[01:54:58] --- Jeffrey Altman has joined
[01:57:49] * Jeffrey Altman has changed the subject to: IETF63 Kerberos WG
[02:01:35] --- raeburn@jis.mit.edu has joined
[02:04:23] --- raeburn@jis.mit.edu has left
[02:07:35] --- Ken Raeburn has joined
[02:32:40] --- Ken Raeburn has left: Disconnected
[02:32:53] --- Jeffrey Altman has left
[02:45:51] --- Jeffrey Altman has joined
[02:48:48] --- Jeffrey Altman has left: Disconnected
[02:52:38] --- Ken Raeburn has joined
[03:20:39] --- lha has joined
[04:42:57] --- shima has joined
[05:05:17] --- Ken Raeburn has left: Disconnected
[05:05:46] --- lha has left: Logged out
[05:23:54] --- shima has left
[06:22:27] --- Ken Raeburn has joined
[06:26:28] --- Ken Raeburn has left: Disconnected
[06:28:40] --- sommerfeld has joined
[06:31:51] --- Ken Raeburn has joined
[06:36:25] --- tlyu has joined
[06:38:23] --- jhutz has joined
[06:39:36] --- hartmans has joined
[06:40:17] <Ken Raeburn> RFC 4120, 4121 published. Woo hoo!
[06:40:51] <Ken Raeburn> PKINIT draft 27. Getting close. Really. OCSP-for-PKINIT. Extensions, 3 drafts. Set/chg passwd.
[06:41:13] --- leifj has joined
[06:41:17] <leifj> the sound sucks
[06:41:25] --- ludomp has joined
[06:41:49] <Ken Raeburn> Technical discussion...
[06:42:08] <leifj> is there something obviously wrong with the mics?
[06:42:19] <hartmans> Sound over the web or in the room?
[06:42:34] <leifj> web
[06:42:35] <Ken Raeburn> No, Jeff was pretty clear in the room, via mic...
[06:43:31] <Ken Raeburn> PKINIT Open Issues. Ticket 837, KDC certificates.
[06:44:13] <Ken Raeburn> Ah, Larry and Love and Nico arrive.
[06:45:53] --- sts has joined
[06:47:26] <leifj> thx for trying anyway... (I just barely hear jeff saying something about that)
[06:47:53] --- lha has joined
[06:48:30] <Ken Raeburn> Two questions to be answered.
[06:48:54] <Ken Raeburn> 1) Is cert appropriate for use by pkinit kdc? 2) Does the cert refer to the kdc for the realm we're talking to?
[06:49:17] <Ken Raeburn> Do people agree that those are the right way to break it down?
[06:49:29] <Ken Raeburn> (humm)
[06:50:32] <Ken Raeburn> For each q, need to figure out how to make determination, and what should be required to implement.
[06:51:09] --- Jeffrey Altman has joined
[06:52:09] <Ken Raeburn> Discussion of what "required to implement" means in context.
[06:52:49] <Ken Raeburn> Jeff listed 3 ways in email to do q1, which I'm not typing fast enough to keep up with.
[06:53:08] <Ken Raeburn> 5 possible tests for q2.
[06:54:15] <Ken Raeburn> Neither list is necessarily exhaustive.
[06:56:47] --- warlord has joined
[06:56:48] <Ken Raeburn> (someone else take notes for a bit?)
[06:56:50] <hartmans> BTW, if the sound is wrong you might send mail to ietf-63@ietf.org
[06:57:11] <leifj> thx
[06:59:59] --- shima has joined
[07:02:39] --- nico has joined
[07:08:48] <leifj> probably true that client certificates in general are signed by special purpose ca
[07:09:42] <nico> really?
[07:11:43] <leifj> I would guess that if you have CA issuing certs for users/clients you want to use that for pkinit rather than create a separate one
[07:11:48] <leifj> but I could be wrong.
[07:16:27] <nico> I think the question, for user certs, is pretty much immaterial
[07:16:52] <sommerfeld> for vpn purposes i've been tempted to try out a separate CA for vpn access points vs. for vpn clients
[07:17:16] <nico> yes
[07:17:54] <nico> but the point is that whether that is or isn't the case doesn't seem likely to impact PKINIT deployability
[07:18:08] <leifj> it all depends on how 'big' your CA is but I agree that since you have to issue new certs anyway it may be a non-issue
[07:18:30] <nico> I can imagine the clients and KDCs using certs issued by general purpose CAs
[07:18:38] <nico> different or otherwise
[07:19:07] <leifj> I think the issues are *really* different for the kdc and client case
[07:19:10] <nico> it could happen if it really becomes too difficult to solve the hash negotiation issues for TLS :)
[07:19:28] <nico> leif: yes, for clients it doesn't matter much
[07:20:07] <nico> worst case scenario we add an anonymous principal name and should the cert DN and/or subjectAltName and other extensions into AD-KDCIssued
[07:20:16] <nico> :) :) :)
[07:20:31] <leifj> yes - the world is divided into three cases: private client CA, private non-client CA and well-known CA - depending on how difficult it is to distribute anchors
[07:20:50] <leifj> but I should shut up now since I barely hear what you guys are saying anyways :-)
[07:21:31] <nico> :/
[07:21:43] --- fanf has joined
[07:22:24] <leifj> does anyone have the uri to the issue-tracker?
[07:22:43] <nico> not i
[07:26:52] <tlyu> i think the issue-tracker is rt.psg.com
[07:27:33] --- paulmdx has joined
[07:29:42] <leifj> thx
[07:32:50] --- Ken Raeburn has left: Replaced by new connection
[07:32:50] --- Ken Raeburn has joined
[07:43:29] --- fanf has left
[07:45:07] --- alexeymelnikov has joined
[07:46:05] --- paulmdx has left
[07:51:00] --- alexeymelnikov has left
[07:58:30] --- paulmdx has joined
[08:13:17] --- sts has left
[08:24:40] --- paulmdx has left
[08:27:37] --- nico has left
[08:27:43] --- nico has joined
[08:34:52] --- hartmans has left
[08:39:17] --- lha has left
[08:40:14] --- nico has left
[08:40:17] --- warlord has left
[08:41:43] --- Ken Raeburn has left: Disconnected
[08:41:56] --- ludomp has left
[08:42:51] --- Jeffrey Altman has left
[08:44:08] --- jhutz has left: Disconnected
[08:45:55] --- leifj has left
[08:48:36] --- tlyu has left: Disconnected
[09:02:55] --- shima has left
[09:02:55] --- shima has joined
[09:06:43] --- Ken Raeburn has joined
[09:24:13] --- sts has joined
[09:27:23] --- sts has left
[09:29:31] --- Ken Raeburn has left
[09:32:25] --- shima has left
[09:45:33] --- Jeffrey Altman has joined
[09:56:00] --- Jeffrey Altman has left