Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) Freshness Extension
RFC 8070

Note: This ballot was opened for revision 07 and is now closed.

(Stephen Farrell) Yes

(Jari Arkko) (was Discuss) No Objection

Comment (2016-12-01)
This was a Discuss, but I changed it to a comment because we don't need both me and Kathleen holding the same issue: "I am concerned about the issue that Russ Housley raised in his Gen-ART review: bad practices in creating the freshness tokens create a security issue. If this cannot be handled in the way that Russ initially suggested (setting a minimum number of bits) then a proper discussion of the issue and recommendations to avoid the problems need to be included in the security considerations section."

Other issues from Russ' Gen-ART review should also be addressed (editorial ones + possible max size).

(Alia Atlas) No Objection

Deborah Brungard No Objection

(Ben Campbell) No Objection

(Benoît Claise) No Objection

Comment (2016-12-01)
As mentioned by Scott Bradner in his OPS-DIR review, some words about operational guidance (not implementation guidance) would be welcome: "what kind of message could the operator give to their users to minimize the disruption when errors start popping up" would be welcome.
See https://www.ietf.org/mail-archive/web/ops-dir/current/msg02267.html.

Alissa Cooper No Objection

(Spencer Dawkins) No Objection

(Joel Jaeggli) No Objection

Suresh Krishnan No Objection

Mirja Kühlewind No Objection

(Terry Manderson) No Objection

Alexey Melnikov No Objection

(Kathleen Moriarty) (was Discuss) No Objection

Comment (2016-12-20)
Thanks for covering my prior discuss with a paragraph provided as an RFC editor note.

Alvaro Retana No Objection