Re: editorial on Photuris
- To: perry@piermont.com
- Subject: Re: editorial on Photuris
- From: Charles Watt <watt@sware.com>
- Date: Wed, 15 Nov 1995 10:18:38 -0500 (EST)
- Cc: ipsec@ans.net
- In-Reply-To: <199511151304.IAA07921@jekyll.piermont.com> from "Perry E. Metzger" at Nov 15, 95 08:04:29 am
- Sender: Charles Watt <watt@sware.com>
-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,MIC-CLEAR
Content-Domain: RFC822
Originator-Certificate:
MIC-Info: RSA-MD5,RSA,
CROdd/Q6nEYM6VFEP0Ya94XIVhzjrbXEmeYjLZ3EcUrls8v/4AenzWOxef/w1g8S
+5Q6DaUoZqx/8rURLeMR6sc=
Recent comments by Perry and Ran underscore the primary problem with
the IETF process in its current state of near anarchy (please Perry and
Ran, do not take this as a personal comment, it is simply meant as an
observation of the process as a whole) -- if there is a group responsible
for overall architecture and direction, none of the working groups seem
to be aware of this or follow its recommendations. If I understand the
two of you correctly, you share an implicit assumption that IP security
requires a roll-your-own certificate based on domain names and stored
in DNS.
Well, the public key infrastructure and web security groups are
independently working on infrastructures to support electronic commerce.
They are competing against similar proposals from a wide variety of
individual companies and commercial groups including Netscape, Visa,
Microsoft, Mastercard and others. All of these proposals are based on
X.509 certificates or some close variant. All of these groups have
significantly more influence when it comes to final deployment of
applications and end systems than the IETF.
The web-based and electronic commerce applications are significant
contributors to the recent explosive growth in the Internet. A sizeable
percentage of all systems on the net ALREADY USE X.509 for some
applications -- this will soon be a majority of all systems if the
current growth rates for various applications continue.
I'm sure it will come as a shock to Perry, but I have a strong dislike
for ASN.1, X.509 certificates and DNs. But I am enough of a pragmatist
to understand that not only will they not go away, they will soon be
universally deployed within certain applications. I also understand that
developing, maintaining and administering two parallel infrastructures
is more complex and expensive than supporting just one, and that selling
the second infrastructure to a customer that already has the first will be
difficult.
I also have sufficient experience developing and installing secure
systems to foresee that:
- domain names (without semantic extensions) provide insufficient
flexibility to adequately identify the full variety of principals
(users, hosts, printers, fax servers, etc...) that will require
strong I&A in the future
- if we clutter the DNS with all the additional information
required to support a fully developed, distributed, secure
infrastructure, it will look remarkably like an X.500
Directory Service.
> > Nor does the use of DNs ever have to be presented at the user or
> > application level.
>
> No, but again, things get ugly if what one is binding isn't what the
> user cares about.
True, but to the user neither:
Charles.Watt@sware.com
sware.com
ga.gov
nor
CN=Charles Watt, O=SecureWare, C=US
O=SecureWare, C=US
O=Georgia Certificate Authority, C=US
are as effective as a more formatted display. If you need to reformat
anyway, what's the difference?
> I'd prefer to ignore the issue of whether or not that is possible and
> get back to my original point -- I think we will need, at some point,
> a certificate format. X.509 is unacceptable to the community. I'd like
> to invite the "smart people" around these parts to start working
> together to try to produce a good alternative.
It would not be difficult to come up with a better certificate format
than X.509. We need the "smart people" to determine whether doing so
is in the best interest of various communities of concern -- end users,
developers, etc... -- taking into consideration developments and trends outside
of IPSEC.
Charles Watt
SecureWare
-----END PRIVACY-ENHANCED MESSAGE-----
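The display point made in the message above (that neither a raw DNS-style name nor a raw X.500 DN is fit to show a user without reformatting) can be made concrete with a small parser. The Python below is an added example, not code from the message, from SecureWare, or from any IETF draft; the attribute labels and the "User/Host/Domain" layout are constructed conventions for illustration. The DN parser honours RFC 1779/2253-style quoting and backslash escapes, because splitting a DN on bare commas is a classic way to mis-read a name like `O="Acme, Inc."`.

```python
# Added example (not part of the original message): render the two kinds of
# principal names discussed above (DNS-style names and X.500 distinguished
# names) into a uniform, labelled display, showing that both need
# reformatting before being shown to a user.

# Human-readable labels for the attribute types that appear in the message.
# Anything else falls back to the raw attribute type. (Constructed table.)
ATTRIBUTE_LABELS = {
    "CN": "Name",
    "O": "Organization",
    "OU": "Unit",
    "C": "Country",
}


def parse_dn(dn):
    """Split an RFC 1779 / RFC 2253 style DN string into (type, value) pairs.

    Handles backslash-escaped separators ('O=Acme\\, Inc.') and quoted
    values so that a comma inside a value is not mistaken for an RDN
    boundary; treating it as one is a common source of name-matching bugs.
    """
    rdns = []
    current = []
    in_quotes = False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])   # escaped character, kept literally
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes   # quotes delimit, they are not data
        elif ch == "," and not in_quotes:
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    if in_quotes:
        raise ValueError("unterminated quote in DN")
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError("malformed RDN: %r" % rdn)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def display_dn(dn):
    """Render a DN as one 'Label: value' line per attribute, most specific first."""
    return "\n".join(
        "%s: %s" % (ATTRIBUTE_LABELS.get(attr, attr), value)
        for attr, value in parse_dn(dn)
    )


def display_dns_name(name):
    """Render a mailbox or host name as labelled components.

    'user@domain' becomes User / Domain lines; a bare host name becomes
    Host (leftmost label) / Domain (the rest). This layout is a constructed
    convention for the example, not something any standard prescribes.
    """
    user, at, host = name.rpartition("@")
    labels = host.split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError("not a fully qualified name: %r" % name)
    lines = []
    if at:
        lines.append("User: %s" % user)
        lines.append("Domain: %s" % host)
    else:
        lines.append("Host: %s" % labels[0])
        lines.append("Domain: %s" % ".".join(labels[1:]))
    return "\n".join(lines)


def display_principal(name):
    """Pick the parser by syntax: 'attr=value' pairs mean an X.500 DN."""
    if "=" in name:
        return display_dn(name)
    return display_dns_name(name)


if __name__ == "__main__":
    for n in ("Charles.Watt@sware.com", "ga.gov",
              "CN=Charles Watt, O=SecureWare, C=US",
              'O="Acme, Inc.", C=US'):
        print(display_principal(n))
        print("--")
```

Whichever naming scheme wins, the user never sees the wire form: both branches end in the same labelled layout, which is the point the message makes. The quoting and escape handling in `parse_dn` is where real implementations have gone wrong, so a name comparison or display routine should always go through a parser of this kind rather than a plain `split(",")`.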