logo_kerberos.gif

Difference between revisions of "Roadmap"

From K5Wiki
Jump to: navigation, search
(Current roadmap items)
Line 5: Line 5:
 
Target 12 month cycle. (plus/minus 2 months)
 
Target 12 month cycle. (plus/minus 2 months)
   
Releases will have a 2-year maintenance lifetime, subject to changes based on sponsor or community input.
+
Releases will have a 2-year maintenance lifetime, subject to changes based on community input.
   
 
; [[Release_1.8|krb5-1.8]]
 
; [[Release_1.8|krb5-1.8]]
Line 32: Line 32:
   
 
; [[Release_1.14|krb5-1.14]]
 
; [[Release_1.14|krb5-1.14]]
: Branch Aug. 2015
+
: Branch Sep. 2015
: Release Oct. 2015
+
: Release Nov. 2015
   
 
; [[Release_1.15|krb5-1.15]]
 
; [[Release_1.15|krb5-1.15]]
Line 50: Line 50:
 
== Current roadmap items ==
 
== Current roadmap items ==
   
This list will probably eventually be superseded by the backlog at https://ist-jira.atlassian.net/issues/?filter=16402
+
This list will probably eventually be superseded by the [https://ist-jira.atlassian.net/issues/?filter=16402 KRB JIRA backlog].
  +
Target releases for roadmap items are subject to change.
  +
  +
=== krb5-1.15 ===
  +
  +
* [[Projects/SPAKE_Preauthentication]]
  +
* [[Projects/Reporting-friendly KDB dump format improvements]]
  +
* [[Projects/NAPTR|URI discovery for KDC HTTP proxy]]
  +
* Query to efficiently report when a principal is locked out due to password failures
  +
  +
=== krb5-1.16 ===
  +
  +
* Forward secrecy for AP-REQ/AP-REP exchange
  +
* [[Projects/Graceful_recovery_after_destructive_service_rekey]]
  +
  +
== Long-term roadmap items ==
   
 
=== Code quality ===
 
=== Code quality ===
Line 88: Line 88:
 
=== Administrator Experience ===
 
=== Administrator Experience ===
   
  +
* Plugin for kadmin authorizations
  +
* Move more realm-global configuration into KDB
 
* Add interface to purge old keys (1.8 patch?)
 
* Add interface to purge old keys (1.8 patch?)
 
* Add interface to delete keys of specific enctypes (1.8 patch?)
 
* Add interface to delete keys of specific enctypes (1.8 patch?)

Revision as of 16:17, 30 November 2015

This is the outline of the development roadmap for MIT Kerberos. A more comprehensive list of projects is also available; some individual projects have links below.

Timeline

Target 12 month cycle. (plus/minus 2 months)

Releases will have a 2-year maintenance lifetime, subject to changes based on community input.

krb5-1.8
Branch Jan. 2009
Release early Mar. 2010
krb5-1.9
Branch Oct. 2010
Release Dec. 2010
krb5-1.10
Branch Oct. 2011
Release Dec. 2011
krb5-1.11
Branch Oct. 2012
Release Dec. 2012
krb5-1.12
Branch Oct. 2013
Release Dec. 2013
krb5-1.13
Branch Aug. 2014
Release Oct. 2014
krb5-1.14
Branch Sep. 2015
Release Nov. 2015
krb5-1.15
Branch Aug. 2016
Release Oct. 2016

Guiding principles

  • Code quality
  • Developer experience (including modularity)
  • End-user experience
  • Administrator experience
  • Performance
  • Protocol evolution

Current roadmap items

This list will probably eventually be superseded by the KRB JIRA backlog. Target releases for roadmap items are subject to change.

krb5-1.15

krb5-1.16

Long-term roadmap items

Code quality

  • Move toward test-driven development
  • Increase conformance to coding style
    • Selective refactoring
    • Continue formatting cleanup
  • Use cyclomatic complexity metrics to identify cleanup targets

Developer experience

  • Crypto modularity -- make sure PKCS#11 etc. work well
  • API documentation
  • Support readily building subsets
    • "Lite" client
    • "Lite" server
  • KDC Database modularity (long-term)
    • SQLite back end
    • Does the existing DAL make sense?
    • Make data model less "blobby"
    • Track IETF data model work
  • Plugin support improvements
    • GSS-API mechanism glue
    • DNS / host-to-realm mapping
  • Secure co-processor ("would be nice")
  • GSS proxy
  • interposition capability for GSS mechs (useful for GSS proxy) -- external for 1.11
  • Use default keytab for gss_init_sec_context
  • gss_export_cred (useful for async GSS proxy)
  • Improve ASN.1 support code (better support for plugins that need to encode/decode their own ASN.1 types)

End-user experience

  • Improve credential management

Administrator Experience

  • Plugin for kadmin authorizations
  • Move more realm-global configuration into KDB
  • Add interface to purge old keys (1.8 patch?)
  • Add interface to delete keys of specific enctypes (1.8 patch?)
  • Disable enctypes at compile time (1.8 patch?)
  • Improve IPv6 support
  • Improve key rollover
    • Application service keys
  • Decrease DNS-related fragility
  • Plugins for login failure lockout
  • Plugins for audit support
  • Plugins for ticket issuance access control
  • Plugins for domain-realm mapping
  • Friendlier smart card support
  • FAST OTP client in libkrb5 (maybe excluding second-level plugins hardware OTP tokens)
  • Multiple logging levels for trace logging

Performance

  • Decrease DNS traffic
  • Client resolution of KDC (etc.) addresses can be very slow. Decouple address resolution from initiation of KDC communications. (requires some redesign of internal interfaces)
  • Replay cache ("rcache")
    • Improve implementation
    • Support disabling by service type name
  • Enhancements to improve concurrency
    • Explicit state
    • Reduce mutex contention
    • Support asynchronous APIs and frameworks such as Apple's Grand Central Dispatch; begin refactoring code to make this easier

Protocol evolution

  • International strings in protocol (need IETF feedback)
    • Principal names
    • Error strings, etc. (need language tag negotiation)
  • Timestamp-independence
  • Replay-proofing protocols
  • Encryption algorithm updates (SHA-2, SHA-3, CCM, GCM)
  • PKU2U
  • One time password support
  • Multiply-authenticated authorization data container
  • POSIX IDs in authorization data
  • Level of Assurance in authorization data
  • Site-defined string-keyed claims in authorization data
  • X.509 attributes in authorization data
  • FAST preauth sets (e.g. OTP + long-term password)

Completed roadmap items

See Roadmap (completed items).