Anonymity Support for Kerberos
draft-ietf-krb-wg-anon-12

Yes

(Tim Polk)

No Objection

(Dan Romascanu)
(Gonzalo Camarillo)
(Jari Arkko)
(Lars Eggert)
(Robert Sparks)
(Ron Bonica)
(Stewart Bryant)

Note: This ballot was opened for revision 12 and is now closed.

Tim Polk Former IESG member
Yes
Yes () Unknown

Adrian Farrel Former IESG member
No Objection
No Objection (2010-10-05) Unknown
idnits (http://tools.ietf.org/tools/idnits/) notes a few issues with
references that other ADs have noted, and one problem with format. It
would be good to sort these out.

---

I like the acknowledgement...

   Sam Hartman and Nicolas Williams were great champions of this work.

It is so often the case that document authors do not champion their
work :-)
Dan Romascanu Former IESG member
No Objection
No Objection () Unknown

Gonzalo Camarillo Former IESG member
No Objection
No Objection () Unknown

Jari Arkko Former IESG member
No Objection
No Objection () Unknown

Lars Eggert Former IESG member
No Objection
No Objection () Unknown

Peter Saint-Andre Former IESG member
No Objection
No Objection (2010-10-05) Unknown
The Security Considerations note that "Because there are plaintext parts of the tickets that are exposed on the wire, such matching by a third party observer is relatively straightforward." Presumably the use of transport layer security would minimize the attack surface here, so at least an informative reference to draft-josefsson-kerberos5-starttls might be appropriate.
Ralph Droms Former IESG member
No Objection
No Objection (2010-10-05) Unknown
Section 4.2:

   The TGS SHOULD NOT
   populate identity-based authorization data into an anonymous ticket
   in that such authorization data typically reveals the client's
   identity.

MUST?  Or, under what conditions can the TGS violate the SHOULD NOT?

Section 7:

   The padata-value field of the PA-PKINIT-KX type padata contains the
   DER [X680] [X690] encoding of the Abstract Syntax Notation One
   (ASN.1) type PA-PKINIT-KX.

Are [X680] and [X690] citations?  There are no matching references in the References section.
Robert Sparks Former IESG member
No Objection
No Objection () Unknown

Ron Bonica Former IESG member
No Objection
No Objection () Unknown

Russ Housley Former IESG member
No Objection
No Objection (2010-10-06) Unknown
Please consider the comments made by Elwyn Davies in the Gen-ART
Review posted on 10 September 2010. The review can be found here:

    http://www.softarmor.com/rai/temp-gen-art/draft-krb-wg-ananon-12-davies.txt
Sean Turner Former IESG member
No Objection
No Objection (2010-10-06) Unknown
1) Refer to RFC 5652 vice RFC 3852.

2) Sec 4.1.1: This is pretty nit-noid, but the certificates field is OPTIONAL in the ASN so it might be better to say absent as opposed to empty.  The signerInfos field isn't OPTIONAL so empty is correct.  It's up to you whether you should change this.
Stewart Bryant Former IESG member
No Objection
No Objection () Unknown