What follows is a summary of the Kerberos WG meeting during IETF58, covering major decisions made during the meeting and specific work to be done in the next few months. This does not take the place of the full meeting minutes (which are forthcoming), but is intended to help keep the working group membership apprised of what's happened during meetings, and to help ensure that work we've agreed to do actually gets done.

As usual, any decisions made during the meeting are subject to validation on this mailing list. Over the next few days, we will be making calls for comments in order to come to closure on several of these.

-- Jeffrey T. Hutzelman (N3NHS)
   Co-chair, IETF Kerberos Working Group
   Carnegie Mellon University - Pittsburgh, PA

Kerberos Working Group - IETF 58 meeting summary

- Sam Hartman presented a proposal for a generic framework to describe preauthentication mechanisms and how they interact. It was agreed that this was valuable work, and should be adopted as a work item for the working group.

- Brian Tung gave an overview of the status of the PKINIT draft. The current goal is to get the document ready for last call by March. All involved parties have agreed to a specific list of deadlines to make this happen, which will be sent separately to the list.

- Russ told us that kerberos-clarifications is on the IESG telechat agenda for next week; after some discussion, he agreed to move it two weeks later to allow for some final modifications. Cliff will spin a new version in time for IESG review.

- JK gave a presentation on referrals and client name canonicalization. It was previously agreed by the WG that these features would be included in the kerberos-extensions protocol, and that service name canonicalization would not. For now, this will be a separate document, to be merged later.

- Jeff Altman gave a presentation on the internationalization proposal for kerberos-extensions. On the issues of whether to fold full-stop characters together and whether to permit use of Unicode private-use characters, we agreed to defer to the SASL WG, where the issues are the same as for Kerberos, in order to avoid arguing the issue twice.

- GSSAPI-CFX
  Larry Zhu updated us on the status of the GSSAPI-CFX document. The only remaining open issue is whether new-style message tokens should use generic GSSAPI token framing. This has been discussed on the list for several weeks; a poll of the room favored _not_ including generic token framing on new per-message tokens. The chairs will make a call on the mailing list.

- Set/Change Password
  Nico Williams gave an overview of the status of set/change password. One open issue is whether the new document should support UDP; a poll showed support for dropping UDP support. The chairs will report and validate this decision on the mailing list. A second open issue was whether to reuse the same message framing as the previous protocol. No agreement was reached during the meeting; this issue will be brought up on the mailing list.

DECISIONS and ACTION ITEMS:

* Added preauth framework as a WG work item.
* Open string prep issues: full-stop folding, private-use characters. Both deferred to SASL WG.
* bcn: update kerberos-clarifications for Dec 4 IESG telechat
* chairs: verify an issue for kerberos-clarifications related to accidentally making a field required that was optional in RFC1510
* various: PKINIT work (to be sent separately)
* JK: updated referrals/canonicalization document
* chairs: consensus call on generic framing in per-message GSSAPI tokens.
* chairs: validate decision to drop UDP support in set/change pw
* nico: bring up new/old framing issue on list