FYI, I just submitted draft-williams-kitten-krb5-pkcross-03. It still needs some work, obviously (e.g., DANE RRset stapling). But it's closer.
In particular I've added details on how a TGS can drive PKCROSS. It turns out to be quite simple...

TODO:

 - add a new KDC error code by which a KDC can indicate that it is rejecting a foreign realm PKINIT request by a non-KDC client
 - add a reference(s) for DANE stapling
 - maybe remove all TOFU/LoF text (since it could go in a separate I-D)
 - ...

Nico