The IESG has approved the following document:
- 'A Generalized Framework for Kerberos Pre-Authentication '
<draft-ietf-krb-wg-preauth-framework-17.txt> as a Proposed Standard
This document is the product of the Kerberos Working Group.
The IESG contact persons are Tim Polk and Sean Turner.
A URL of this Internet-Draft is:
Kerberos is a protocol for verifying the identity of principals
(e.g., a workstation user or a network server) on an open network.
The Kerberos protocol provides a mechanism called pre-authentication
for proving the identity of a principal and for better protecting the
long-term secrets of the principal.
This document describes a model for Kerberos pre-authentication
mechanisms. The model describes what state in the Kerberos request a
pre-authentication mechanism is likely to change. It also describes
how multiple pre-authentication mechanisms used in the same request
This document also provides common tools needed by multiple pre-
authentication mechanisms. One of these tools is a secure channel
between the client and the KDC with a reply key strengthening
mechanism; this secure channel can be used to protect the
authentication exchange thus eliminate offline dictionary attacks.
With these tools, it is relatively straightforward to chain multiple
authentication mechanisms, utilize a different key management system,
or support a new key agreement algorithm.
Working Group Summary
This document represents the consensus of the Kerberos Working Group.
Multiple vendors have indicated that they plan to implement and ship
the extensions described in this document or have already begun to
The Document Shepherd for this document is Jeffrey Hutzelman.
The responsible Area Director is Tim Polk.
IETF-Announce mailing list