Online Certificate Status Protocol (OCSP) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)
RFC 4557

Approval announcement
Draft of message to be sent after approval:

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: Internet Architecture Board <iab@iab.org>,
    RFC Editor <rfc-editor@rfc-editor.org>, 
    krb-wg mailing list <ietf-krb-wg@lists.anl.gov>, 
    krb-wg chair <krb-wg-chairs@tools.ietf.org>
Subject: Protocol Action: 'Public Key Cryptography for Initial 
         Authentication in Kerberos' to Proposed Standard 

The IESG has approved the following documents:

- 'Public Key Cryptography for Initial Authentication in Kerberos '
   <draft-ietf-cat-kerberos-pk-init-35.txt> as a Proposed Standard
- 'OCSP Support for PKINIT '
   <draft-ietf-krb-wg-ocsp-for-pkinit-07.txt> as a Proposed Standard

These documents are products of the Kerberos Working Group. 

The IESG contact persons are Sam Hartman and Tim Polk.

A URL of this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-cat-kerberos-pk-init-35.txt

Technical Summary
 
   This document describes protocol extensions (hereafter called PKINIT)
   to the Kerberos protocol specification.  These extensions provide a
   method for integrating public key cryptography into the initial
   authentication exchange, by using asymmetric-key signature and/or
   encryption algorithms in pre-authentication data fields.  A
companion document describes the use of OCSP with this protocol. 

 
Working Group Summary
 
   This document is the result of work begun nearly 10 years ago in
   the CAT working group.  In that time the two working groups have
   focused much of their energy on this work, resulting in quite a lot
   of discussion, some heated debate, and a few compromises.  Due to
   timing constraints, one significant stakeholder was forced to adopt
   and deploy an early version of this specification, rather than
   waiting for the final product.  While we regret being unable to
   meet their timeline, much of the intervening time was well-spent,
   and we think the protocol is significantly improved as a result.

   This document represents the consensus of the Kerberos Working
Group.

 
Protocol Quality
 
   Several major Kerberos implementors have indicated an intent to
   implement this protocol; some have done so already.  While the
   current version has not yet been widely deployed, significant
   experience has been gained by wide deployment of earlier versions
   of this protocol.  This protocol was reviewed by Jeffrey Hutzelman
and Sam Hartman.


Note to RFC Editor
  Please make the following changes in draft-ietf-cat-kerberos-pk-init:

  In section 1:

    OLD: The corner-stone of Kerberos V5 is the Ticket and the Authenticator.
    NEW: The corner-stones of Kerberos V5 are the Ticket and the Authenticator.

  In section 3.1.3:

    OLD:

      All structures defined in or imported into this document MUST be
      encoded using Distinguished Encoding Rules (DER) [X680] [X690]
      (unless otherwise noted).  All data structures carried in OCTET
      STRINGs must be encoded according to the rules specified in
      corresponding specifications.

    NEW:

      All structures defined in or imported into this document MUST be
      encoded using Distinguished Encoding Rules (DER) [X680] [X690]
      (unless otherwise noted).  All data structures carried in OCTET
      STRINGs MUST be encoded according to the rules specified in the
      specifications defining each data structure; a reference to the
      appropriate specification is provided for each data structure.

  In section 4:

    OLD: In addition, if any CA is trusted to issue KDC certificates can
    NEW: In addition, if any CA that is trusted to issue KDC certificates can

  Add at the end of section 4:

    NEW:

      The key usage number 6 used by the asChecksum field is also used
      for the authenticator checksum (cksum field of AP-REQ) contained
      in the PA-TGS-REQ preauthentication data contained in a TGS-REQ
      [RFC4120].  This conflict is present for historical reasons; the
      reuse of key usage numbers is strongly discouraged.