I hate to be raising last call issues with my own document but such is life.

1) Jim Schaad reports that our ASN.1 module is missing an import statement.

2) Shortly after Jeff submitted the publication request, Tom Yu found some problems with the assigned numbers in the IANA pre-authentication registry that is being created. In response to his last round of comments back in April we moved some things around and apparently left some conflicts in place.

The above two are relatively easy to fix.

3) We discovered that the description of ad-authentication-strength at the bottom of page 36 is incorrect. It says that ad-authentication-strength needs to be included in ad-if-relevant. The problem with that is that a client could generate a fake ad-authentication-strength element unless it is integrity protected by the KDC. So, ad-authentication-strength really needs to be included in ad-kdc-issued. In this case, the KDC provides integrity protection for the element, preventing a client from including its own claim about authentication strength. (This is roughly the difference between signed and unsigned attributes in CMS.) I need to figure out whether ad-kdc-issued is inherently non-critical or if you need ad-kdc-issued plus ad-if-relevant (and if so, what the order should be) to get a non-critical integrity-protected authorization data element.

This change should not be a problem; as far as I'm aware none of the implementations currently include an ad-authentication-strength element.

Sorry that the above point is coming out so late. We discovered this when looking at a bug in another protocol and were concerned that we might have something we needed to treat as a product security problem. As it turns out that issue is non-sensitive and I'll be describing it in a separate message to the working group list.

I request permission from the chairs and Tim to upload a new draft fixing these three issues once I confirm a resolution for #3 above.