Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) Freshness Extension
Note: This ballot was opened for revision 07 and is now closed.
(Stephen Farrell) Yes
(Jari Arkko) (was Discuss) No Objection
This was a Discuss, but I changed it to a comment because we don't need both me and Kathleen holding the same issue: "I am concerned about the issue that Russ Housley raised in his Gen-ART review: bad practices in creating the freshness tokens creates a security issue. If this cannot be handled in the way that Russ initially suggested (setting a minimum number of bits) then a proper discussion of the issue and recommendations to avoid the problems need to be included in the security considerations section." Other issues from Russ' Gen-ART review should also be addressed (editorial ones + possible max size).
(Alia Atlas) No Objection
(Deborah Brungard) No Objection
(Ben Campbell) No Objection
(Benoît Claise) No Objection
As mentioned by Scott Bradner in his OPS-DIR review, some words about operational guidance (not implementation guidance) would be welcome: " what kind of message could the operator give to their users to minimize the disruption when errors start popping up " would be welcome. See https://www.ietf.org/mail-archive/web/ops-dir/current/msg02267.html.
(Alissa Cooper) No Objection
(Spencer Dawkins) No Objection
(Joel Jaeggli) No Objection
(Suresh Krishnan) No Objection
(Mirja Kühlewind) No Objection
(Terry Manderson) No Objection
(Alexey Melnikov) No Objection
(Kathleen Moriarty) (was Discuss) No Objection
Thanks for covering my prior discuss with a paragraph provided as an RFC editor note.