[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Issue with the requirements document: PKIX-centric terminology

To: ietf-trust-anchor@xxxxxxxx
Subject: Re: Issue with the requirements document: PKIX-centric terminology
From: Russ Housley <housley@xxxxxxxxxxxx>
Date: Wed, 12 Sep 2007 08:58:11 -0400
Cc: weiler@xxxxxxxxxxx
In-reply-to: <46C2FE40.4040003@xxxxxxxx>
List-archive: <http://www.vpnc.org/ietf-trust-anchor/mail-archive/>
List-id: <ietf-trust-anchor.vpnc.org>
List-unsubscribe: <mailto:ietf-trust-anchor-request@vpnc.org?body=unsubscribe>
References: <> <> <886F5D4C78AFB14D87261206BFB9612E1D31D34D@xxxxxxxxxxxxxxxxxxxxx> <> <> <46BCC0CC.2040805@xxxxxxxxx> <C1EDAC0E-3925-4B94-B054-D7804571801C@xxxxxxxxxx> <> <DBBD7A7F-08B5-4005-A68F-6A9690DC05C0@xxxxxxxxxx> <> <46C2FE40.4040003@xxxxxxxx>
Sender: owner-ietf-trust-anchor@xxxxxxxxxxxxx

I think that the protocol needs to be able to support X.509, OpenPGP,DNSSEC, and other protocol environments that make use of public keysfor validating digital signatures. That said, I strongly believethat the most urgent need is X.509, so that should be thepriority. From my reading of this mail list, no one is suggesting otherwise.

Jon Callas has described a situation where a trust anchor managementprotocol would be useful in Open PGP. He is one of the experts inthat protocol environment, so I do not need to build on his comments.

Steve Kent has reported that Mike St. Johns does not see a need for atrust anchor management protocol in the DNSSEC protocolenvironment. I hope Mike is right, but I fear that he is not. Thepolitics are the impediment to deployment of the DNSSEC stricthierarchy. As a result, alternatives to the strict hierarchy areemerging. For example, the IESG just approved the publication ofdraft-weiler-dnssec-dlv as an Informational RFC. There are maypossible ways that this protocol could be used. Personally, I hopethe existence of an alternative will help sort out the politicsaround the strict hierarchy, but if that does not happen there may bea need for a trust anchor management protocol in the DNSSEC environment.

Stephen Farrell has stated that there is very low overhead in addingsupport for trust anchors beyond the X.509 environment. He iscertainly correct, at least from the syntax perspective. CMS isprimarily used with X.509 certificates, but it also supports othercertificate formats. At one point, Some folks in the Open PGPcommunity were considering a document that would describe how to usePGP keys with CMS. I do not know the status of that effort, but ithas not yet reached IETF Last Call. My point in raising this exampleis that the syntax is very straightforward, but there may beimportant things to say about the semantics in each protocol environment.

I think the best way forward it to design a protocol syntax thatsupports all of these protocol environments. Flesh out the X.509environment semantics in the initial document, and then write otherdocuments to address the semantics of the other protocol environmentsas the need (and interest) emerges.


Russ

References:
- Issue with the requirements document: PKIX-centric terminology
  - From: Paul Hoffman
- Re: Issue with the requirements document: PKIX-centric terminology
  - From: Stephen Kent
- RE: Issue with the requirements document: PKIX-centric terminolog y
  - From: Carl Wallace
- RE: Issue with the requirements document: PKIX-centric terminology
  - From: Paul Hoffman
- RE: Issue with the requirements document: PKIX-centric terminology
  - From: Stephen Kent
- Re: Issue with the requirements document: PKIX-centric terminology
  - From: Stephen Farrell
- Re: Issue with the requirements document: PKIX-centric terminology
  - From: Jon Callas
- Re: Issue with the requirements document: PKIX-centric terminology
  - From: Stephen Kent
- Re: Issue with the requirements document: PKIX-centric terminology
  - From: Jon Callas
- Re: Issue with the requirements document: PKIX-centric terminology
  - From: Stephen Kent
- Re: Issue with the requirements document: PKIX-centric terminology
  - From: David A. Cooper

Prev by Date: RE: Multiple TAAs
Previous by thread: Re: Issue with the requirements document: PKIX-centric terminology
Next by thread: More specific examples (use-cases of TAM) -- RE: Issue with the requirements document: PKIX-centric terminology
Index(es):
- Date
- Thread