Update NEWS release notes for upcoming 8.0 release

Nicolas Williams
2025-12-21 22:02:45 -06:00
parent fa43b2d3c4
commit 3be4426f9d

NEWS

@@ -11,17 +11,37 @@ Bug fixes
- iprop bugs, race conditions, and performance
- Many misc. bugs
Defaults changes:
- Default enctypes set to: aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192.
- 1DES now disabled by default in the build configuration.
Use `./configure --with-1des=yes` to re-enable 1DES.
(Use `--with-3des=no` to disable 3DES.)
(Use `--with-arcfour` to disable RC4.)
Features:
- OpenSSL 3 support (hcrypto has been removed).
- OpenSSL 3 provider support, including propq (e.g., for enabling FIPS) and
PKCS#11 providers such as the Latchset provider
(https://github.com/latchset/pkcs11-provider).
- PKINIT: RFC 8636 (algorithm agility) implemented.
- PKINIT: ECDH w/ NIST and X curves implemented.
- PKINIT: Support for ECDSA and EdDSA implemented.
- PKINIT: RSA key transport is disabled by default
- KDC: Add FAST support for TGS.
- KDC: Greatly improved plugin facility for Samba.
- KDC: Add httpkadmind service providing a subset of kadmin
functionality over HTTP.
- KDC: Add support for virtual service principal namespaces.
- KDC: Add support for virtual service principal namespaces, which rekey
service principals on a clock.
- KDC: Add support for synthetic client principals that exist if the
pre-authentication mechanism (e.g., PKINIT) can authenticate
them, thus not requiring an HDB entry.
- KDC: Add experimental GSS-API pre-authentication support.
Together with virtual service principal namespaces this allows for
realms with minimal, primarily read-only HDBs.
- KDC: Add experimental GSS-API pre-authentication support for Kerberos KDC
exchanges.
- KDC: Revamp and enhance kx509 support (though bx509d mostly replaces kx509).
- KDC: Better support for aliases and referrals.
- KDC: Always return the salt in the PA-ETYPE-INFO[2].
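Review bot: the build-option hints in the "Defaults changes" block are inconsistent: `--with-1des=yes` re-enables 1DES and `--with-3des=no` disables 3DES, but the RC4 line says "Use `--with-arcfour` to disable RC4", which reads as the enable form; it should presumably be `--with-arcfour=no`, or whatever spelling configure actually accepts. Further down, the hunk as rendered carries two "KDC: Add support for virtual service principal namespaces" entries and two "KDC: Add experimental GSS-API pre-authentication support" entries; if both of each pair survive in the new text, keep only the fuller wording ("... which rekey service principals on a clock", "... for Kerberos KDC exchanges") and make sure the continuation "Together with virtual service principal namespaces this allows for realms with minimal, primarily read-only HDBs." sits under the entry it actually describes. "PKINIT: RSA key transport is disabled by default" is also missing its trailing period.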
@@ -29,14 +49,18 @@ Features:
- KDC: allow anonymous AS requests with long-term keys.
- KDC: Do not include PAC for anonymous AS requests.
- KDC: Enable keepalive mode on incoming sockets.
- KDC: Greatly improved logging.
- KDC: Greatly improved logging, with one structured log message per-request,
with all details as key/value pairs.
- KDC: Remove KRB5SignedPath, to be replaced with PAC.
- PKIX: Add bx509d -- an online certification authority (CA) with an HTTP API.
- kadmin: Add HTTP-based kadmin protocol.
- PKIX: Add support elliptic curve signatures (ECDSA and EdDSA).
- PKIX: Add support for modern password-based encryption ciphers for PKCS#12.
- kadmind: Add httpkadmind, an HTTP-based kadmin protocol.
- kadmin: Add add_alias, del_alias.
- kadmin: Add command aliases to man page.
- kadmin: Add disallow-client attribute.
- kadmin: add --hdb / -H argument.
- kadmin: Improve -e enctype option support.
- kadmin: Add --hdb / -H argument.
- kadmin: Allow enforcing password quality on admin password change.
- kadmin: Improve ext_keytab usage.
- kadmin: Selective pruning of historic key for principal.
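Review bot: "kadmin: add --hdb / -H argument." and "kadmin: Add --hdb / -H argument." differ only in capitalization, so one of them should go; likewise "KDC: Greatly improved logging." is subsumed by the longer "Greatly improved logging, with one structured log message per-request ..." entry directly below it (and "per-request" should be "per request"). httpkadmind is now announced three times: "KDC: Add httpkadmind service providing a subset of kadmin functionality over HTTP." in the previous hunk, and "kadmin: Add HTTP-based kadmin protocol." plus "kadmind: Add httpkadmind, an HTTP-based kadmin protocol." here; one entry under the right heading is enough. Small wording fixes: "PKIX: Add support elliptic curve signatures" is missing "for", and "Selective pruning of historic key for principal" should read "historic keys for a principal".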
@@ -53,12 +77,13 @@ Features:
- krb5: Implement KRB5_TRACE environment variable.
- krb5: Add experimental name canonicalization rules configuration.
- krb5: Support start_realm ccconfig entry type.
- kinit: Add --default-for option for ccache collection support.
- kinit: Add --default-for-principal option for ccache collection support.
- kinit: Add --pk-anon-fast-armor option.
- kinit: Don't leave dangling temporary ccaches.
- klist: Better --json
- iprop: Many performance and scaling enhancements.
- iprop: Support hierarchical propagation.
- iprop: Support fast full props by using async writes during transfer.
- ASN.1: Document fuzzing process.
- ASN.1: Complete template backend.
- ASN.1: Add partial Information Object System support (template backend
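Review bot: the two kinit entries "Add --default-for option for ccache collection support." and "Add --default-for-principal option for ccache collection support." describe the same feature under two different option spellings; only one should remain, and it should match the option name kinit's help output actually prints. "klist: Better --json" is missing its trailing period, and "fast full props" in the iprop entry would be clearer as "fast full propagation".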
@@ -71,31 +96,40 @@ Features:
- ASN.1: Support circular types.
- ASN.1: Topographically sort declarations.
- ASN.1: Proper support for IMPLICIT tags.
- GSS: Import gss-token(1) command.
- GSS: Add advanced credential store / load functionality.
- GSS: Add gss_acquire_cred_from() and credential store extensions.
- GSS: Add name attributes support, with support for many basic attributes
and PAC buffer accessors too.
- GSS: Add SANON mechanism for anonymous-only key exchange using
elliptic curve Diffie-Hellman (ECDH) with Curve25519.
- GSS: Add gss_acquire_cred_from() and credential store extensions.
elliptic curve Diffie-Hellman (ECDH) with Curve25519.
- GSS: Support fragmented tokens reassembly (for SMB).
- GSS: Support client keytab.
- GSS: Add NegoEx support.
- libhx509: Lots of improvements.
- GSS: Import gss-token(1) command.
- GSS: Improve gsstoool(1) command.
- hxtool: Add "acert" (assert cert contents) command
- hxtool: add cert type: https-negotiate-server
- hxtool: add generate-key command
- hxtool: Add OID symbol resolution and printing of OIDs known to hxtool.
- hxtool: Add print --raw-json option that shows certificates in JSON, with
all extensions and attributes known to Heimdal fully decoded.
- hxtool: Improved SAN support.
- hxtool: Improved CSR support.
- hxtool: Greatly improved SAN support.
- hxtool: Greatly improved CSR support.
- hxtool: Greatly improved manual page.
- Improved plugin interfaces.
- hcrypto: Add X25519.
- hcrypto: Better RSA key generation.
- hcrypto: import libtommath v1.2.0.
- roken: Add secure_getenv() and issuid(), use them extensively.
Features removed:
- NTLM support.
- "digest" server functionality in KDC (for NTLM).
- OTP.
- libhcrypto.
Feature removal warnings:
- 1DES and RC4 may be remove in Heimdal 8.2
Release Notes - Heimdal - Version Heimdal 7.8
Bug fixes
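Review bot: the three hcrypto feature entries ("hcrypto: Add X25519.", "hcrypto: Better RSA key generation.", "hcrypto: import libtommath v1.2.0.") contradict "OpenSSL 3 support (hcrypto has been removed)." at the top of the file and "libhcrypto." under "Features removed"; either drop them or move them to the release in which they actually shipped. The line "elliptic curve Diffie-Hellman (ECDH) with Curve25519." that follows the second "GSS: Add gss_acquire_cred_from() and credential store extensions." entry is an orphaned continuation of the SANON entry above it, and that gss_acquire_cred_from() entry, the "GSS: Import gss-token(1) command." entry and the hxtool "Improved SAN support" / "Improved CSR support" pair all appear twice in the hunk; keep one copy of each (the "Greatly improved" wording for hxtool). Typos: "Topographically sort declarations" should be "Topologically", "gsstoool(1)" should be "gsstool(1)", and "1DES and RC4 may be remove in Heimdal 8.2" should read "removed". The hxtool "acert", "https-negotiate-server" and "generate-key" entries lack trailing periods.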