Using Kerberos Version 5 over the Transport Layer Security (TLS) Protocol
Note: This ballot was opened for revision 09 and is now closed.
(Tim Polk) Yes
(Jari Arkko) (was Discuss) No Objection
(Ron Bonica) No Objection
(Ross Callon) No Objection
(Ralph Droms) (was Discuss, No Objection) No Objection
(Lars Eggert) No Objection
(Adrian Farrel) No Objection
(Russ Housley) No Objection
(Cullen Jennings) No Objection
Alexey Melnikov (was Discuss) No Objection
To answer my previous comment: the id-krb5starttls-san OID is already allocated, so nothing needs to be done by IANA.
(Peter Saint-Andre) (was Discuss) No Objection
Per discussion with the author on the krb-wg list, the responsible AD shall add an RFC Editor note changing this existing text:

    Many client environments do not have secure long-term storage, which is required to validate certificates. This makes it impossible to use server certificate validation on a large number of client systems.

to this agreed-upon modification:

    In order to safely validate certificates, a client needs access to secure long-term storage. However, many client environments do not provide secure long-term storage (e.g., because the machine has been compromised). This makes it impossible to use server certificate validation on a large number of client systems.

NOTE: per further discussion to harmonize the proposed text with suggested text from Magnus Nystrom, the text will be changed to:

    Since many client environments do not have access to long-term storage, or to long-term storage that is sufficiently secure to enable validation of server certificates, the Kerberos V5 STARTTLS protocol does not require clients to verify server certificates.