Comments on Kerberos Token Profile 1.1 draft 07

[Nicolas Williams <Nicolas.Williams@Sun.COM>]

I remember complaining about the choice of raw Kerberos instead of the
GSS-API mechanism.

The TC seems to have responded by adding a plethora of choices.

I don't see how this helps implementors.

I'm also still very curious as to how Kerberos V session keys are used
or how AP-REQ and/or GSS initial context tokens are bound to session
protection provided by other layers.

Please cc me as I'm not on the list.

Also, I'd appreciate a pointer to the complete set of OASIS documents
(i.e., not including W3C or IETF docs) one must read in order to perform
a security analysis of this profile.

Thanks,

Nico
--