This document updates the Public Key Cryptography for Initial
Authentication in Kerberos (PKINIT) standard (RFC 4556) to remove
protocol structures tied to specific cryptographic algorithms. The
PKINIT key derivation function is made negotiable, and the digest
algorithms for signing the pre-authentication data and the client's
X.509 certificates are made discoverable.
These changes provide preemptive protection against vulnerabilities
discovered in the future in any specific cryptographic algorithm and
allow incremental deployment of newer algorithms.
This document is a product of the Common Authentication Technology Next Generation Working Group of the IETF.
This is now a Proposed Standard.
STANDARDS TRACK: This document specifies an Internet Standards Track
protocol for the Internet community, and requests discussion and suggestions
for improvements. Please refer to the current edition of the Official
Internet Protocol Standards (https://www.rfc-editor.org/standards) for the
standardization state and status of this protocol. Distribution of this
memo is unlimited.
Requests for special distribution should be addressed to either the
author of the RFC in question, or to [hidden email]. Unless
specifically noted otherwise on the RFC itself, all RFCs are for
The RFC Editor Team
Association Management Solutions, LLC