[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Draft Charter

To: "Frank Siebenlist" <franks@xxxxxxxxxxx>
Subject: RE: Draft Charter
From: "Santosh Chokhani" <chokhani@xxxxxxxxxxxx>
Date: Tue, 21 Aug 2007 04:31:14 -0700
Cc: <ietf-trust-anchor@xxxxxxxx>
In-reply-to: <46CA7A99.8010103@xxxxxxxxxxx>
List-archive: <http://www.vpnc.org/ietf-trust-anchor/mail-archive/>
List-id: <ietf-trust-anchor.vpnc.org>
List-unsubscribe: <mailto:ietf-trust-anchor-request@vpnc.org?body=unsubscribe>
References: <886F5D4C78AFB14D87261206BFB9612E1D31D6DF@xxxxxxxxxxxxxxxxxxxxx> <> <46CA355A.6040704@xxxxxxxxxxx> <> <> <46CA7A99.8010103@xxxxxxxxxxx>
Sender: owner-ietf-trust-anchor@xxxxxxxxxxxxx
Thread-index: AcfjuOSa8DlUkOL7Tme0cYhlM8TNfQALy24g
Thread-topic: Draft Charter

Frank,

I agree with Steve.  I will be willing to expand the notion a bit.  But,
in my thinking this deals with cryptographic protocols.  These protocols
require a public or secret key to establish the trust for authentication
and integrity checks.  Thus, it must be a key.  As it so happens, we
have been dealing with PKI related matters and hence the starting key
for authentication and integrity is a public key.

In short, any idea for trust anchor that does not deal with a crypto key
is a loser from crypto viewpoint.

-----Original Message-----
From: owner-ietf-trust-anchor@xxxxxxxxxxxxx
[mailto:owner-ietf-trust-anchor@xxxxxxxxxxxxx] On Behalf Of Frank
Siebenlist
Sent: Tuesday, August 21, 2007 1:40 AM
To: Paul Hoffman
Cc: Stephen Kent; Carl Wallace; ietf-trust-anchor@xxxxxxxx
Subject: Re: Draft Charter

Too bad as in general the overall policy enforcement requires other
"trust anchors", "roots of trust", "assertion authorities", to be
pre-configured, like attribute- and authorization authorities.

Furthermore, it also would disallow the use of other authentication and
key exchange mechanism to bootstrap from, like
secure-password/shared-secret protocols with online CAs, in which case
there would be no need for any trust-anchor's public key and no digital
signature.

Just to support x509/pkix style identity certs based on only public keys
and only dsigs makes it just as "useful" as x509/pkix... maybe this
trust-anchor protocol shouldn't deserve its own wg and should instead be
used to "revive" pkix as it clearly deals with a deficiency not
addressed in pkix's gazillion rfcs ;-)

-FS.

Paul Hoffman wrote:
> At 9:26 PM -0400 8/20/07, Stephen Kent wrote:
>> The notion of trust anchors has been, for the last 15 years or so, a
>> purely public key notion.  So yes, I would argue that if we want to
>> work on what it going to be called a trust anchor management
protocol,
>> it needs to be based on public keys and signature validation.  If
>> folks want to do something else, make up a new name, this one is
taken
>> :-).
> 
> I agree with Steve. Everyone involved so far has been talking about
> public keys, which if nothing else shows that this is the common
theme.
> 
> --Paul Hoffman, Director
> --VPN Consortium
> 

-- 
Frank Siebenlist               franks@xxxxxxxxxxx
The Globus Alliance - Argonne National Laboratory

Follow-Ups:
- Re: Draft Charter
  - From: Frank Siebenlist

References:
- RE: Draft Charter
  - From: Carl Wallace
- RE: Draft Charter
  - From: Stephen Kent
- Re: Draft Charter
  - From: Frank Siebenlist
- Re: Draft Charter
  - From: Stephen Kent
- Re: Draft Charter
  - From: Paul Hoffman
- Re: Draft Charter
  - From: Frank Siebenlist

Prev by Date: Re: Draft Charter
Next by Date: Re: Draft Charter
Previous by thread: Re: Draft Charter
Next by thread: Re: Draft Charter
Index(es):
- Date
- Thread