[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Issue with the requirements document: PKIX-centric terminology




Steve,

First, I don't play cards, so I have none to put on the table :-).

I started contributing to this list on the assumption that we might need a TAM protocol that is broader than the X.509 context, and thus a new WG was appropriate. We have never pursed development of a protocol like this in PKIX because nobody stepped forward to propose such work. If they had, and if there were sufficient interest, we would have pursued it in PKIX.

I also am familiar with projects that have developed this sort of capability in the past; the resulting protocol was focused only on X.509 certs and raw keys. Those efforts had a fairly clear idea of their requirements, though getting agreement on them was very tough, even in a much narrower context.

What I have seen so far on the list is just what I stated in a previous message: two or more constituencies, each with a different notion of what TAM means. There seems to be some desire to create a new WG to see if it can develop a protocol that will accommodate these possibly divergent goals. Personally I am not in favor of chartering such WGs, because they also can drag on without progress as the different constituencies continue to wrangle over what the problem is.

Let me give an example. You have argued that we ought not spend more time trying to nail down a more precise definition of a TA, but rather move on to other topics for the charter. I worry that the difficulty we see in agreeing on a definition for TA is indicative of the problem I noted above. If folks have different ideas of what a TA is, then maybe they can agree on fuzzy language for what a TAM protocol should do, given the ambiguity created by a lack of a precise TA definition. One might be able to charter a WG this way, because each constituency reads the fuzzy words in the charter differently, and is convinced that their goals can be addressed by the WG. Only later do the conflicting views become apparent and stymie progress. I don't agree with this approach to creating a WG (even a short-lived one of the sort you favor), in any area.

In my opinion, the repeated references to the need to define tags to accommodate different types of certs (as well as raw keys) suggests that folks either have very modest goals for this effort, of they have not focused on what several of us have discussed as the harder problems, e.g., defining a policy language to express TAA constraints, accommodating multiple TAAs for a single device, describing how the semantics extent in certs like X.509 will be accommodated by a protocol that purports to be cert-type independent, etc.

Folks who have communicated with me off list have more clearly articulated notions of what they want in TAM, but they have focused exclusively on the X.509 context. If the TAM list doesn't manage to develop consensus on its goals and definitions, then yes, I would suggest to the folks with whom I've spoken that hey come to PKIX and ask that WG to adopt a work item that does address their needs.

Hope this answers you question.

Steve