
Re: editorial on Photuris



> 
> 
> Ran Atkinson writes:
> >   Regardless of whether some folks have strong objections to X.509,
> > there DOES exist a community of interest that wants to use it.  There
> > are known technical problems with putting X.509 into the DNS, hence
> > DNS certificates are not X.509 format (neither are they PGP).
> > 
> >   It is legitimate for folks in the IPsec WG to work on adding X.509
> > support as extensions to the various key mgmt proposals.
> 
> I'm not arguing against that at all. I'm arguing something entirely
> different -- that it is time for us to work on a simplified
> certificate format. This is something that needs doing quite apart
> from the specific considerations of Photuris, MOSS, or whatever else
> might want to use such certificates. I realize that such a format
> isn't going to be ready soon and that work can't be delayed to work
> on it, and that people will want to use other formats as well.
> 
> Perry
> 

I brought up a very similar issue earlier with this list.  We really need
to standardize the formats of all sorts of things: certificates, signatures,
multiprecision integers, etc.  We probably have to do it for at least 
three encoding standards: Internet byte order, MIME, and ASN.1.  This is
beyond the scope of this list but it is crucial to the interoperability of
secure IP, secure DNS, secure SNMP, secure Mail, secure HTTP, etc.  These 
things are like nuts and bolts.  If every bridge being built (read secure
protocol) uses its own custom nuts and bolts (read signatures, etc.) then
the parts cannot be interchangeable.  This drives up the cost of maintenance,
administration, development, and use.  An example might be that I receive 
a certified signature via SNMP which I then use to verify a signed record
I receive from DNS.  I firmly believe that these must be standardized before 
we can allow any of the secure protocol drafts to move further down the 
protocols track.  We will probably have to compromise and allow a few 
variations to coexist because of existing implementations but I sincerely 
hope we can reduce these to a minimum.  We should make the formats
flexible enough to accommodate new public key and signature (mathematical)
algorithms, etc.

- Alex

-- 

Alexander I. Alten
Alten@Na.Sjf.Novell.Com
(408) 577-8224

Novell, Inc.
Member of Technical Staff
Mail Stop F1-42-D2
2180 Fortune Drive
San Jose, CA  95131  
USA