Kerberos for Wireless Authentication
Jeffrey Hutzelman
jhutz at cmu.edu
Mon Jun 6 12:46:39 EDT 2005
On Monday, June 06, 2005 09:59:56 AM -0500 Nicolas Williams
<Nicolas.Williams at sun.com> wrote:
> On Mon, Jun 06, 2005 at 09:27:51AM -0500, Matt Crawford wrote:
>> >> I really think that working on this axis [IAKERB/Wireless Auth.]
>> >> should be amongst the milestones of kerberos wg.
>>
>> Work area for energetic contributors, yes. Milestones of the group,
>> no. IMO, of course.
>
> Such a mechanism could be pursued outside the KRB WG, either as an
> individual submission or in another WG (AAA?), and it could receive
> expert review from Kerberos V experts when and as needed.
IAKERB or something like it is clearly within the scope of this working
group; it was an "existing proposal" at the time the WG was formed. There
is no milestone because the group decided to drop the proposal, for various
reasons. As others have noted, one of the main reasons why no work has
been done recently in that space is because potential contributors are
currently involved in other work, and only have so much time.

If there are folks that want to reopen IAKERB, are willing to spend time on
it, and can convince the WG that this is the right approach, then I see no
problem with carrying on such work here. Of course, I would expect any
GSSAPI mechanism work to be reviewed in KITTEN as well. I think it would
be ill-advised to pursue any such work as an individual without input from
one or both of these working groups.

A while back there was a proposal for a Kerberos EAP method which would
have supported tunneling of Kerberos messages in a similar fashion to EAP,
allowing a client to communicate with its KDC to obtain credentials needed
for EAP authentication. This looked somewhat promising, and possibly a
better fit for network access applications than IAKERB, but to my knowledge
no work has been done on this in a while.

It's not clear to me that work on an EAP method is in scope for this WG,
though I'd be inclined towards "yes" by analogy to IAKERB. Perhaps Sam
would be willing to comment on this point. It clearly is not in scope for
the EAP WG, whose charter does not currently include standardizing new EAP
methods. However, I would expect any actual work in this area to be
reviewed in both WGs, even if pursued as individual work. Again, I think
it would be ill-advised to pursue such work without input from members of
one or both WGs.

I do not believe that either type of mechanism is within the scope of the
AAA working group, though a Diameter extension to tunnel krb5 messages
between Diameter servers likely would be. Those determinations are
ultimately up to the AAA chairs and the OPS ADs.

An extension to the Kerberos protocol such as Saber Zrelli proposed is
clearly not within the scope of AAA. Any such work should be done within
the Kerberos WG; I would not expect approval of a standards-track extension
to Kerberos that had passed review here. Note that in order to convince
this WG to take on such work, you will need to convince us that extending
Kerberos is the right way of solving the problem you describe, and that
your proposed extension is the right one. If you want it to happen in a
timely fashion, it of course would help to bring along people willing to do
some of the work (protocol design, document editing, etc); preferably such
people should be familiar with the Kerberos protocol and with the needs of
network operators with respect to the problem you are trying to solve.
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA