Benjamin Kaduk is the document shepherd. Stephen Farrell is the
responsible Area Director.
This document specifies a new authorization data element for Kerberos.
This element is designed to contain an indication of the nature of
the initial authentication, for subsequent use in policy decisions.
This is a Standards-Track document as befits its intended role as a
standard part of Kerberos implementations, and Updates RFC 4120 in
accordance with that intention for the new data type to be implemented
in tandem with implementations of RFC 4120.
2. Review and Consensus
There is consensus for this document, which provides a mechanism to
carry information about Kerberos initial authentications to applications
so that richer authorization decisions can be made. The contents of
the authentication indicator are partitioned into URIs to
Level of Assurance Profiles or other (short) strings for site-local
This document is short and simple, and had broad support for adoption
when it was first introduced, even eliciting comments from
WG participants that are usually silent.
There was a minor question of whether the description of the
semantics conveyed by the authentication indicator was
sufficiently unambiguous, but the current text does seem to
be sufficient ("indicates that a particular set of requirements
was met during the initial authentication").
This document received sufficient review and has broad interest;
it should have been published much sooner but for inaction
of the shepherd.
3. Intellectual Property
There are no intellectual property disclosures against this document,
and it is so simple that the existence of any related IPR seems minimal.
4. Other Points
This document makes no request of IANA, as the relevant assigned
number has already been assigned, and is managed by the Kerberos
numbers registrar, not IANA.
idnits warns of potential pre-RFC5378 work (due to Updates: 4120
where 4120 is pre-5378), but this document contains no content from
4120 and is thus correct as-is.