kx509 Kerberized Certificate Issuance Protocol in Use in 2012

Approval announcement
Draft of message to be sent after approval:


From: The IESG <>
To: "Nevil Brownlee" <>
Cc: The IESG <>, <>, <>
Subject: Results of IETF-conflict review for <draft-hotz-kx509-05.txt>

The IESG has completed a review of <draft-hotz-kx509> consistent with
RFC5742.  This review is applied to all non-IETF streams.

The IESG has no problem with the publication of 'KX509 Kerberized
Certificate Issuance Protocol in Use in 2012' <draft-hotz-kx509-05.txt>
as an Informational RFC.

The IESG would also like the RFC-Editor to review the comments in
the datatracker (
related to this document and determine whether or not they merit
incorporation into the document. Comments may exist in both the ballot
and the history log.

A URL of this Internet Draft is:

The process for such documents is described at

Thank you,

The IESG Secretary

Ballot Text

Technical Summary

   This document describes a protocol, called kx509, for using Kerberos
   tickets to acquire X.509 certificates.  These certificates may be
   used for many of the same purposes as X.509 certificates acquired by
   other means, but if a Kerberos infrastructure already exists then the
   overhead of using kx509 may be much less.

   While not (previously) standardized, this protocol is already in use
   at several large organizations, and certificates issued with this
   protocol are recognized by the International Grid Trust Federation.

Working Group Summary

  This document is an independent submission undergoing 
  RFC 5742 review.

Document Quality

  Stephen Farrell reviewed the document according to RFC 5472 
  and recommends responding that the IESG has no problem
  with the publication of draft-hotz-kx509 as an informational

  Stephen Farrell (  is the AD managing 
  the 5472 review.
  Russ Albery ( is the document shepherd.

RFC Editor Note

The IESG has concluded that this work is related to IETF work
done in the kerberos and pkix working groups but this
relationship does not prevent publishing.


The following comments are offered as comments that the
ISE and authors might want to take into account.

- 2.1: I'm not clear if the RSA public key is input to the hash
as a DER encoded RSAPublicKey or a DER encoded
(self-signed?) Certificate structure. Appendix C probably
does make that clear, but I didn't try to parse the DER to
check for sure.