Using Kerberos Version 5 over the Transport Layer Security (TLS) Protocol
draft-josefsson-kerberos5-starttls-09
Yes
(Tim Polk)
No Objection
(Adrian Farrel)
(Cullen Jennings)
(Jari Arkko)
(Lars Eggert)
(Ralph Droms)
(Robert Sparks)
(Ron Bonica)
(Ross Callon)
(Russ Housley)
Note: This ballot was opened for revision 09 and is now closed.
Tim Polk Former IESG member
Yes
Adrian Farrel Former IESG member
No Objection
Alexey Melnikov Former IESG member
(was Discuss)
No Objection
(2010-02-03)
To answer my previous comment: the id-krb5starttls-san OID is already allocated, so nothing needs to be done by IANA.
Cullen Jennings Former IESG member
No Objection
Jari Arkko Former IESG member
(was Discuss)
No Objection
Lars Eggert Former IESG member
No Objection
Peter Saint-Andre Former IESG member
(was Discuss)
No Objection
(2010-08-16)
Per discussion with the author on the krb-wg list, the responsible AD shall add an RFC Editor note changing this existing text:

   Many client environments do not have secure long-term storage, which is required to validate certificates. This makes it impossible to use server certificate validation on a large number of client systems.

to this agreed-upon modification:

   In order to safely validate certificates, a client needs access to secure long-term storage. However, many client environments do not provide secure long-term storage (e.g., because the machine has been compromised). This makes it impossible to use server certificate validation on a large number of client systems.

NOTE: per further discussion to harmonize the proposed text with suggested text from Magnus Nystrom, the text will be changed to:

   Since many client environments do not have access to long-term storage, or to long-term storage that is sufficiently secure to enable validation of server certificates, the Kerberos V5 STARTTLS protocol does not require clients to verify server certificates.
Ralph Droms Former IESG member
(was Discuss, No Objection)
No Objection
Robert Sparks Former IESG member
No Objection
Ron Bonica Former IESG member
No Objection
Ross Callon Former IESG member
No Objection
Russ Housley Former IESG member
No Objection