What happened to PKCROSS?

[Nico Williams]

FYI, I just submitted draft-williams-kitten-krb5-pkcross-03.

It still needs some work, obviously (e.g., DANE RRset stapling).  But
it's closer.

In particular I've added details on how a TGS can drive PKCROSS.  It
turns out to be quite simple...

TODO:

 - add a new KDC error code by which a KDC can indicate that it is
rejecting a foreign realm PKINIT request by a non-KDC client

 - add a reference(s) for DANE stapling

 - maybe remove all TOFU/LoF text (since it could go in a separate I-D)

 - ...

Nico
--