Chair | Jeffrey Hutzelman
---|---
Scribes | Nicolas Williams, Shawn Emery
Introduction
Blue sheets were passed, the agenda was bashed, and generally a good time was had by all. Nicolas Williams agreed to scribe for the first session, and Shawn Emery for the second.
Remote Participation
Various people listened to the audio stream and/or participated via the Jabber chat room, which was displayed on a second screen to one side. Thanks to the IETF Secretariat and especially to Marcia Beaulieu and Amy Vezza for helping to make this continuing experiment possible.
New Chair
It was announced that sometime in the next few months, Larry Zhu will be appointed as a co-chair. The present chair welcomed Larry and looks forward to working with him as a valued member of the team.
PKINIT ECC (draft-zhu-pkinit-ecc-03.txt)
This document has completed WG last call and is ready to go to the IESG. It has been targeted at standards track for most of its life, but it has a normative reference to RFC 3278, which is an informational document specifying how to use ECC with CMS.
The referenced document is informational because of IPR issues with ECC, and the working group needs to decide whether we want to publish ECC-for-PKINIT as informational, or attempt to place it on the standards track despite the IPR issues and normative downreference.
TCP Extensions (draft-ietf-krb-wg-tcp-expansion-01.txt)
This is now in IETF last call, which expires at the end of March.
Set/Change PW (draft-ietf-krb-wg-kerberos-set-passwd-06.txt)
This has completed WG last call, and is awaiting a PROTO writeup before it can be sent to the IESG. The version currently in the internet-drafts repository is corrupted; Nico will send a new one.
Naming (draft-ietf-krb-wg-naming-03.txt)
This is now in WG last call, which ends April 6, 2007.
Anonymous (draft-ietf-krb-wg-anon-03.txt)
This is nearly ready; WGLC will start sometime this month. Nico Williams, Shawn Emery, and Ken Raeburn agreed to review.
GSS Hash Agility (draft-ietf-krb-wg-gss-cb-hash-agility-01.txt)
Larry had raised an issue on the mailing list, which is that there is no way to tell whether the acceptor understood the new extension. Nico's response is that this is OK, because as it stands today, there is already no way for the initiator to determine whether the channel bindings were verified.
Larry proposed that context token extensions carry an indication of criticality. Others objected, pointing out that there is no way to ensure that a critical extension would be rejected by an acceptor that does not support extensions at all. Martin Rex commented that critical flags had been heavily abused in other protocols, and that they are contrary to the philosophy of the GSS-API. The chair cut off discussion, noting that while defining the format of extensions was necessary, adding additional features to RFC 4121 is not in scope for this document.
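To make the two objections above concrete, the following Python model is an added example written for these minutes; it is not code from the draft, from RFC 4121, or from any implementation. It builds the RFC 4121 authenticator checksum (Lgth || Bnd || Flags || Exts, delegation fields omitted) with the Bnd field computed as RFC 1964 section 4.1.1.2 prescribes (MD5 over the little-endian serialized channel bindings), appends an extension carrying a SHA-256 hash of the same bindings, and runs the result through two acceptors. The extension type value, the type/length/value layout and the big-endian encoding of the extension header are assumptions made for this example only, since the extension format was still undefined at the time; the addresses and application data are constructed sample input. The legacy acceptor returns "accept" whether or not the extension is present and, if it skips the Bnd check, even for mismatched bindings, which is the property Nico and Larry were discussing: the initiator receives the same answer in every case.

```python
"""Model of RFC 1964/4121 channel-binding checksums with an assumed extension."""
import hashlib
import struct

# RFC 4121 section 4.1.1.1 flag bits carried in the checksum Flags field.
GSS_C_MUTUAL_FLAG = 2
GSS_C_INTEG_FLAG = 32

# Hypothetical extension type chosen for this example only; the real
# extension format was not yet defined when these minutes were taken.
EXT_TYPE_CB_SHA256_HYPOTHETICAL = 0x7FFFFFFF


def serialize_channel_bindings(init_addrtype, init_addr, acc_addrtype, acc_addr, app_data):
    """Serialize GSS channel bindings as RFC 1964 section 4.1.1.2 prescribes:
    each address type and each length is 4 octets, little-endian."""
    def buf(b):
        return struct.pack("<I", len(b)) + b
    return (struct.pack("<I", init_addrtype) + buf(init_addr)
            + struct.pack("<I", acc_addrtype) + buf(acc_addr)
            + buf(app_data))


def rfc1964_bnd(serialized_cb):
    """Legacy Bnd field: MD5 over the serialized channel bindings."""
    return hashlib.md5(serialized_cb).digest()


def build_checksum(serialized_cb, flags, exts=b""):
    """RFC 4121 checksum: Lgth (always 16, little-endian) || Bnd || Flags || Exts.
    The optional delegation fields (GSS_C_DELEG_FLAG) are omitted in this model."""
    return struct.pack("<I", 16) + rfc1964_bnd(serialized_cb) + struct.pack("<I", flags) + exts


def sha256_cb_extension(serialized_cb):
    """Assumed TLV extension: type (4) || length (4) || SHA-256 of the same
    serialized bindings. The big-endian header is this example's choice."""
    digest = hashlib.sha256(serialized_cb).digest()
    return struct.pack(">II", EXT_TYPE_CB_SHA256_HYPOTHETICAL, len(digest)) + digest


def legacy_acceptor(checksum, local_serialized_cb, verify_bindings=True):
    """Acceptor that predates extensions: it reads the fixed 24-octet prefix
    and ignores trailing octets. verify_bindings=False models an acceptor
    that never compares Bnd at all; the initiator cannot tell the difference."""
    (lgth,) = struct.unpack("<I", checksum[:4])
    if lgth != 16 or len(checksum) < 24:
        return "reject"
    bnd = checksum[4:20]
    if verify_bindings and bnd != rfc1964_bnd(local_serialized_cb):
        return "reject"
    return "accept"


def agile_acceptor(checksum, local_serialized_cb):
    """Acceptor that also walks the assumed extension list and checks the
    SHA-256 hash when present. It still checks the MD5 Bnd field first."""
    if legacy_acceptor(checksum, local_serialized_cb) != "accept":
        return "reject"
    exts = checksum[24:]  # valid only because no delegation fields are present
    while len(exts) >= 8:
        ext_type, ext_len = struct.unpack(">II", exts[:8])
        value, exts = exts[8:8 + ext_len], exts[8 + ext_len:]
        if ext_type == EXT_TYPE_CB_SHA256_HYPOTHETICAL:
            if value != hashlib.sha256(local_serialized_cb).digest():
                return "reject"
    return "accept"


if __name__ == "__main__":
    # Constructed sample bindings: GSS_C_AF_INET (2) addresses and app data.
    cb = serialize_channel_bindings(2, b"\x0a\x00\x00\x01", 2, b"\x0a\x00\x00\x02", b"constructed-app-data")
    other = serialize_channel_bindings(2, b"\x0a\x00\x00\x01", 2, b"\x0a\x00\x00\x03", b"constructed-app-data")
    plain = build_checksum(cb, GSS_C_MUTUAL_FLAG)
    with_ext = build_checksum(cb, GSS_C_MUTUAL_FLAG, sha256_cb_extension(cb))
    print("legacy, no ext, right bindings :", legacy_acceptor(plain, cb))
    print("legacy, ext, right bindings    :", legacy_acceptor(with_ext, cb))
    print("legacy, ext, wrong, no check   :", legacy_acceptor(with_ext, other, verify_bindings=False))
    print("agile, ext, wrong bindings     :", agile_acceptor(with_ext, other))
```

Run as a script it prints the verdict each acceptor returns; the legacy acceptor answers "accept" in the first three cases, so nothing in the token exchange tells the initiator whether its bindings, MD5 or SHA-256, were ever compared.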
WGLC will start sometime in April. Tobias Gondrom (tgondrom@opentext.com) has agreed to review it.
PKINIT Hash Agility (draft-ietf-krb-wg-pkinit-alg-agility-02.txt)
This is nearly ready, but needs review. WGLC will start sometime in April. Shawn Emery and Stefan Santesson have agreed to review it.
Referrals (draft-ietf-krb-wg-kerberos-referrals-09.txt)
Version 09 was submitted before the meeting; due to time constraints, some changes were not folded in by the deadline. There are several outstanding substantive issues; Ken gave a brief summary of each and will bring them up on the mailing list for discussion.
Extensions (draft-ietf-krb-wg-rfc1510ter-04.txt)
Version 04 was submitted before the meeting; due to time constraints, there are still some changes outstanding. Tom will fold in the remaining changes, post a new version, and develop intermediate milestones for making the document ready for last call.
IAKERB (draft-zhu-ws-kerb-01.txt)
Larry Zhu has brought us a proposal similar to the old IAKERB protocol, but with a somewhat different application in mind. There was some discussion as to whether it might be good to merge IAKERB and PKU2U (draft-zhu-pku2u-01.txt). The chair indicated that PKU2U alone is not really within the current scope of this working group [Note however that we are discussing a charter update --jhutz], but that a combined document might be. It was suggested that we first decide whether to work on IAKERB, and if so, then we might consider whether to merge PKU2U into IAKERB.
There were some participants in favor of adopting this item, and none against. However, there were also several who indicated they'd like more information before deciding, so the question was deferred to the mailing list.
Data Model and Admin Protocol (draft-johansson-kerberos-model-02.txt)
There was some discussion of Leif Johansson's Kerberos data model document, and quite a bit of discussion of whether to include a work item to complete the data model document and develop an LDAP schema for Kerberos administration. It was generally agreed that the latter was the real issue -- if we were to pick up the LDAP schema work, we'd want to start by polishing and publishing the data model; if not, then Leif will proceed with the data model as an individual submission.
There was some contention over whether this working group should adopt the LDAP schema work. The chair indicated he had heard from several people (not present at the WG meeting) who were interested in pursuing such work, in the IETF or otherwise. Some people in the room supported doing such work, but some, particularly Larry Zhu, felt that the various implementation-dependent admin protocols currently in use were adequate. A number of people expressed the concern that it might be too late to effectively standardize an admin protocol. None of the implementors present were willing to speculate on whether they might implement such a protocol.
Time ran out in the first meeting session with no sign of nearing a consensus on whether to include this item. Therefore, the discussion was deferred to the mailing list.
Cross-Realm Problem Statement (draft-sakane-krb-cross-problem-statement-01.txt)
Shoichi Sakane gave a brief presentation on his cross-realm problem statement draft, briefly touching on the issues covered by the draft and giving an overview of current and previous documents aimed at solving one or more of them.
The overwhelming consensus of those present in the room was that this work should be included in the charter proposal.
Preauthentication Framework / FAST / STARTTLS (draft-ietf-krb-wg-preauth-framework-05.txt, draft-josefsson-kerberos5-starttls-02.txt)
Sam gave a short presentation describing the preauth framework proposal and FAST, which is an approach to simplifying design and analysis of preauth mechanisms by establishing a secure tunnel to carry them. The document also describes some additional features (client name hiding and allowing the KDC to follow referrals) which could be moved into separate documents. Sam indicated he felt that without FAST, the preauth framework would probably be overkill.
Simon Josefsson was not present at the meeting, but the chair gave a brief description of the STARTTLS proposal, which Simon had previously presented. There was some discussion related to the relationships and potential interactions between STARTTLS, TLS-GSS, and IAKERB.
There was then considerable discussion of the relative benefits of FAST and STARTTLS. Much of this was based on the premise that they are competing proposals, but the conclusion was reached that we weren't sure whether that was true. There was strong support within the room to adopt at least one of these, but it was felt that more information was needed before a decision could be reached. Nicolas Williams volunteered to put together a comparison of STARTTLS and FAST which could be used in helping to make that decision.
Preauthentication Mechanisms (draft-ietf-krb-wg-hw-auth-04.txt, draft-richards-otp-kerberos-01.txt)
Only a few people had read these documents or had an opinion as to whether they should be included in our charter. Sam expressed a strong opinion that it was crucial to have some form of support for one-time passwords. There was a fair amount of support in the room for including a charter item for OTP support. Discussion of the hardware preauth document was deferred to the mailing list.