Kerberos Authorization Data Container Authenticated by Multiple Message Authentication Codes (MACs)
RFC 7751

Approval announcement
Draft of message to be sent after approval:

From: The IESG <>
To: "IETF-Announce" <>
Cc:,,,, "The IESG" <>,,
Subject: Protocol Action: 'Kerberos Authorization Data Container Authenticated by Multiple MACs' to Proposed Standard (draft-ietf-kitten-cammac-04.txt)

The IESG has approved the following document:
- 'Kerberos Authorization Data Container Authenticated by Multiple MACs'
  (draft-ietf-kitten-cammac-04.txt) as Proposed Standard

This document is the product of the Common Authentication Technology Next
Generation Working Group.

The IESG contact persons are Stephen Farrell and Kathleen Moriarty.

A URL of this Internet Draft is:

Technical Summary

   This document specifies a Kerberos Authorization Data
   container that supersedes AD-KDC-ISSUED.  It allows for multiple
   Message Authentication Codes (MACs) or signatures to authenticate the
   contained Authorization Data elements.  This document updates RFC

Working Group Summary

The review process for this document was quite spread out in time, with
action occurring in occasional bursts.  Almost all of the Kerberos
experts who regularly participate in the WG have contributed to
reviewing this document at some point in its history, but not
necessarily all at the same time.  There was a lot of discussion around
the time of the initial few revisions, but then a lull in activity.
Eventually it got a lot of review comments, which resulted in some
(substantive, but relatively minor) changes to the specification.  It
was unclear what level of review those changes had received, after
essentially no comments were received during a WGLC period for the -08,
so we solicited further comments at that time, and got thorough review
from two Kerberos experts, which the shepherd believes is sufficient.
These post-WGLC reviews were largely editorial, but there were four
issues of substance that were raised, two of which received heavy

There was a second last call for this document - an error was discovered
when this was in the RFC editor queue, it was taken back to the WG
and is now ready to jump all the hoops again.

Document Quality

There are not currently any implementations, but Red Hat and MIT plan
to collaborate to produce an implementation.  MIT has a partial
implementation of an en/decoder for the ASN.1 types. (Not sure if
that's still correct, but I guess it can't have gotten worse:-)


  The document shepherd is Benjamin Kaduk.  
  The irresponsible Area Director is Stephen Farrell.