Kerberos Cryptosystem Negotiation Extension
RFC 4537

Approval announcement
Draft of message to be sent after approval:

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: Internet Architecture Board <iab@iab.org>,
    RFC Editor <rfc-editor@rfc-editor.org>, 
    krb-wg mailing list <ietf-krb-wg@lists.anl.gov>, 
    krb-wg chair <krb-wg-chairs@tools.ietf.org>
Subject: Protocol Action: 'Kerberos Cryptosystem Negotiation 
         Extension' to Proposed Standard 

The IESG has approved the following document:

- 'Kerberos Cryptosystem Negotiation Extension'
   <draft-zhu-kerb-enctype-nego-05.txt> as a Proposed Standard

This document is the product of the Kerberos Working Group. 

The IESG contact persons are Sam Hartman and Tim Polk.

A URL of this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-zhu-kerb-enctype-nego-05.txt

Technical Summary
 
   This document specifies an extension to the Kerberos protocol where
   the client can send a list of supported encryption types in
   decreasing preference order, and the server then selects an
   encryption type that is supported by both the client and the
   server.  This extension is useful in cases where the client and
   server support an encryption type that the KDC does not support;
   existing mechanisms handle the case where the KDC supports the
   encryption type.

Working Group Summary
 
   This document represents the consensus of the Kerberos Working Group.

Protocol Quality
 
   At least one implementor has implemented this specification.  This
   document was reviewed for the IESG by Jeffrey Hutzelman and Sam
   Hartman.

Note to RFC Editor

  Please make the following changes:

  In the Abstract:

    OLD:

       This document specifies an extension to the Kerberos protocol where
       the client can send a list of supported encryption types in
       decreasing preference order, and the server then selects an
       encryption type that is supported by both the client and the server.

    NEW:

       This document specifies an extension to the Kerberos protocol as
       defined in RFC4120, in which the client can send a list of supported
       encryption types in decreasing preference order, and the server
       then selects an encryption type that is supported by both the
       client and the server.

  At the beginning of section 1:

    OLD:

      Under the current mechanism [RFC4120], the KDC must limit the ticket
      session key encryption type (enctype) chosen for a given server to
      one it believes is supported by both the client and the server.

    NEW:

      Under the current mechanism [RFC4120], the Kerberos Key Distribution
      Center (KDC) must limit the ticket session key encryption type
      (enctype) chosen for a given server to one it believes is supported
      by both the client and the server.