Kerberos WG
[101,130] define the well-known Kerberos Protocol (v5). The protocol has many subprotocols, including: Protocol krb-core (45) the core Kerberos protocol, Protocol krb-renew (46), which uses renewable tokens, Protocol krb-forward (47), using forwardable tokens, and Protocol krb-cross-realm (48), allowing cross-realm authentication.
Protocol bootstrap-krb (49), defined in [190], is a mechanism to obtain a Kerberos Ticket Granting Ticket based on a successful AAA authentication and key agreement message exchange. Such a AAA exchange is likely to be executed as part of a network access procedure. This proposal therefore allows Kerberos to be used within a local network without relying on a global Kerberos infrastructure and should allow an incremental deployment of Kerberos and in general a wider distribution of Kerberos into mobile environments without requiring a global Kerberos infrastructure.
Kerberos Set/Change Password (Version 2), Protocol krb-password (50), is defined in [178,185].
Protocol krb-securecard (51), defined in [129], integrates Single-use Authentication Mechanisms based on the SecureCard within Kerberos.
Each one of those seven protocols, (Protocol krb-core, Protocol krb-renew, Protocol krb-forward, Protocol krb-cross-realm, Protocol bootstrap-krb, Protocol krb-password, and Protocol krb-securecard) should provide Fresh Key Agreement and 3P-Authorization (G1-3,6,7,10,12).