{"draft":"draft-ietf-kitten-pkinit-alg-agility-08","doc_id":"RFC8636","title":"Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) Algorithm Agility","authors":["L. Hornquist Astrand","L. Zhu","M. Cullen","G. Hudson"],"format":["ASCII","HTML"],"page_count":"21","pub_status":"PROPOSED STANDARD","status":"PROPOSED STANDARD","source":"Common Authentication Technology Next Generation","abstract":"This document updates the Public Key Cryptography for Initial\r\nAuthentication in Kerberos (PKINIT) standard (RFC 4556) to remove\r\nprotocol structures tied to specific cryptographic algorithms.  The\r\nPKINIT key derivation function is made negotiable, and the digest\r\nalgorithms for signing the pre-authentication data and the client's\r\nX.509 certificates are made discoverable.\r\n\r\nThese changes provide preemptive protection against vulnerabilities\r\ndiscovered in the future in any specific cryptographic algorithm and\r\nallow incremental deployment of newer algorithms.","pub_date":"July 2019","keywords":[],"obsoletes":[],"obsoleted_by":[],"updates":["RFC4556"],"updated_by":[],"see_also":[],"doi":"10.17487\/RFC8636","errata_url":null}