never got any feedback, so I submitted -02, please review.

I will review this, but haven't done so yet.  I would encourage others to 
do the same, particularly with an eye toward the question of whether we 
should adopt this as a working group item.

Among other things, we are chartered to...

	Prepare and advance a specification for an updated, backward-
	compatible version of the Kerberos version 5 protocol which
	supports non-ASCII principal and realm names, salt strings, and
	passwords; insures that those portions of the protocol which are
	not encrypted are nonetheless authenticated whenever possible; and
	enables future protocol revisions and extensions.

Love's document seems to be designed to "enable future protocol revisions 
and extensions", specifically in the form of ticket extensions, and so I 
think it falls within the scope of this item.  Ticket extensions are a 
problem we've worked on before, and this approach has been presented in a 

Larry Zhu | 6 Nov 2008 10:06

call for agenda: IETF73

If you need face-meeting time for krb-wg in IETF73, please send your request to Jeff and me.

We have uploaded the preliminary agenda at http://www.ietf.org/proceedings/08nov/agenda/krb-wg.txt

Comments are welcome.

--larry


Love Hörnquist Åstrand | 7 Nov 2008 00:36

Re: kerberos ticket extensions


5 nov 2008 kl. 14:50 skrev Jeffrey Hutzelman:

> Before adopting this item, Larry and I would like to hear from the
> working group on whether ticket extensions are still a form of
> extensibility we want to have, and on whether the approach used in
> this document is one we want to take.

This is the same way that kerberos extensions solve this, but makes it  
possible by scoping the problem so it can happen this year.

I would like to see this on the agenda and adopted and completed this  
year.

There should be no controversial stuff in here, and if there is, I'll propose  
to just remove it.

Love


Jeffrey Hutzelman | 15 Nov 2008 00:27

WG Last Call: draft-ietf-krb-wg-kdc-model-03.txt

As Leif noted, sometimes people seem not to bother reviewing things unless 
there is a last call.  Therefore, I'm starting a new one on the data model 
document.  Due to the IETF meeting week and the upcoming Thanksgiving 
holiday in the US, I'm extending the last call period to three weeks.  If 
anyone thinks that is not enough, please let me know.

This note announces the start of a three-week last call within the Kerberos
Working Group on whether to send the following document to the IESG:

Title:           An information model for Kerberos version 5
Filename:        draft-ietf-krb-wg-kdc-model-03.txt
Intended Status: Proposed Standard

   This document describes an information model for Kerberos version 5
   from the point of view of an administrative service.  There is no
   standard for administrating a kerberos 5 KDC.  This document
   describes the services exposed by an administrative interface to a
   KDC.

This last call will expire at 23:59 EDT on Dec 5, 2008

Please review this document and send any comments to the Kerberos Working
Group mailing list, <ietf-krb-wg <at> anl.gov>, by that date.  The file can be
obtained via

http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kdc-model-03.txt

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ <at> cmu.edu>
   Chair, IETF Kerberos Working Group
   Carnegie Mellon University - Pittsburgh, PA