What happened to PKCROSS?

Nico Williams nico at cryptonector.com
Wed Jul 2 16:15:29 EDT 2014


BTW, DANE stapling is not that hard.  I have been pointed at AGL's
code for it.  The RP side doesn't need a DNSSEC resolver to implement
it because all the records are stapled, and the RP doesn't need to
implement non-existence checking and so on -- just validate the
signature chain to the RP's DNSSEC root and check "name constraints".

Producing the stapled data is not hard either.  There's a Python
script that uses dig(1) that supports this.  It needs to learn to be a
daemon that wakes before the shortest TTL passes to refresh the chain.

Stapling should result in fewer external dependencies for the Kerberos
libraries, so that's a big win.

Nico
--

