Using Kerberos Version 5 over the Transport Layer Security (TLS) Protocol
RFC 6251

Note: This ballot was opened for revision 09 and is now closed.

(Tim Polk) Yes

(Jari Arkko) (was Discuss) No Objection

(Ron Bonica) No Objection

(Ross Callon) No Objection

(Ralph Droms) (was Discuss, No Objection) No Objection

(Lars Eggert) No Objection

(Adrian Farrel) No Objection

(Russ Housley) No Objection

(Cullen Jennings) No Objection

Alexey Melnikov (was Discuss) No Objection

Comment (2010-02-03)
To answer my previous comment: the id-krb5starttls-san OID is already allocated, so nothing needs to be done by IANA.

(Peter Saint-Andre) (was Discuss) No Objection

Comment (2010-08-16)
Per discussion with the author on the krb-wg list, the responsible AD shall add an RFC Editor note changing this existing text:

   Many client environments do not have secure long-term storage, which
   is required to validate certificates.  This makes it impossible to
   use server certificate validation on a large number of client
   systems.

to this agreed-upon modification:

   In order to safely validate certificates, a client needs access to
   secure long-term storage.  However, many client environments do not
   provide secure long-term storage (e.g., because the machine has been
   compromised).  This makes it impossible to use server certificate
   validation on a large number of client systems.

NOTE: per further discussion to harmonize the proposed text with suggested text from Magnus Nystrom, the text will be changed to:

   Since many client environments do not have access to long-term
   storage, or to long-term storage that is sufficiently secure to
   enable validation of server certificates, the Kerberos V5
   STARTTLS protocol does not require clients to verify server
   certificates.

(Robert Sparks) No Objection