[kitten] TLS with Kerberos + ECDHE, new draft

Rick van Rein (OpenFortress)

FYI, I have completed a new I-D version for integration of Kerberos
(entwined with ECDH) into TLS.  I announced it at the TLS-WG but thought
Kitten should know about it too.

The central choice made in this draft is to embed Kerberos Ticket +
Authenticator in the client X.509 Certificate, and use an Authenticator
as ClientVerify.  This is awkward, but it means that the rest of the
integration with TLS is very smooth.

> Name: draft-vanrein-tls-kdh
> Revision: 02
> Title: TLS-KDH: Kerberos + Diffie-Hellman in TLS
> Document date: 2016-03-11
> Group: Individual Submission
> Pages: 23
> URL:            https://www.ietf.org/internet-drafts/draft-vanrein-tls-kdh-02.txt
> Status:         https://datatracker.ietf.org/doc/draft-vanrein-tls-kdh/
> Htmlized:       https://tools.ietf.org/html/draft-vanrein-tls-kdh-02
> Diff:           https://www.ietf.org/rfcdiff?url2=draft-vanrein-tls-kdh-02
> Abstract:
>    This specification defines a TLS message flow with Kerberos-based
>    (mutual) authentication, binding in Elliptic-Curve Diffie-Hellman to
>    achieve Forward Secrecy for the session.

FWIW, a demonstration of the embedded Tickets in an X.509 certificate
can be found on https://github.com/arpa2/kerberos2pkix -- including a
shell dump and a certificate example.


Kitten mailing list