The IESG has approved the following document:

- 'Kerberos Principal Name Canonicalization and KDC-Generated Cross-Realm
  Referrals'
  (draft-ietf-krb-wg-kerberos-referrals-15.txt) as Proposed Standard

This document is the product of the Kerberos Working Group.

The IESG contact persons are Stephen Farrell and Sean Turner.

A URL of this Internet Draft is:
http://datatracker.ietf.org/doc/draft-ietf-krb-wg-kerberos-referrals/

Technical Summary

The memo documents a method for a Kerberos Key Distribution Center (KDC)
to respond to client requests for Kerberos tickets when the client does
not have detailed configuration information on the realms of users or
services. The KDC will handle requests for principals in other realms by
returning either a referral error or a cross-realm TGT to another realm
on the referral path. The clients will use this referral information to
reach the realm of the target principal and then receive the ticket.
This memo also provides a mechanism for verifying that a request has not
been tampered with in transit.

Working Group Summary

This document represents the consensus of the Kerberos Working Group.
Having been under development for quite some time, it has a long and
somewhat complex history and has gone through several changes in
editorship. It has been discussed extensively and there has been ongoing
support for the functionality added by this document.

Over its life, this document has undergone a number of changes. Most
recently, it has been reworked to take advantage of other work done in
the working group since work on this document began, resulting in a
considerably simpler document which is easier both to understand and to
implement. Some features which were originally planned for this document
or added during its development have been removed. In some cases, this
is to better align with existing and planned implementations. In others,
it is because the working group has not yet been able to produce
satisfactory solutions to certain problems, and so has decided to defer
work on those issues.

Document Quality

At least two major implementations support the Kerberos protocol
extensions defined in this document.

Personnel

The Document Shepherd for this document is Jeffrey Hutzelman.
The responsible Area Director is Stephen Farrell.

RFC Editor Note

(1) Please insert expansions for the following acronyms:
    - Abstract: TGT => Ticket Granting Ticket
    - Section 1, Paragraph 1: AS => Authentication Service
    - Section 1, Paragraph 1: TGS => Ticket Granting Service
    - Section 1, Paragraph 2: KDC => Key Distribution Center

(2) In section 11, 2nd last para, last sentence:
    OLD: The value for this padata item should be empty.
    NEW: The padata item MUST be empty on sending and the contents of the
         padata item MUST be ignored on receiving

(3) Section 6, in the ASN.1 fragment on page 9:
    OLD: login-aliases [0] SEQUENCE(1..MAX) OF PrincipalName,
    NEW: login-aliases [0] SEQUENCE (SIZE (1..MAX)) OF PrincipalName,

(4) Section 11, 3rd para:
    OLD: The KDC response is extended
    NEW: The KDC response [RFC4120] is extended
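The referral walk and the request-tamper check that the Technical Summary describes (the padata item of RFC Editor Note (2) is the client's way of asking for that check) are easier to see as an exchange with both sides' messages. The model below is an added example written for this page, not code from the draft, from MIT Kerberos, Heimdal or any other implementation. Everything in it is assumed: the realm names, service principals and routing table are constructed; JSON dicts stand in for the ASN.1 KDC-REQ/KDC-REP encodings; a cross-realm TGT is a plain record; HMAC-SHA256 keyed with a per-realm "reply key" stands in for a Kerberos checksum type; and the client-side referral limit (MAX_REFERRALS) and loop detection are a practitioner's precaution that the announcement does not itself discuss. The KDC computes the checksum over the request bytes it received and returns it in the encrypted part of the reply; the client recomputes it over the bytes it sent, so a request that an on-path party altered (here, a swapped service name or a stripped padata item) is rejected before the resulting ticket is used.

```python
"""Constructed model of the referral walk and request checksum described in
the Technical Summary.  Added for this page; not code from the draft or any
Kerberos implementation.  JSON dicts stand in for the ASN.1 KDC-REQ/KDC-REP,
a cross-realm TGT is a plain record, HMAC-SHA256 for a Kerberos checksum."""
import hashlib
import hmac
import json

# Constructed topology (assumed, not from the document).  Realm hosting each
# service principal; the last entry is deliberately mis-routed below.
SERVICE_REALM = {
    "host/www.example.com": "EXAMPLE.COM",
    "ldap/dc.corp.example.net": "CORP.EXAMPLE.NET",
    "cifs/fs.broken.example": "NOWHERE.EXAMPLE",
}
# Per KDC: target realm -> next realm it issues a cross-realm TGT for.
ROUTES = {
    "HOME.EXAMPLE.ORG": {"EXAMPLE.COM": "EXAMPLE.COM",
                         "CORP.EXAMPLE.NET": "EXAMPLE.COM",
                         "NOWHERE.EXAMPLE": "EXAMPLE.COM"},
    "EXAMPLE.COM": {"CORP.EXAMPLE.NET": "CORP.EXAMPLE.NET",
                    "NOWHERE.EXAMPLE": "CORP.EXAMPLE.NET"},
    "CORP.EXAMPLE.NET": {"NOWHERE.EXAMPLE": "EXAMPLE.COM"},  # closes a loop
}
# Key the client shares with each realm's KDC (in Kerberos: the session key
# of the TGT it presents there).  Constructed values.
SESSION_KEYS = {r: hashlib.sha256(r.encode()).digest() for r in ROUTES}
MAX_REFERRALS = 5  # assumed client-side bound on referrals followed

class ReferralLoop(Exception): pass
class TamperedRequest(Exception): pass

def encode(msg):
    """Deterministic 'wire' encoding standing in for DER."""
    return json.dumps(msg, sort_keys=True).encode()

def request_checksum(realm, req_bytes):
    """Keyed checksum over request bytes with that realm's reply key; stands
    in for the checksum the draft carries in the encrypted reply part."""
    return hmac.new(SESSION_KEYS[realm], req_bytes, hashlib.sha256).hexdigest()

def kdc_handle(realm, req_bytes):
    """One KDC's answer to a TGS-REQ: local service ticket, cross-realm TGT
    for the next hop on the referral path, or an error."""
    req = json.loads(req_bytes)
    target = SERVICE_REALM.get(req["sname"])
    if target is None or (target != realm and target not in ROUTES[realm]):
        return {"error": "KDC_ERR_S_PRINCIPAL_UNKNOWN"}
    if target == realm:
        rep = {"ticket": {"sname": req["sname"], "realm": realm}}
    else:
        nxt = ROUTES[realm][target]
        rep = {"ticket": {"sname": "krbtgt/" + nxt, "realm": realm},
               "referral": nxt}
    rep["enc-part"] = {}
    # The (empty) PA-REQ-ENC-PA-REP padata item asks for the checksum, which
    # is computed over the request bytes the KDC actually received.
    if "pa-req-enc-pa-rep" in req["padata"]:
        rep["enc-part"]["req-checksum"] = request_checksum(realm, req_bytes)
    return rep

def obtain_ticket(client_realm, sname, tamper=None):
    """Walk referrals from the client's own realm until a service ticket
    arrives.  `tamper`, if given, rewrites request bytes in transit and
    models an on-path attacker.  Returns (ticket, realms visited)."""
    realm, path = client_realm, [client_realm]
    for _ in range(MAX_REFERRALS + 1):
        req = {"realm": realm, "sname": sname, "canonicalize": True,
               "padata": ["pa-req-enc-pa-rep"]}  # the item itself is empty
        sent = encode(req)
        rep = kdc_handle(realm, tamper(sent) if tamper else sent)
        if "error" in rep:
            raise LookupError(realm + ": " + rep["error"])
        # Compare against what *we* sent.  A missing checksum fails as well:
        # we asked for one, so its absence means the request was altered.
        got = rep["enc-part"].get("req-checksum", "")
        if not hmac.compare_digest(got, request_checksum(realm, sent)):
            raise TamperedRequest("request to " + realm + " was modified")
        if "referral" not in rep:
            return rep["ticket"], path
        realm = rep["referral"]
        if realm in path:
            raise ReferralLoop(" -> ".join(path + [realm]))
        path.append(realm)
    raise ReferralLoop("more than %d referrals" % MAX_REFERRALS)

def rewrite(field, value):
    """On-path attacker model: returns a function that replaces one field of
    the encoded request while it is in transit."""
    def tamper(req_bytes):
        req = json.loads(req_bytes)
        req[field] = value
        return encode(req)
    return tamper

if __name__ == "__main__":
    print(obtain_ticket("HOME.EXAMPLE.ORG", "ldap/dc.corp.example.net"))
```

Running the module walks HOME.EXAMPLE.ORG -> EXAMPLE.COM -> CORP.EXAMPLE.NET for the LDAP service, collecting a cross-realm TGT at each hop and the service ticket at the last one. `obtain_ticket(..., rewrite("sname", "host/www.example.com"))` shows the tamper check firing: the KDC's checksum covers the altered request, not the one the client sent. `rewrite("padata", [])` shows why the client must also treat a missing checksum as failure, since an attacker who can edit the request can simply drop the padata item. The mis-routed `cifs/fs.broken.example` entry shows the loop detection; in real deployments a client without a bound on referrals would otherwise chase the cycle indefinitely.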