[08:58:36] <hartmans> We're getting started; seem to be needing a scribe
[08:59:50] <warlord> agenda bashing...
[09:00:07] <warlord> (jhutz describes agenda)
[09:01:27] <warlord> anyone from Microsoft?
[09:01:44] <warlord> charlie responds "yes, but I have no clue about anything going on"
[09:02:04] <warlord> talk about krb-extensions, gssapi-cfx, and set/change password
[09:03:42] <warlord> talk about the milestones.
[09:04:18] <warlord> clarifications, kcrypto, aes is done
[09:04:55] <hartmans> Not quite done; crypto is probably done, clarifications needs authors to respond to comments
[09:05:26] <warlord> Well, the milestone of submitting to IESG is done
[09:06:51] <warlord> extension draft by Thanksgiving..
[09:07:01] <warlord> work on PKINIT.. Submit by January. Last call/submit in March.
[09:07:15] <warlord> set/change pw in April. Is that realistic?
[09:07:19] <warlord> "yes"
[09:10:18] <warlord> PKCROSS?
[09:10:21] <warlord> No estimate..
[09:10:26] <warlord> "after the summer"?
[09:12:24] <warlord> Next item -- "SAM"
[09:12:43] <warlord> "Pre-Auth Framework"
[09:13:39] <warlord> no way to describe how multiple pre-auth mechs interact
[09:14:25] <warlord> re-invent "encrypted timestamp"
[09:14:42] <warlord> if we're going to reinvent, at least reinvent something good.
[09:16:14] <warlord> offered to take over extra TGT...
[09:16:22] <warlord> it embeds encrypted timestamp!
[09:18:09] <warlord> User in collusion with spoofed KDC can generate a real-looking KDC response.
[09:21:01] <warlord> attempt to create a framework for reusable components
[09:21:28] <warlord> let's not use encrypted ts everywhere
[09:23:07] <warlord> make the framework (fw) implementable
[09:26:20] <warlord> pre-auth phases..
[09:27:39] <warlord> What are the pre-auth facilities?
[09:27:43] <warlord> 1) client-authentication
[09:27:53] <warlord> 2) key replacement/strengthening
[09:27:59] <warlord> 3) verification of responses
[09:33:09] <warlord> People in the audience seem to like this.
[09:33:36] <warlord> Is state kept by the KDC?
[09:36:11] <warlord> show of hands..
[09:36:22] <warlord> unanimous support
[09:37:16] <warlord> Now, Brian will talk about PKINIT
[09:41:54] <warlord> two more drafts...
[09:42:41] <warlord> met with cablelabs people yesterday..
[09:43:06] <hartmans> Lots of due items between now and January.
[09:43:40] <warlord> Is anyone in this chatroom NOT sitting in the meeting room?
[09:44:26] <warlord> sam speaking..
[09:44:40] <warlord> get some minor changes to PKINIT to:
[09:44:44] <warlord> 1) be our anon-DH mech
[09:44:47] <warlord> 2) sign KDC replies
[09:44:59] <warlord> anon-dh wants an extra round-trip
[09:48:07] <warlord> love...
[09:48:32] <warlord> after integrating pkinit for heimdal -- I dislike how the spec pulls in cms and x.509 into the draft
[09:48:49] <warlord> including it requires impl asn.1 construct any
[09:48:54] <warlord> or 509 parser completely
[09:49:08] <warlord> or convert x05 object from internal to parser
[09:49:12] <warlord> might not be the same
[09:49:31] <warlord> would like the 509 to be encapsulated.. in a "string" instead.
[09:49:43] <warlord> sam : in principle I agree..
[09:49:50] <warlord> make it harder for people
[09:49:55] <warlord> may be too big a change.
[09:50:03] <warlord> cablelabs will probably object
[09:50:11] <warlord> can we afford that big a compatibility break
[09:50:21] <warlord> "we're changing the preauth anyway"
[09:50:26] <warlord> but that's a minor change.
[09:50:50] <warlord> jhutz: they already know they are having a deployment problem.
[09:51:08] <warlord> in boulder it was made very clear they would be very unhappy with changes that would require a major implementation change.
[09:51:25] <warlord> "not make changes that we not necessary"
[09:51:47] <warlord> jhutz: you might want to bring it up on the mailing list. the chief objector isn't here.
[09:52:16] <warlord> yes, it would be wire-protocol change
[09:52:25] <warlord> sam: they consider major changes to include..
[09:52:33] <warlord> they were uncomfortable with an OID change.
[09:53:17] <warlord> Next... Extensions.
[09:54:06] <warlord> clarifications: in IESG consideration.
[09:54:11] <warlord> minor changes need to be made.
[09:56:21] <warlord> we believe all the changes are editorial
[09:56:34] <warlord> clarifications is on the iesg agenda for 1 week from thursday
[09:58:55] <warlord> extension status
[09:59:12] <warlord> list-of-issues identified at the interim meeting...
[10:01:48] <warlord> JK.. name referrals and canonicalization
[10:03:05] <warlord> schedule: refresh draft and publish in december.
[10:03:23] <hartmans> New referrals draft published by someone in Microsoft in December
[10:04:25] <warlord> KDC issues referrals. Client chases them.
[10:04:41] <warlord> AS referral: client uses KRB_NT_ENTERPRISE
[10:06:59] <warlord> TGS Referral -- returns a TGS-REP
[10:07:57] <warlord> Does canonicalization need to be tied to referrals?
[10:08:47] <warlord> how do we move forward?
[10:08:58] <warlord> sam: that's what we decided at the first interim meeting..
[10:09:03] <warlord> that decision was based on convenience.
[10:10:01] <warlord> nico: are we talking about 1510 or extensions
[10:10:04] <warlord> extensions
[10:11:27] <warlord> move forward? yes.
[10:11:33] <warlord> roll into the main document? some
[10:11:47] <warlord> separate doc? similarly small, somewhat larger # of hands
[10:13:24] <warlord> allocation of flags from a limited namespace?
[10:14:13] <warlord> sam: let us see the draft and decide later.
[10:14:29] <warlord> re-raise the question on the ml
[10:15:23] <warlord> should canon/refer be separated into two drafts?
[10:15:49] <warlord> is this server name canonicalization?
[10:15:51] <warlord> no..
[10:17:02] <warlord> raeburn: case is "what happens with one org having an alias for a machine in another"?
[10:17:17] <warlord> and use that name in auth
[10:17:25] <warlord> gnucftp.example.com -> ftp.gnu.org
[10:17:50] <warlord> must be able to tell the client: not only does it need to tell the client to go to gnu.org, but also ask for a different client name.
[10:19:48] <warlord> sam: we had closure on this -- why are we reopening it?
[10:25:58] <warlord> sam: if a client implements referrals/canonicalization, it needs to implement ALL of it.
[10:26:54] <warlord> separate it out. AS vs. TGS
[10:27:02] <warlord> same or separate docs?
[10:27:21] <warlord> clearly people want it together.
[10:27:49] <warlord> talk about canon only as it talks about referrals?
[10:29:37] <raeburn> (sigh) I think we should just figure out the "gnuftp" solution, and *then* see how things can be broken down...
[10:31:08] <warlord> looks like just one document...
[10:32:33] <warlord> jaltman: we're going to get rid of all forms of ASCII
[10:32:55] <warlord> (actually, he's going to talk about internationalization)
[10:33:33] <warlord> - use unicode
[10:33:44] <warlord> - single stringprep rules
[10:33:57] <warlord> - do not restrict kerberos strings to a subset of IDNA
[10:34:10] <warlord> but support IDN components and IDN-based realms
[10:34:17] <warlord> s/but/must
[10:36:14] <warlord> extensions: kerberosstring -> choice of generalstring or utfstring
[10:38:41] <hartmans> Oh, I just thought of something horrible: internationalization implications of old ticket with new ticket encpart
[10:38:54] <hartmans> (This happens with an old client and new server)
[10:40:42] <warlord> let stringprep happen in SASL WG
[10:40:57] <warlord> doesn't specify how or where they are applied.
[10:41:06] <lha> hmmm, how does i18n interop with u2u?
[10:41:14] <warlord> storage/query/display
[10:41:42] <warlord> lha: are you in minn? If not, I can relay your question.
[10:42:06] <hartmans> lha: Tom has an action item to deal with u2u
[10:42:15] <hartmans> The short answer is that we're not sure it works yet
[10:43:07] <lha> ok, thanks, I will bring it up
[10:43:37] <hartmans> OK, but none of the document authors or jaltman can say anything intelligent about it.
[10:45:02] <lha> ms uses u2u (gss), so I guess they should care a little bit
[10:45:23] <hartmans> We care too; we just have been too busy to work through u2u and see if we're screwed.
[10:45:39] <hartmans> no one on the Microsoft Kerberos team is yet up to speed on i18n
[10:46:15] <hartmans> (They were at the meeting Monday, and brought an i18n person not on Kerberos)
[10:46:33] <warlord> IDNA v. Kerberos
[10:49:45] <warlord> hostbased service principals
[10:54:06] <tlyu> i thought we had consensus to not address the just-send-8 problem...
[10:54:38] <hartmans> We need to make sure it is possible to implement just send 8 + extensions in the same product
[10:54:47] <hartmans> Telling people how to do so is out of scope.
[11:03:19] <hartmans> Discussing whether we should defer to saslprep
[11:04:04] <warlord> many vs. one for whether to defer to SASL
[11:06:31] <warlord> kurt should keep us apprised of updates to the doc in SASL
[11:08:29] <warlord> now, Larry Zhu on GSSAPI-CFX
[11:17:11] <warlord> poll about generic token framing format
[11:19:11] <warlord> now Nico..
[11:19:43] <warlord> (it seems kind of silly to be scribing in here when everyone in the chatroom is in the phys-room)
[11:20:24] <raeburn> might help augment the notes/minutes, a little...
[11:20:43] <warlord> True.
[11:20:49] <warlord> Nico talking about Set/Change pw
[11:24:14] <raeburn> kdc-info "gang" is planning to meet after krb-wg, as of latest email i've seen
[11:25:51] <warlord> udp or tcp?
[11:26:41] <warlord> consensus seems to be to drop UDP
[11:26:51] <warlord> Still use 464?
[11:31:31] <warlord> russ: make sure there is a version number in the framing so you don't need to make this change again
