Using Kerberos Version 5 over the Transport Layer Security (TLS) Protocol
draft-josefsson-kerberos5-starttls-09

Yes

(Tim Polk)

No Objection

(Adrian Farrel)
(Cullen Jennings)
(Jari Arkko)
(Lars Eggert)
(Ralph Droms)
(Robert Sparks)
(Ron Bonica)
(Ross Callon)
(Russ Housley)

Note: This ballot was opened for revision 09 and is now closed.

Tim Polk Former IESG member
Yes
Yes () Unknown

Adrian Farrel Former IESG member
No Objection
No Objection () Unknown

Alexey Melnikov Former IESG member
(was Discuss) No Objection
No Objection (2010-02-03) Unknown
To answer my previous comment: the id-krb5starttls-san OID is already allocated, so nothing needs to be done by IANA.
Cullen Jennings Former IESG member
No Objection
No Objection () Unknown

Jari Arkko Former IESG member
(was Discuss) No Objection
No Objection () Unknown

Lars Eggert Former IESG member
No Objection
No Objection () Unknown

Peter Saint-Andre Former IESG member
(was Discuss) No Objection
No Objection (2010-08-16) Unknown
Per discussion with the author on the krb-wg list, the responsible AD shall add an RFC Editor note changing this existing text:

   Many client environments do not have secure long-term storage, which
   is required to validate certificates.  This makes it impossible to
   use server certificate validation on a large number of client
   systems.

to this agreed-upon modification:

   In order to safely validate certificates, a client needs access to
   secure long-term storage.  However, many client environments do not
   provide secure long-term storage (e.g., because the machine has been
   compromised).  This makes it impossible to use server certificate
   validation on a large number of client systems.

NOTE: per further discussion to harmonize the proposed text with suggested text from Magnus Nystrom, the text will be changed to:

   Since many client environments do not have access to long-term
   storage, or to long-term storage that is sufficiently secure to
   enable validation of server certificates, the Kerberos V5
   STARTTLS protocol does not require clients to verify server
   certificates.
Ralph Droms Former IESG member
(was Discuss, No Objection) No Objection
No Objection () Unknown

Robert Sparks Former IESG member
No Objection
No Objection () Unknown

Ron Bonica Former IESG member
No Objection
No Objection () Unknown

Ross Callon Former IESG member
No Objection
No Objection () Unknown

Russ Housley Former IESG member
No Objection
No Objection () Unknown