List:       kerberos
Subject:    Re: What happened to PKCROSS?
From:       Nico Williams <nico () cryptonector ! com>
Date:       2014-10-24 16:54:55
Message-ID: CAK3OfOhArjbPZqv+7hwDpSUSxjW=YXo3=d=2TKWXNUnL1mq+vA () mail ! gmail ! com

FYI, I just submitted draft-williams-kitten-krb5-pkcross-03.

It still needs some work, obviously (e.g., DANE RRset stapling).  But
it's closer.

In particular I've added details on how a TGS can drive PKCROSS.  It
turns out to be quite simple...

TODO:

 - add a new KDC error code by which a KDC can indicate that it is
rejecting a foreign realm PKINIT request by a non-KDC client

 - add a reference(s) for DANE stapling

 - maybe remove all TOFU/LoF text (since it could go in a separate I-D)

 - ...

Nico
--
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos