
Minutes for KRB-WG at interim-2012-krb-wg-1
minutes-interim-2012-krb-wg-1-1

Meeting Minutes Kerberos (krb-wg) WG
Date and time 2012-02-15 08:00
Title Minutes for KRB-WG at interim-2012-krb-wg-1
State Active
Last updated 2012-03-25

Attending:
  Greg Hudson
  Sam Hartman
  Jeffrey Hutzelman
  Simo Sorce
  Nico Williams
  Stephen Farrell
  Tom Yu
  Nalin Dahyabhai
  Thomas Hardjono
  Zhanna Tsitkova

Sam: this is an IETF meeting, subject to IETF property rules
  Participants should read / be familiar with
  http://www.ietf.org/about/note-well.html

Agenda refresher:
  1. purpose of the PAD and CAMMAC drafts (scoping)
  2. where it will fit(?) & quick review of how authdata works in general
  3. is this 1 draft or 2
  4. how about other types of data in authdata
  5. type number registration procedures
  have received an offline request to discuss CAMMAC before PAD

1. Purpose of the PAD and CAMMAC drafts (scoping)
 - Consensus on call is that the purpose of the PAD draft is to provide
   authorization attributes in support of authorization and account
   provisioning for access to application services on POSIX systems.
 - Consensus on call is that the primary purpose of the CAMMAC draft is
   to replace KDCIssued.

2. Where it will fit(?) & quick review of how authdata works in general
 - Agenda item 2 deemed not necessary.

3. Is this one draft or two?
 - Consensus is in favor of the split of the PAD and CAMMAC drafts.

4. Open issues on the CAMMAC draft:
 - Consensus is that public key signature (pubkey-signature) need not be
   specified at this time.
 - Consensus is that being able to add new types of authentication to
   the structure is worth discussion.
 - Discussion of the session id / AD-ID-ANCHOR will be moved to the
   list.
 - Partial list of concerns (discussion will move to list)
  - KDCIssued uses the session key of the ticket, but the draft uses the
    service's long-term key
  - CAMMAC includes Checksum elements, but doesn't include kvno or
    enctype, which are probably needed.
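The kvno/enctype concern above, as an added illustration that is not part of the draft or the meeting: a constructed keytab with two key versions, an HMAC-SHA256 stand-in for the real enctype-specific Kerberos checksum, and two verifiers, one that can pick the right key because the element carries kvno and one that cannot.

```python
import hmac
import hashlib

# Constructed stand-in for a Kerberos keyed checksum; the real
# enctype-specific checksum functions (RFC 3961/3962) are not modelled.
def keyed_checksum(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

# Constructed service keytab: kvno -> key. Two versions exist because the
# service's long-term key has been rotated once (kvno 3 -> kvno 4).
SERVICE_KEYS = {
    3: b"old-long-term-key-kvno-3",
    4: b"new-long-term-key-kvno-4",
}

def make_element(key: bytes, kvno: int, enctype: int, authdata: bytes) -> dict:
    """Build a CAMMAC-like element: authdata plus a checksum over it,
    tagged with the kvno and enctype the checksum was made with."""
    return {"authdata": authdata, "kvno": kvno, "enctype": enctype,
            "checksum": keyed_checksum(key, authdata)}

def verify_with_kvno(elem: dict, keys: dict) -> bool:
    """Verifier that selects the key by the kvno carried in the element."""
    key = keys.get(elem["kvno"])
    if key is None:
        return False
    return hmac.compare_digest(keyed_checksum(key, elem["authdata"]),
                               elem["checksum"])

def verify_without_kvno(elem: dict, keys: dict) -> bool:
    """Verifier for an element that omits kvno: it can only assume the
    current (highest) key, so elements sealed before a rotation fail."""
    current = keys[max(keys)]
    return hmac.compare_digest(keyed_checksum(current, elem["authdata"]),
                               elem["checksum"])

def demo() -> tuple:
    authdata = b"constructed authorization data"
    # Element sealed with the pre-rotation key; 18 = aes256-cts-hmac-sha1-96.
    elem = make_element(SERVICE_KEYS[3], 3, 18, authdata)
    return (verify_with_kvno(elem, SERVICE_KEYS),
            verify_without_kvno(elem, SERVICE_KEYS))
```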

5. Open issues on the PAD draft:
 - Containing arbitrary SAML attributes in a PAD is out of scope for
   this work, but specifying SAML authz data is in-scope for the WG.
 - Consensus is that the short name field will only be used to specify a
   string which can be combined with other identifiers to make them
   unique if they are not otherwise; the validation discussion will be
   moved to the list.
 - Issue of central home directories and PAD-Posix-Homedir will be taken
   to the list.