Common Authentication Technology Next Generation (kitten)
---------------------------------------------------------

 Charter
 Last Modified: 2011-12-09

 Current Status: Active Working Group

 Chair(s):
     Shawn Emery  <shawn.emery@oracle.com>
     Tom Yu  <tlyu@mit.edu>
     Alexey Melnikov  <alexey.melnikov@isode.com>

 Security Area Director(s):
     Stephen Farrell  <stephen.farrell@cs.tcd.ie>
     Sean Turner  <turners@ieca.com>

 Security Area Advisor:
     Stephen Farrell  <stephen.farrell@cs.tcd.ie>

 Mailing Lists: 
     General Discussion: kitten@ietf.org
     To Subscribe:      https://www.ietf.org/mailman/listinfo/kitten
     Archive:           http://www.ietf.org/mail-archive/web/kitten/current/maillist.html

Description of Working Group:

The Generic Security Services (GSS) API and Simple Authentication and
Security Layer (SASL) provide various applications with a security
framework for secure network communication. The purpose of the Common
Authentication Technology Next Generation (Kitten) working group (WG) is
to develop extensions/improvements to the GSS-API, shepherd specific
GSS-API security mechanisms, and provide guidance for any new SASL-
related submissions.

This working group is chartered to specify the following extensions and
improvements (draft-yu-kitten-api-wishlist-00) to the GSS-API:

* Provide new interfaces for credential management, which include the
following:
   initializing credentials
   iterating credentials
   exporting/importing credentials

* Specify an interface for asynchronous calls.

* Negotiable replay cache avoidance

* Define interfaces for better error message reporting.

* Provide a more programmer-friendly GSS-API for application developers.
This could include reducing the number of interface parameters, for
example, by eliminating parameters that are commonly passed with their
default values.

* Specify an option for exporting partially-established security
  contexts and possibly a utility function for exporting security
  contexts in an encrypted form, as well as a corresponding utility
  function to decrypt and import such security context tokens.

This WG is also chartered to finalize proposed SASL mechanisms as
GSS-API mechanisms (based on RFC 5801):

* A SASL Mechanism for OpenID

   draft-ietf-kitten-sasl-openid


* SASL Mechanisms for SAML:

   draft-ietf-kitten-sasl-saml
   draft-cantor-ietf-kitten-saml-ec

The SAML mechanism drafts will include applicability statement text to
highlight when each is appropriate for use.

* A SASL Mechanism for OAuth

   draft-mills-kitten-sasl-oauth

The transition from SASL to GSS-API mechanisms will allow a greater set
of applications to utilize said mechanisms with SASL implementations
that support the use of GSS-API mechanisms in SASL (RFC 5801).

This WG should review proposals for new SASL and GSS-API mechanisms, but
may take on work on such mechanisms only through a revision of this
charter. The WG should also review non-mechanism proposals related to
SASL and the GSS-API. However, work that adds SASL or GSS-API support in
application protocols is out of scope and should be handled by the
corresponding application's WG.

Deliverables:

* GSS-API: initializing credentials

* GSS-API: iterating credentials

* GSS-API: exporting/importing credentials

* GSS-API: specification for asynchronous calls

* GSS-API: interfaces/improvements for better error message reporting

* GSS-API: programmer friendly interfaces

* SASL: SASL mechanism for OpenID

* SASL: SASL mechanisms for SAML

* SASL: SASL mechanism for OAuth

* GSS-API: publish draft-ietf-kitten-gssapi-extensions-iana

 Goals and Milestones:

   Jul 2011       Submit SASL OpenID mechanism to the IESG as Proposed Standard 

   Jul 2011       Submit naming-exts to the IESG as Proposed Standard 

   Jul 2011       WGLC on gssapi-extensions-iana 

   Aug 2011       Submit SASL SAML mechanisms to the IESG as Proposed Standard 

   Sep 2011       Submit gssapi-extensions-iana to the IESG as Proposed Standard 


 Internet-Drafts:

Posted Revised         I-D Title   <Filename>
------ ------- --------------------------------------------
May 2005 Dec 2011   <draft-ietf-kitten-gssapi-naming-exts-12.txt>
                GSS-API Naming Extensions 

Aug 2010 Feb 2012   <draft-ietf-kitten-sasl-openid-08.txt>
                A SASL & GSS-API Mechanism for OpenID 

Sep 2010 Feb 2012   <draft-ietf-kitten-sasl-saml-09.txt>
                A SASL and GSS-API Mechanism for SAML 

Aug 2011 Aug 2011   <draft-ietf-kitten-sasl-saml-ec-00.txt>
                SAML Enhanced Client SASL and GSS-API Mechanisms 

Nov 2011 Nov 2011   <draft-ietf-kitten-sasl-oauth-00.txt>
                A SASL and GSS-API Mechanism for OAuth 

 Request For Comments:

  RFC      Stat      Published   Title
-------  --------  ----------  ------------------------------------
RFC4178  Standard  Oct 2005    The Simple and Protected Generic Security
                               Service Application Program Interface (GSS-API)
                               Negotiation Mechanism

RFC4401  Standard  Feb 2006    A Pseudo-Random Function (PRF) API Extension for the
                               Generic Security Service Application Program Interface
                               (GSS-API)

RFC4402  Standard  Feb 2006    A Pseudo-Random Function (PRF) for the Kerberos V
                               Generic Security Service Application Program Interface
                               (GSS-API) Mechanism

RFC4768  I         Dec 2006    Desired Enhancements to Generic Security Services
                               Application Program Interface (GSS-API) Version 3 Naming

RFC5178  PS        May 2008    Generic Security Service Application Program Interface
                               (GSS-API) Internationalization and Domain-Based Service
                               Names and Name Type

RFC5179  PS        May 2008    Generic Security Service Application Program Interface
                               (GSS-API) Domain-Based Service Names Mapping for the
                               Kerberos V GSS Mechanism

RFC5554  PS        May 2009    Clarifications and Extensions to the Generic Security
                               Service Application Program Interface (GSS-API) for the
                               Use of Channel Bindings

RFC5588  PS        Jul 2009    Generic Security Service Application Program Interface
                               (GSS-API) Extension for Storing Delegated Credentials

RFC5587  PS        Jul 2009    Extended Generic Security Service Mechanism Inquiry APIs

RFC5653  PS        Aug 2009    Generic Security Service API Version 2: Java Bindings
                               Update

RFC6331  I         Jul 2011    Moving DIGEST-MD5 to Historic