Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) Freshness Extension
Note: This ballot was opened for revision 07 and is now closed.
(Stephen Farrell) Yes
(Jari Arkko) (was Discuss) No Objection
This was a Discuss, but I changed it to a comment because we don't need both me and Kathleen holding the same issue: "I am concerned about the issue that Russ Housley raised in his Gen-ART review: bad practices in creating the freshness tokens create a security issue. If this cannot be handled in the way that Russ initially suggested (setting a minimum number of bits) then a proper discussion of the issue and recommendations to avoid the problems need to be included in the security considerations section." Other issues from Russ' Gen-ART review should also be addressed (editorial ones + possible max size).
(Alia Atlas) No Objection
Deborah Brungard No Objection
(Ben Campbell) No Objection
(Benoît Claise) No Objection
As mentioned by Scott Bradner in his OPS-DIR review, some words about operational guidance (not implementation guidance) would be welcome: "what kind of message could the operator give to their users to minimize the disruption when errors start popping up". See https://www.ietf.org/mail-archive/web/ops-dir/current/msg02267.html.
Alissa Cooper No Objection
(Spencer Dawkins) No Objection
(Joel Jaeggli) No Objection
Suresh Krishnan No Objection
Mirja Kühlewind No Objection
(Terry Manderson) No Objection
Alexey Melnikov No Objection
(Kathleen Moriarty) (was Discuss) No Objection
Thanks for covering my prior discuss with a paragraph provided as an RFC editor note.