[674] in Kerberos
Solicitation for suggested protocol changes
daemon@TELECOM.MIT.EDU (John T Kohl)
Fri Mar 24 17:58:25 1989
From: John T Kohl <jtkohl@ATHENA.MIT.EDU>
To: Kerberos@ATHENA.MIT.EDU
Project Athena is preparing to upgrade the Kerberos PROTOCOL to clean it
up.
At the end of this message is a list of issues we are already aware of
and will consider for this revision. We would like to solicit
additional issues to be discussed for this protocol revision.
*** If you have any concerns which are not mentioned below ***
please send them to
krb-protocol@athena.mit.edu
[after 25 March]. Send mail to
kerberos-request@athena.mit.edu
to get added to krb-protocol. This list will be used for further
discussion of the proposed changes.
When new protocol concerns stop flowing in, we will compose a
DRAFT RFC as a strawman for the Version 5 protocol. This will be
distributed to krb-protocol for comments. After discussion and
consensus, the draft will be finalized and implementation will commence.
NOTE: At this point we are only asking for suggestions/requests for
PROTOCOL changes, NOT implementation changes. They will be dealt with
when implementation of the version 5 protocol begins.
John Kohl <jtkohl@ATHENA.MIT.EDU>
MIT Project Athena/Kerberos Development
for the entire Kerberos team
------ Known protocol issues ------
[sorry for the terse nature of this list, I am running short of time today]
name lengths should be bounded
specify character set for authentication names
Use net byte order
fix pcbc cipher block exchange problem in tickets (cksum, modified pcbc)
ticket lifetimes: (pick one or more)
    start/end dates
    inf. ticket lifetimes (maybe)
    postdated tickets
ticket field ordering to (minimally) hinder cracking susceptibility
possibly remove host addresses
allow array of address type/value pairs to identify host
remove service authentication name from ticket, use cksum instead
merge principal/instance into one field
support multiple encryption types
uni-directional trust between realms (two keys)
null realm in ticket ==> local realm (save enc. space)
Use Internet time for time stamps
authentication forwarding (with appropriate restrictions) between hosts
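As an added illustration (not part of John Kohl's message) of the "pcbc cipher block exchange problem" named in the list above: a small PCBC implementation over a toy block transform, showing that swapping two adjacent ciphertext blocks garbles only those two blocks while every later block still decrypts correctly, which is why the list proposes a checksum or a modified PCBC. The block transform, key, IV, sample plaintext and checksum are constructed stand-ins, not Kerberos's DES or its own ticket checksum.

```python
import hashlib

BLOCK = 8
MASK = (1 << 64) - 1
CONST = 0xA5A5A5A5A5A5A5A5

def _rotl(x, n): return ((x << n) | (x >> (64 - n))) & MASK
def _rotr(x, n): return ((x >> n) | (x << (64 - n))) & MASK
def _xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

# Toy invertible 64-bit block transform: a stand-in for DES, NOT a real cipher.
def toy_encrypt_block(key, block):
    return (_rotl(int.from_bytes(block, "big") ^ key, 13) ^ CONST).to_bytes(8, "big")

def toy_decrypt_block(key, block):
    return (_rotr(int.from_bytes(block, "big") ^ CONST, 13) ^ key).to_bytes(8, "big")

def pcbc_encrypt(key, iv, pt):
    chain, out = iv, []
    for i in range(0, len(pt), BLOCK):
        p = pt[i:i + BLOCK]
        c = toy_encrypt_block(key, _xor(p, chain))
        out.append(c)
        chain = _xor(p, c)          # PCBC chains plaintext XOR ciphertext forward
    return b"".join(out)

def pcbc_decrypt(key, iv, ct):
    chain, out = iv, []
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        p = _xor(toy_decrypt_block(key, c), chain)
        out.append(p)
        chain = _xor(p, c)
    return b"".join(out)

def swap_blocks(ct, i, j):
    b = [ct[k:k + BLOCK] for k in range(0, len(ct), BLOCK)]
    b[i], b[j] = b[j], b[i]
    return b"".join(b)

def checksum(data):
    # Stand-in for a ticket checksum; Kerberos's own algorithm is not modelled.
    return hashlib.sha256(data).digest()[:8]

def demo():
    key, iv = 0x0123456789ABCDEF, bytes(8)
    pt = b"blk0-aaablk1-bbbblk2-cccblk3-ddd"      # constructed: four 8-byte blocks
    ct = pcbc_encrypt(key, iv, pt)
    tampered = pcbc_decrypt(key, iv, swap_blocks(ct, 1, 2))
    # Blocks 1 and 2 come out garbled, but block 3 is intact: the chain value
    # (P XOR C) after an adjacent pair is the same whichever order the pair is
    # in, so PCBC by itself does not expose the exchange. A checksum does.
    return pt, tampered, checksum(tampered) == checksum(pt)
```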