This document specifies an updated Public Key Cryptography for Initial
Authentication in Kerberos (PKINIT, rfc4556) which is not dependent on
SHA-1. In particular, it describes negotiation for Key Derivation
Functions, and includes test vectors for these schemes.
This is a Standards Track document since its core goal is to update
PKINIT, which is a standard part of Kerberos implementations.
Accordingly, it updates rfc4556 (PKINIT), which is Standards Track.
Working Group Summary
This document has been around for quite a long time, originally part of
krb-wg before being taken up by kitten in the re-charter. Implementations
have existed in both MIT krb5 and Heimdal since 2011 and 2008,
respectively. Most shaping review happened under krb-wg, but those
contributors are also participants in kitten.
This document received review and/or implementation from a significant
number of working group contributors. In an ideal world it would have been published much
sooner, but has been repeatedly deprioritized in favor of other work.
There are two independent implementations that interoperate and validate
the test vectors.
Robbie Harwood is the document shepherd. Benjamin Kaduk is the
responsible Area Director.