Kerberos Working Group (KRB-WG) Minutes

Meeting : IETF 80, Hilton Prague, Prague, Czech Republic
Time : 1300-1500, TUESDAY, March 29, 2011
Location: Barcelona/Berlin
Chairs : Jeffrey Hutzelman, Larry Zhu
Scribe : Leif Johansson

- jhutz launches the meeting with co-chair Sam Hartman, with the note-well etc.
- jhutz gives an intro to the wg list and pages, meeting remote participation etc.
- agenda bashing
  tlyu: we need to talk about number assignment policy
- doc status
  sam: an open issue in anonymous (rfc-to-be 6112). Propose a forward-compatible fix for an unclear spec and misimplementation in currently deployed code. No comments against the proposed change. AD approval needed (Sean Turner is AD in situ for this session). The AD says they will work on coordinating this change.

  otp preauth discussion with Simon Josefsson. Sam tries to summarize the discussion on the list resulting in changes to the document. Simon summarizes: otp and password should be able to validate separately; challenges need to be > 8 chars. All of these changes were fixed. Sam: the changes were constrained enough not to need a new WGLC.

  Shawn E talks about the gss hash-agility draft. jhutz polled the room for implementors and their plans for gss hash agility. Shawn notes he needs to do a minor change and then the doc is ready for WGLC.

  Sam talks about pkinit alg agility and the need to correct some test vectors before going to WGLC.

  Sam considers adding another editor to lha's die-die-die draft so final updates can go in and it can go to WGLC.

- technical discussion

  Referrals

  How to update referrals? Sam describes a proposal from the last Interop by Larry Zhu. Sam has updated the draft to reflect this proposal, which does not protect against all attacks though (listen to the audio for details). No comments on the list on his proposals.

  Minor issues left to change:
  - fill in an XXX in the draft (obvious how)
  - clarify the bit about how u2u makes AD login alias more complicated; propose to remove it and force review at WGLC
  - appendix A describes win2k behaviour which is very hard to understand; propose to rip it out unless MSFT clarifies the text

  Sam begs for review on this document. It is implemented and ships today! Josh asks for a repeat of the high-level overview of the problem Sam just described. Sam provides it.

  General PAC draft

  Thomas H: waiting for comments and review. Sam summarizes the drafts in outline. The document is draft-sorce-krbwg-general-pac-01.txt. The chairs ask for a hum in favor of adopting the draft as a WG document. The hum is clearly in favor of doing so.

  Number Assignment Policy (IANA registries)

  Sam provides an overview of the issues, specifically the need for requiring an open spec for registrations. Sam describes the consensus from Beijing: for certain types of registrations IETF review, and for others expert review only. jhutz lists the types of protocol enums that should be handled by the kerberos registry. The chairs ask for discussion.
  tlyu says he agrees with lha's idea about FCFS for a range of numbers.
  jhutz: "we should make it as easy as possible to extend the protocol in the intended ways but harder for people to misuse the extensibility."
  Sam: an FCFS range doesn't make sense at all; the whole thing should be FCFS or not.
  jhutz: disagrees; lower-range numbers take less space to encode.
  Sam: I don't buy it.
  Sam: specs should always be available.
  More discussion ensues. The chairs conclude that there aren't enough opinions in the room. Sam will formulate a set of questions to the list:
  - should ticket extensions and pa-data be the same animal?
  - are FCFS + expert review + IETF review enough options?
  Sam: it's a pity "no assignment" isn't an available option.
  Sean: meta-comment that thinking about these things is a very good idea and helps for the future.

- Charter Discussion

  A draft charter was sent to the list. Comments refer to version 01 of the new charter proposal. jhutz summarizes the charter.
  - finish existing work
  - internationalization. Sam proposes relaxing the backwards-compat requirements. Proposed text in email: "Prepare and advance one or more standards-track specifications which update the Kerberos version 5 protocol to support non-ASCII principal and realm names, salt strings, and passwords, and localized error reporting. Maximizing backward compatibility is strongly desired."
    simon comments: localized error reporting is separate.
    jhutz: yes, you have a document for this and this includes your document in scope.
    simon: localized error reporting can be done fully backwards compatibly.
    No objection was raised in the room to this change.
  - Discussion on narrowing the "enable future revisions and extensions" bullet to explicitly talk about ticket extensions. A hum in the room indicates that we should narrow this to cover only ticket extensions.
  - jhutz: milestones will not be discussed in the session but between the authors and the chairs.
  - Discuss the "new cryptographic algorithms" bullet point. This says that it is within the scope of the group to work on new enctypes without rechartering. This does not mean that work on every new enctype *must* happen in krb-wg.
    tlyu: you appear to have dropped my text!
    jhutz: sorry, fix by including tlyu's qualifications from the list.
    Thomas H: will you just paste tlyu's text from the email?
    jhutz: no, there was merging with text from Thomas H.
  - Discuss the "extensibility for AD-types" bullet. Sam asks jhutz to make sure the scope of the bullet includes the generic-PAC/PAD doc. A hum indicates weak but still present support for doing this.
  - Discuss the need to scope in review of new ticket extensions. leifj, jhutz: we can always re-charter.
  jhutz: what is missing from this charter? What is not covered?
  leifj: drop the LDAP schema.
  jhutz: take this question to the list and if there is no support, drop it.
  Thomas H: we get interest in LDAP-as-backend from time to time.