A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Common Authentication Technology Next Generation WG of the IETF.
Title : PKINIT Algorithm Agility
Authors : Love Hornquist Astrand
Filename : draft-ietf-kitten-pkinit-alg-agility-08.txt
Pages : 20
Date : 2019-04-20
This document updates the Public Key Cryptography for Initial
Authentication in Kerberos standard (PKINIT) [RFC4556], to remove
protocol structures tied to specific cryptographic algorithms. The
PKINIT key derivation function is made negotiable, and the digest
algorithms for signing the pre-authentication data and the client's
X.509 certificates are made discoverable.
These changes provide preemptive protection against vulnerabilities
discovered in the future against any specific cryptographic
algorithm, and allow incremental deployment of newer algorithms.