kx509 Kerberized Certificate Issuance Protocol in Use in 2012
draft-hotz-kx509-06

[Ballot comment]
[*** Update: the following comment has been addressed in the -05 version; thanks! ***]

Stephen notes my concern about the "not (previously) standardized" bit in the abstract.  But I want to elevate it above a kinda-sorta comment, and say that this document *does* constitute an end run around krb-wg if "(previously)" is not removed, in that it tries to mislead readers about the standard status of this document, and only krb-wg can write a kerberos standard.  (I'm sure that's not the intent, and that the author will likely be happy to remove the word; I just want to be sure about keeping it on the record.)

[Ballot comment]
Nice capture of issues by Stephen in the IESG note in the write-up. (Not sure this is the right place to capture it, but so long as the ISE finds it, who cares?)

IANA has reviewed draft-hotz-kx509-04 and has the following comments:

IANA would have a question about this document.

IANA Action:
In the GSSAPI/Kerberos/SASL Service names registry in the Generic
Security Service Application Program Interface (GSSAPI)/Kerberos/Simple
Authentication and Security Layer (SASL) Service Names registry
located at:

http://www.iana.org/assignments/gssapi-service-names/gssapi-service-names.xml

a new service name would be added as follows:

Service Name: kca_service
Usage: Kerberized Certificate Authority
Reference: [ RFC-to-be ]

However, the document says:

"This service is conventionally run on UDP port 9878, but this memo
does not request that IANA standardize the port number."

Unless there is a reason not to, IANA requests that the document
request that port be allocated to the Kerberized Certificate Issuance
Protocol.

[Ballot discuss]
Stephen notes my concern about the "not (previously) standardized" bit in the abstract.  But I want to elevate it above a kinda-sorta comment, and say that this document *does* constitute an end run around krb-wg if "(previously)" is not removed, in that it tries to mislead readers about the standard status of this document, and only krb-wg can write a kerberos standard.  (I'm sure that's not the intent, and that the author will likely be happy to remove the word; I just want to be sure about keeping it on the record.)

[Ballot discuss]
Stephen notes my concern about the "not (previously) standardized" bit in the abstract.  But I want to elevate it above a kinda-sorta comment, and say that this document *does* constitute an end run around krb-wg if "(previously)" is not removed, in that it tries to mislead readers about the standard status of this document, and only krb-wg can write a kerberos standard.

The draft draft--hotz-kx509-04
is ready for publication from the Independent Stream.
Please ask IESG to review it, as set out in RFC 5742.

The following is some background for this draft, please forward it
to IESG along with this request ...

This draft's abstract says:
This document describes a protocol, called kx509, for using Kerberos
tickets to acquire X.509 certificates. These certificates may be
used for many of the same purposes as X.509 certificates acquired by
other means, but if a Kerberos infrastructure already exists then the
overhead of using kx509 may be much less.

While not (previously) standardized, this protocol is already in use
at several large organizations, and certificates issued with this
protocol are recognized by the International Grid Trust Federation.

It was reviewed by Jim Schaad, who suggested several improvements.
The authors have made these, I believe this version is ready for
publication.

Thanks, Nevil (ISE)

PS, for IANA:
I'm ccing you on this because its IANA Considerations section says:
IANA is requested to add "kca_service" as a GSSAPI/Kerberos/SASL
service name for a "Kerberized Certificate Authority".

This service is conventionally run on UDP port 9878, but this memo
does not request that IANA standardize the port number.

Please review this request.