
Re: editorial on Photuris

Charles Watt writes:
> Recent comments by Perry and Ran underscore the primary problem with
> the IETF process in its current state of near anarchy (please Perry and
> Ran, do not take this as a personal comment, it is simply meant as an
> observation of the process as a whole) -- if there is a group responsible 
> for overall architecture and direction, none of the working groups seem 
> to be aware of this or follow its recommendations.

This is a feature, not a bug. There is a reason that the ISO has been
unable to achieve our success.

I suppose I'm an anarchist.

Let a thousand flowers bloom.

> If I understand the two of you correctly, you share an implicit
> assumption that IP security requires a roll-your-own certificate
> based on domain names and stored in DNS.

I will not comment on Ran's assumptions. My assumptions are that X.509
is a failure that I don't want to touch, and I'm interested in seeing
something clean and simple replace it. Nothing is "required". Hell,
breathing isn't "required".

> They are competing against similar proposals from a wide variety of
> individual companies and commercial groups including Netscape, Visa, 
> Microsoft, Mastercard and others.  All of these proposals are based on 
> X.509 certificates or some close variant.

None of them are wedded to X.509 certificates. If an alternative
showed up, they would probably be adopted.

> The web-based and electronic commerce applications are significant
> contributors to the recent explosive growth in the Internet.  A sizeable
> percentage of all systems on the net ALREADY USE X.509 for some
> applications

If you are referring to SSL, it uses certificates only in the most
basic possible sense. There is no distribution mechanism for them --
they are hardcoded into Netscape -- and there is almost no use of the
X.509 facilities, and there are no user certificates. I doubt that it
would change Netscape's life significantly if they switched to any
other certificate.

> I'm sure it will come as a shock to Perry, but I have a strong dislike
> for ASN.1, X.509 certificates and DNs.  But I am enough of a pragmatist 
> to understand that not only will they not go away, they will soon be 
> universally deployed within certain applications.

I don't agree. I think that they are pretty much only going to succeed
if no alternative shows up, so I intend to see an alternative show up.

> 	- if we clutter the DNS with all the additional information
> 	  required to support a fully developed, distributed, secure
> 	  infrastructure, it will look remarkably like an X.500
> 	  Directory Service.

I'm afraid that we already have a proposal for embedding certificates
in the DNS that doesn't make it look like X.500. Don't assume everyone
is as incapable of producing a clean and simple solution as the ISO.

Perry