The IESG has approved the following document: - 'A Generalized Framework for Kerberos Pre-Authentication ' <draft-ietf-krb-wg-preauth-framework-17.txt> as a Proposed Standard This document is the product of the Kerberos Working Group. The IESG contact persons are Tim Polk and Sean Turner. A URL of this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-preauth-framework-17.txt Technical Summary Kerberos is a protocol for verifying the identity of principals (e.g., a workstation user or a network server) on an open network. The Kerberos protocol provides a mechanism called pre-authentication for proving the identity of a principal and for better protecting the long-term secrets of the principal. This document describes a model for Kerberos pre-authentication mechanisms. The model describes what state in the Kerberos request a pre-authentication mechanism is likely to change. It also describes how multiple pre-authentication mechanisms used in the same request will interact. This document also provides common tools needed by multiple pre- authentication mechanisms. One of these tools is a secure channel between the client and the KDC with a reply key strengthening mechanism; this secure channel can be used to protect the authentication exchange thus eliminate offline dictionary attacks. With these tools, it is relatively straightforward to chain multiple authentication mechanisms, utilize a different key management system, or support a new key agreement algorithm. Working Group Summary This document represents the consensus of the Kerberos Working Group. Document Quality Multiple vendors have indicated that they plan to implement and ship the extensions described in this document or have already begun to do so. Personnel The Document Shepherd for this document is Jeffrey Hutzelman. The responsible Area Director is Tim Polk. _______________________________________________ IETF-Announce mailing list IETF-Announce@ietf.org https://www.ietf.org/mailman/listinfo/ietf-announce
