The cross-realm problem statement document previously passed last call in
this working group and was forwarded to the IESG for consideration for
publication as an informational RFC. During IETF last call, comments and
additional input were received which resulted in substantial changes to the
document. As a result, this note announces the start of a new three-week
last call within the Kerberos Working Group on whether to send the revised
document to the IESG.

It is my belief that the last paragraph of the revised abstract (quoted
below) attempts to turn what began as a problem statement document into a
requirements document, and that we do not have consensus for this change.
As a result, I have informed the authors that that paragraph will need to
be removed when the document is revised to address last call comments. If
anyone disagrees with this assessment, please let me know.

Title: Problem statement on the cross-realm operation of Kerberos
Filename: draft-ietf-krb-wg-cross-problem-statement-05.txt
Intended Status: Informational

The Kerberos protocol is today one of the most widely deployed
authentication protocols in the Internet. In order for a Kerberos
deployment to operate in a scalable manner, different Kerberos realms
must interoperate in such a way that cross-realm operations can be
performed efficiently and securely.

This document provides background information regarding large scale
Kerberos deployments in the industrial sector, with the aim of
identifying issues in the current Kerberos cross-realm authentication
model as defined in RFC4120.

As industrial automation is moving towards wider adoption of Internet
standards, the Kerberos authentication protocol represents one of the
best alternatives for ensuring the confidentiality and the integrity
of communications in control networks while meeting performance and
security requirements.

However, the use of Kerberos cross-realm operations in large scale
industrial systems may introduce issues that could cause performance
and reliability problems. This document describes some examples of
actual large scale industrial systems, and lists requirements and
restriction regarding authentication operations in such environments.

The current document also identifies a number of requirements derived
from the industrial automation field. Although they are found in the
field of industrial automation, these requirements are general enough
and are applicable to the problem of Kerberos cross-realm operations.
These requirements need to be satisfied by proposed Kerberos cross-
realm frameworks or architectures, as well as specific solutions that
implement those frameworks or architectures.

This last call will expire at 23:59 EDT on Nov 30, 2009. Note that this
provides more than the usual amount of time for comments, due to the
ongoing 76th IETF meeting in Hiroshima.

Please review this document and send any comments to the Kerberos Working
Group mailing list, <ietf-krb-wg@...>, by that date. The file can be
obtained via
http://tools.ietf.org/html/draft-ietf-krb-wg-cross-problem-statement-05

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@...>
Co-Chair, IETF Kerberos Working Group
Carnegie Mellon University - Pittsburgh, PA