Common Authentication Technology Next Generation (kitten) --------------------------------------------------------- Charter Last Modified: 2011-12-09 Current Status: Active Working Group Chair(s): Shawn Emery Tom Yu Alexey Melnikov Security Area Director(s): Stephen Farrell Sean Turner Security Area Advisor: Stephen Farrell Mailing Lists: General Discussion:kitten@ietf.org To Subscribe: https://www.ietf.org/mailman/listinfo/kitten Archive: http://www.ietf.org/mail-archive/web/kitten/current/maillist.html Description of Working Group: The Generic Security Services (GSS) API and Simple Authentication and Security Layer (SASL) provide various applications with a security framework for secure network communication. The purpose of the Common Authentication Technology Next Generation (Kitten) working group (WG) is to develop extensions/improvements to the GSS-API, shepherd specific GSS-API security mechanisms, and provide guidance for any new SASL- related submissions. This working is chartered to specify the following extensions and improvements (draft-yu-kitten-api-wishlist-00) to the GSS-API: * Provide new interfaces for credential management, which include the following: initializing credentials iterating credentials exporting/importing credentials * Specify interface for asynchronous calls. * Negotiable replay cache avoidance * Define interfaces for better error message reporting. * Provide a more programmer friendly GSS-API for application developers. This could include reducing the number of interface parameters, for example, by eliminating parameters which are commonly used with the default values. * Specify an option for exporting partially-established security contexts and possibly a utility function for exporting security contexts in an encrypted form, as well as a corresponding utility function to decrypt and import such security context tokens. This WG is also chartered to finalize proposed SASL mechanisms as GSS-API mechanisms (based on RFC 5801): * A SASL Mechanism for OpenID draft-ietf-kitten-sasl-openid * SASL Mechanisms for SAML: draft-ietf-kitten-sasl-saml draft-cantor-ietf-kitten-saml-ec The SAML mechanism drafts will include applicability statement text to highlight when each is appropriate for use. * A SASL Mechanism for OAuth draft-mills-kitten-sasl-oauth The transition from SASL to GSS-API mechanisms will allow a greater set of applications to utilize said mechanisms with SASL implementations that support the use of GSS-API mechanisms in SASL (RFC 5801). This WG should review proposals for new SASL and GSS-API mechanisms, but may take on work on such mechanisms only through a revision of this charter. The WG should also review non-mechanism proposals related to SASL and the GSS-API. However, work that adds SASL or GSS-API support in application protocols is out of scope and should be handled by the corresponding application's WG. Deliverables: * GSS-API: initializing credentials * GSS-API: iterating credentials * GSS-API: exporting/importing credentials * GSS-API: specification for asynchronous calls * GSS-API: interfaces/improvements for better error message reporting * GSS-API: programmer friendly interfaces * SASL: SASL mechanism for OpenID * SASL: SASL mechanisms for SAML * SASL: SASL mechanism for OAuth * GSS-API: publish draft-ietf-kitten-gssapi-extensions-iana Goals and Milestones: Jul 2011 Submit SASL OpenID mechanism to the IESG as Proposed Standard Jul 2011 Submit naming-exts to the IESG as Proposed Standard Jul 2011 WGLC on gssapi-extensions-iana Aug 2011 Submit SASL SAML mechanisms to the IESG as Proposed Standard Sep 2011 Submit gssapi-extensions-iana to the IESG as Proposed Standard Internet-Drafts: Posted Revised I-D Title ------ ------- -------------------------------------------- May 2005 Dec 2011 GSS-API Naming Extensions Aug 2010 Nov 2011 A SASL & GSS-API Mechanism for OpenID Sep 2010 Oct 2011 A SASL and GSS-API Mechanism for SAML Aug 2011 Aug 2011 SAML Enhanced Client SASL and GSS-API Mechanisms Nov 2011 Nov 2011 A SASL and GSS-API Mechanism for OAuth Request For Comments: RFC Stat Published Title ------- -- ----------- ------------------------------------ RFC4178Standard Oct 2005 The Simple and Protected Generic Security ServiceApplication Program Interface (GSS-API) Negotiation Mechanism RFC4401Standard Feb 2006 A Pseudo-Random Function (PRF) API Extension for the Generic Security Service Application Program Interface (GSS-API) RFC4402Standard Feb 2006 A Pseudo-Random Function (PRF) for the Kerberos V Generic Security Service Application Program Interface (GSS-API) Mechanism RFC4768 I Dec 2006 Desired Enhancements to Generic Security Services Application Program Interface (GSS-API) Version 3 Naming RFC5178 PS May 2008 Generic Security Service Application Program Interface (GSS-API) Internationalization and Domain-Based Service Names and Name Type RFC5179 PS May 2008 Generic Security Service Application Program Interface (GSS-API) Domain-Based Service Names Mapping for the Kerberos V GSS Mechanism RFC5554 PS May 2009 Clarifications and Extensions to the Generic Security Service Application Program Interface (GSS-API) for the Use of Channel Bindings RFC5588 PS Jul 2009 Generic Security Service Application Program Interface (GSS-API) Extension for Storing Delegated Credentials RFC5587 PS Jul 2009 Extended Generic Security Service Mechanism Inquiry APIs RFC5653 PS Aug 2009 Generic Security Service API Version 2: Java Bindings Update RFC6331 I Jul 2011 Moving DIGEST-MD5 to Historic