Kerberos Working Group - IETF 60 meeting summary

- The chairs gave an update of the status of documents which have been sent to the IESG:
  + The kcrypto document is in the RFC Editor queue. The room agreed to adopt Sam's PRF change, which will be applied in author's 48hrs.
  + The GSSAPI-CFX document is in the RFC Editor queue.
  + The AES document is in the IESG's hands. The author believes all issues have been addressed, but the ADs haven't decided yet.
  + Kerberos clarifications needs another rev to incorporate changes to resolve remaining IESG issues; we will also RECOMMEND AES128.
- The group reviewed working group priorities and milestones.
- Brian Tung gave an update on the status of PKINIT, and led a discussion covering the major open issues. Issues covered included:
  + OCSP
  + DH key derivation
  + DER vs BER
  + Wrapping CMS objects in IMPLICIT OCTET-STRING
  + REQUIRED/RECOMMENDED DH groups
  + Including the root CA in the certificate chain
- Sam Hartman gave an update on the preauth framework.
- Leif Johansson gave an update on the information model. He would like this to become a WG work item.
- Nico Williams gave an update on Set/Change Password.
- Larry Zhu gave an update on referrals.
- Doug Engert made a quick presentation on a number of issues resulting from the wide success of Kerberos.
- Tom Yu was scheduled to give an update on kerberos-extensions, but we ran out of time in the session. Tom's slides will be included in the proceedings.

DECISIONS (to be validated on the list):
* Adopt Sam's proposed change to the PRF change in kcrypto; the editor will make the change during author's 48hrs.
* Adopt AES128 as RECOMMENDED enctype per Nico's request; the editor will make this change in kerberos-clarifications-21.
* OCSP tunneling will remain as a separate document, not folded into PKINIT. This will be a WG work item and Larry will submit the draft with an ietf-krb-wg filename.
* Adopt Sam/Larry's DH key derivation proposal, with specific wire format to be resolved on the list.
* CMS objects in PKINIT to be wrapped in IMPLICIT OCTET-STRING.
* PKINIT PDUs (not CMS objects) MUST be encoded in DER.
* Cert chains MUST NOT include the root CA cert.
* The kerberos-extensions document will use Tom's new structure.
* set-change-password will include encoding hints.

ACTION ITEMS:
* raeburn: incorporate PRF change into kcrypto, pending WG approval
* bcn: incorporate link-local comments into kerberos-clarifications
* bcn: incorporate AES128 RECOMMENDED into kerberos-clarifications
* bcn: submit kerberos-clarifications-21
* deengert: submit milestone updates
* brian: resolve PKINIT editorial issues and apply WG decisions
* Larry Zhu: submit OCSP tunneling document
* tlyu: get kerberos-extensions ready for discussion
* WG: determine whether PKINIT rejections must be able to receive CMS objects which are not DER-encoded.
* WG: determine which DH groups to REQUIRE/RECOMMEND