Ops feedback notes 2014-10-07
There were requests for notes from the in-person ops forum from September.
SHA-2 enctypes
There might be policy or regulatory reasons that sites will want to migrate away from SHA-1, even if the uses in symmetric Kerberos crypto are safe due to HMAC. There is a KITTEN WG draft (nearing completion) for Suite B enctypes in Kerberos, which uses SHA-2 hashes. Non-specialists often only hear "SHA-1 is bad" and lack background to understand why its use in Kerberos is safe.
Web auth
...to be transcribed...
Feature requests
Improvements to iprop (Richard Basch), e.g., notify-style protocol flow to decrease latency. There is some other interest in that as well. Setups exist where the master typically doesn't get ticket requests, so anything to decrease the propagation latency helps.
Reporting features (special query-friendly dump file format). Tom will outline some designs soon.
Policy updates through iprop. Already happens post-1.12 by forcing a full dump, but we can make it better.