---

title: 1.2.3 - Standards navPrev: 1.2.2-microsoft-compatibility.html navPrevText: 1.2.2 - Microsoft compatibility navUp: 1.2-resources.html navUpText: 1.2 - Resources navNext: 2-kerberos-config.html navNextText: 2 - Kerberos Configuration

1.2.3 - Standards

The Kerberos Protocol is based on public RFCs. There is also a Kerberos woking group at the IETF, you can check this page.

Obsoleted RFCs

• RFC 1411 - Telnet Authentication: Kerberos Version 4
• RFC 1510 - The Kerberos Network Authentication Service (V5) (Obsoleted by 4120, 6649)

Valid RFS and updates

• RFC 1964 - The Kerberos Version 5 GSS-API Mechanism (updated by 4121, 6649)
• RFC 2623 - NFS Version 2 and Version 3 Security Issues and the NFS Protocol's Use of RPCSEC_GSS and Kerberos V5
• RFC 2712 - Addition of Kerberos Cipher Suites to Transport Layer Security (TLS)
• RFC 2942 - Telnet Authentication: Kerberos Version 5
• RFC 3244 - Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols
• RFC 3961 - Encryption and Checksum Specifications for Kerberos 5
• RFC 3962 - Advanced Encryption Standard (AES) Encryption for Kerberos 5
• RFC 4120 - The Kerberos Network Authentication Service (V5) (Updated by 4537, 5021, 5896, 6111, 6112, 6113, 6649, 6806)
• RFC 4121 - The Kerberos Generic Security Service Application Program Interface (GSS-API) Mechanism: Version 2 (Updated by 6112, 6542, 6649)
• RFC 4402 - A Pseudo-Random Function (PRF) for the Kerberos V Generic Security Service Application Program Interface (GSS-API) Mechanism
• RFC 4537 - Kerberos Cryptosystem Negotiation Extension
• RFC 4556 - Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) (updated by 6612)
• RFC 4557 - Online Certificate Status Protocol (OCSP) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)
• RFC 4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows
• RFC 4752 - The Kerberos V5 (“GSSAPI”) Simple Authentication and Security Layer (SASL) Mechanism
• RFC 4757 - The RC4-HMAC Kerberos Encryption Types Used by Microsoft Windows (updated by 6649)
• RFC 5021 - Extended Kerberos Version 5 Key Distribution Center (KDC) Exchanges over TCP
• RFC 5179 - Generic Security Service Application Program Interface (GSS-API) Domain-Based Service Names Mapping for the Kerberos V GSS Mechanism
• RFC 5349 - Elliptic Curve Cryptography (ECC) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)
• RFC 5868 - Problem Statement on the Cross-Realm Operation of Kerberos
• RFC 5896 - Generic Security Service Application Program Interface (GSS-API): Delegate if Approved by Policy
• RFC 6111 - Additional Kerberos Naming Constraints
• RFC 6112 - Anonymity Support for Kerberos
• RFC 6113 - A Generalized Framework for Kerberos Pre-Authentication
• RFC 6251 - Using Kerberos Version 5 over the Transport Layer Security (TLS) Protocol
• RFC 6448 - The Unencrypted Form of Kerberos 5 KRB-CRED Message
• RFC 6542 - Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Channel Binding Hash Agility
• RFC 6560 - One-Time Password (OTP) Pre-Authentication
• RFC 6649 - Deprecate DES, RC4-HMAC-EXP, and Other Weak Cryptographic Algorithms in Kerberos
• RFC 6784 - Kerberos Options for DHCPv6
• RFC 6803 - Camellia Encryption for Kerberos 5
• RFC 6806 - Kerberos Principal Name Canonicalization and Cross-Realm Referrals

Here are some drafts :

• draft-burgin-kerberos-aes-cbc-hmac-sha2 - AES Encryption with HMAC-SHA2 for Kerberos 5
• draft-burgin-kerberos-suiteb - Suite B Profile for Kerberos 5
• draft-ietf-kitten-kerberos-iana-registries - Move Kerberos protocol parameter registries to IANA
• draft-ietf-krb-wg-cammac - Kerberos Authorization Data Container Authenticated by Multiple MACs
• draft-ietf-krb-wg-kdc-model - An information model for Kerberos version 5
• draft-ietf-krb-wg-pkinit-alg-agility - PKINIT Algorithm Agility
• draft-perez-krb-wg-gss-preauth - GSS-API pre-authentication for Kerberos draft-perez-krb-wg-gss-preauth-02