Kerberos Working Group - IETF 71 Meeting Minutes

Meeting: IETF71 at Marriott Philadelphia Downtown, Philadelphia, PA, USA
Time: 1520-1720, Tuesday, March 11, 2008
Location: Salon I (5th floor)
Chairs: Jeffrey Hutzelman, Larry Zhu
Scribe: Shawn Emery
Audio: http://www.ietf.org/audio//ietf717.m3u
Meeting Materials: https://datatracker.ietf.org/public/meeting_materials.cgi?meeting_num=71

Preliminaries - Chairs (5 min)

Document Status and last calls:

* Set/Change PW - draft-ietf-krb-wg-kerberos-set-passwd-07
  Waiting for an update
* GSS Agility - draft-ietf-krb-wg-gss-cb-hash-agility-03
  The shepherd (Larry) recommended another last call for the updates that add an extension to protect the mechanism OID, per IETF70 meeting consensus
* Cross-Realm - draft-ietf-krb-wg-cross-problem-statement-02
* PKINIT ECC - draft-zhu-pkinit-ecc-04
  No issues
* Naming - draft-ietf-krb-wg-naming-04
  Needs an update for an example requested in last call comments
* Anonymous - draft-ietf-krb-wg-anon-05
  No issues
* Data Model - draft-ietf-krb-wg-kdc-model-01
  Needs more reviews; Larry and Shawn signed up to review the document

We reviewed the status of several documents that are working their way through the queue, and discussed several documents which have recently concluded IETF or Working Group Last Call. The set-change password document is waiting for an updated version which the author didn't quite get in before the meeting, and then it will go to Tim and the IESG. The cross-realm problem statement document finished WG last call some time ago, and has been waiting for the chairs to finish their review and writeup.
The PKINIT ECC document has received no notable comments in IETF LC, and hopefully will move along smoothly. There were some comments in a security directorate review of naming, which will be addressed in an upcoming revision. The data model document just finished WGLC; Leif will do some updates to reflect comments received.

Sam Hartman reviewed recent updates to the Preauth Framework document. Gareth Richards went over some open issues related to the OTP document. There was discussion as to whether it was necessary to have a particular mandatory-to-implement OTP mechanism; the conclusion in the room seemed to be that it was not. Gareth also described an issue relating to the need to come up with OTP algorithm identifiers: apparently keyprov has the same problem, and a joint solution may be appropriate.

The chairs would like to see the group consider possible directions and next steps now that the cross-realm problem statement document is done. This could include rechartering to pick up new work to address one or more of the problems described there. To that end, Kamada Ken'ichi gave a presentation on the Client-Friendly Cross Realm work he's been doing. We will continue to consider where to go next, and possibly have another presentation in Dublin. Interested parties should contact the chairs and/or bring up their proposals on the mailing list.

There was a discussion relating to the intended status of the STARTTLS document. Before we send this document to the IESG, the chairs would like to see us come to a conclusion on whether it should be Informational or Standards Track. Tim is investigating whether there is precedent for possible actions when the technical aspects of a document are complete and it is blocked only on intended status.

At the open mic, Shoichi Sakane mentioned a proposal he is bringing to the dhc working group to create a DHCPv6 option for identifying a KDC.
ACTION ITEMS:

* Nicolas Williams - send an updated version of set-change password
* Chairs - finish review and writeup of cross-realm problem statement
* Larry Zhu - prepare an example for naming of how unintended access could be granted if authentication succeeds with an unsupported well-known name
* Chairs - ask folks commenting that the data model might be incomplete to come up with specific examples of things that are missing
* Larry Zhu, Shawn Emery, others - examine the data model with respect to their specific implementations

DECISIONS (to be validated):

* The data model document should not cover operations.
* OTP perhaps does not need a mandatory-to-implement mechanism.