kx509 Kerberized Certificate Issuance Protocol in Use in 2012
Draft of message to be sent after approval:
From: The IESG <email@example.com>
To: "Nevil Brownlee" <firstname.lastname@example.org>
Cc: The IESG <email@example.com>, <firstname.lastname@example.org>, <email@example.com>
Subject: Results of IETF-conflict review for <draft-hotz-kx509-05.txt>

The IESG has completed a review of <draft-hotz-kx509> consistent with RFC5742. This review is applied to all non-IETF streams.

The IESG has no problem with the publication of 'KX509 Kerberized Certificate Issuance Protocol in Use in 2012' <draft-hotz-kx509-05.txt> as an Informational RFC.

The IESG would also like the RFC-Editor to review the comments in the datatracker (http://datatracker.ietf.org/doc/draft-hotz-kx509/) related to this document and determine whether or not they merit incorporation into the document. Comments may exist in both the ballot and the history log.

A URL of this Internet Draft is:
http://datatracker.ietf.org/doc/draft-hotz-kx509/

The process for such documents is described at http://www.rfc-editor.org/indsubs.html

Thank you,

The IESG Secretary
Technical Summary

This document describes a protocol, called kx509, for using Kerberos tickets to acquire X.509 certificates. These certificates may be used for many of the same purposes as X.509 certificates acquired by other means, but if a Kerberos infrastructure already exists, the overhead of using kx509 may be much less. While not (previously) standardized, this protocol is already in use at several large organizations, and certificates issued with this protocol are recognized by the International Grid Trust Federation.

Working Group Summary

This document is an independent submission undergoing RFC 5742 review.

Document Quality

Stephen Farrell reviewed the document according to RFC 5472 and recommends responding that the IESG has no problem with the publication of draft-hotz-kx509 as an Informational RFC.

Personnel

Stephen Farrell (firstname.lastname@example.org) is the AD managing the 5472 review. Russ Allbery (email@example.com) is the document shepherd.

RFC Editor Note

The IESG has concluded that this work is related to IETF work done in the kerberos and pkix working groups, but this relationship does not prevent publishing.

IESG Note

The following comments are offered for the ISE and authors to take into account.

- 2.1: I'm not clear if the RSA public key is input to the hash as a DER-encoded RSAPublicKey or a DER-encoded (self-signed?) Certificate structure. Appendix C probably does make that clear, but I didn't try to parse the DER to check for sure.