Technical Summary
This document specifies a Kerberos Authorization Data
container that supersedes AD-KDC-ISSUED. It allows for multiple
Message Authentication Codes (MACs) or signatures to authenticate the
contained Authorization Data elements. This document updates RFC
4120.
Working Group Summary
The review process for this document was quite spread out in time, with
action occurring in occasional bursts. Almost all of the Kerberos
experts who regularly participate in the WG have contributed to
reviewing this document at some point in its history, but not
necessarily all at the same time. There was a lot of discussion around
the time of the initial few revisions, but then a lull in activity.
Eventually it got a lot of review comments, which resulted in some
(substantive, but relatively minor) changes to the specification.
Because essentially no comments were received during the WGLC period
for the -08, it was unclear what level of review those changes had
received, so we solicited further comments at that time and got thorough
reviews from two Kerberos experts, which the shepherd believes is sufficient.
These post-WGLC reviews were largely editorial, but there were four
issues of substance that were raised, two of which received heavy
There was a second last call for this document: an error was discovered
while it was in the RFC Editor queue, so it was taken back to the WG
and is now ready to jump through all the hoops again.
Document Quality
There are not currently any implementations, but Red Hat and MIT plan
to collaborate to produce an implementation. MIT has a partial
implementation of an en/decoder for the ASN.1 types. (Not sure if
that's still correct, but I guess it can't have gotten worse:-)
Personnel
The document shepherd is Benjamin Kaduk.
The irresponsible Area Director is Stephen Farrell.