Authentication Indicator in Kerberos Tickets
draft-ietf-kitten-krb-auth-indicator-07

[Ballot comment]
ASN.1 needs a reference. Also, it would be good to have an example of how the Level of Assurance URIs can be used, as I couldn't figure this out just by looking at already registered values from the referenced IANA registry.

(Via drafts-lastcall-comment@iana.org): IESG/Authors/WG Chairs:

The IANA Services Operator has reviewed draft-ietf-kitten-krb-auth-indicator-04.txt, which is currently in Last Call, and has the following comments:

We understand that this document doesn't require any registry actions.

While it's often helpful for a document's IANA Considerations section to remain in place upon publication even if there are no actions, if the authors strongly prefer to remove it, we do not object.

If this assessment is not accurate, please respond as soon as possible.

Thank you,

Sabrina Tanamal
IANA Services Specialist
PTI

The following Last Call announcement was sent out:

From: The IESG
To: "IETF-Announce"
CC: kitten-chairs@ietf.org, "Benjamin Kaduk" , kitten@ietf.org, kaduk@mit.edu, draft-ietf-kitten-krb-auth-indicator@ietf.org, stephen.farrell@cs.tcd.ie
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (Authentication Indicator in Kerberos Tickets) to Proposed Standard


The IESG has received a request from the Common Authentication Technology
Next Generation WG (kitten) to consider the following document:
- 'Authentication Indicator in Kerberos Tickets'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2017-01-06. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  This document updates RFC 4120 in order to specify an extension in
  the Kerberos protocol.  It defines a new authorization data type AD-
  AUTHENTICATION-INDICATOR.  The purpose of introducing this data type
  is to include an indicator of the strength of a client's
  authentication in service tickets so that application services can
  use it as an input into policy decisions.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-kitten-krb-auth-indicator/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-kitten-krb-auth-indicator/ballot/


No IPR declarations have been submitted directly on this I-D.

1. Summary

Benjamin Kaduk is the document shepherd.  Stephen Farrell is the
responsible Area Director.

This document specifies a new authorization data element for Kerberos.
This element is designed to contain an indication of the nature of
the initial authentication, for subsequent use in policy decisions.

This is a Standards-Track document as befits its intended role as a
standard part of Kerberos implementations, and Updates RFC 4120 in
accordance with that intention for the new data type to be implemented
in tandem with implementations of RFC 4120.


2. Review and Consensus

There is consensus for this document, which provides a mechanism to
carry information about Kerberos initial authentications to applications
so that richer authorization decisions can be made.  The contents of
the authentication indicator are partitioned into URIs to
Level of Assurance Profiles or other (short) strings for site-local
use.

This document is short and simple, and had broad support for adoption
when it was first introduced, even eliciting comments from
WG participants that are usually silent.

There was a minor question of whether the description of what
the semantics conveyey by the authenticaiton indicator are was
sufficiently unambiguous, but the current text does seem to
be sufficient ("indicates that a particular set of requirements
was met during the initial authentication").

This document received sufficient review and has broad interest;
it should have been published much sooner but for inaction
of the shepherd.

3. Intellectual Property

There are no intellectual property disclosures against this document,
and it is so simple that the existence of any related IPR seems minimal.

4. Other Points

This document makes no request of IANA, as the relevant assigned
number has already been assigned, and is managed by the Kerberos
numbers registrar, not IANA.

idnits warns of potential pre-RFC5378 work (due to Updates: 4120
where 4120 is pre-5378), but contains no content from 4120 and
is thus correct as-is.