[kitten] Last Call: <draft-ietf-kitten-krb-spake-preauth-07.txt> (SPAKE Pre-Authentication) to Proposed Standard
The IESG has received a request from the Common Authentication Technology
Next Generation WG (kitten) to consider the following document: - 'SPAKE
<draft-ietf-kitten-krb-spake-preauth-07.txt> as Proposed Standard
The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
[hidden email] mailing lists by 2020-05-26. Exceptionally, comments may
be sent to [hidden email] instead. In either case, please retain the beginning
of the Subject line to allow automated sorting.
This document defines a new pre-authentication mechanism for the
Kerberos protocol that uses a password authenticated key exchange.
This document has three goals. First, increase the security of
Kerberos pre-authentication exchanges by making offline brute-force
attacks infeasible. Second, enable the use of second factor
authentication without relying on FAST. This is achieved using the
existing trust relationship established by the shared first factor.
Third, make Kerberos pre-authentication more resilient against time
synchronization errors by removing the need to transfer an encrypted
timestamp from the client.