RE: Does the problem need solving?
...
There is a large difference between "initialize the path validation
parameters" and "can initialize the path validation parameters". I
know of no popularly-used system that relies on PKIX certs that
allows any initialization of the path validation parameters. I
assume that you may know of one or two, but that does not negate
what I said above.
What you cite here is evidence of implementations that lack an
important management interface component. No disagreement on that.
But that does not make PKIX responsible for this missing component.
As an analogy I note that despite the fact that 4301 and 2401 included
an explicit requirement for an SPD management capability, the most
widely distributed IPsec implementation did not (and still may not)
include that capability. Surely you don't blame IPsec for that, do
you :-)?
Steve