
Re: XKMS and NIH RE: Simplifying IKE



Phill,

>Steve,
>
>	You entirely manage to miss the point. You agree that part of the
>complexity of IPSEC is that it is required to interface to every PKI in the
>universe for political reasons. Then you make the statesmanlike suggestion
>that the world standardize on the specification of the working group you
>have been chairing. It may well make good technical sense. Perhaps you would
>like to lend your support to Neil Kinnock's proposal to make English the
>sole administrative language of the European Union while you are at it?

There is a difference between my suggesting support for a set of IETF 
standards (the WG for which I do co-chair) vs. your promoting a 
VeriSign/Microsoft technology.  Perhaps you find this difference too 
subtle, but I feel confident others on the list can make the 
distinction.

We also disagree on the issue of complexity. IPsec is not required to 
interface to every PKI in the universe.  (Anyway, until Vint gets the 
interplanetary Internet up and running, there's not much need for 
extra-global cross certification.) IKE makes syntactic accommodation 
for a variety of PKI technologies, but the syntactic provisions are 
just the starting point.  IPsec lacks an RFC specifying the harder 
details of what it really means to support ANY PKI, which is part of 
why this is one of the least interoperable aspects of IKE 
implementations. I'm suggesting that we consider focusing on support 
of the one PKI syntax and semantics that most vendors who do support 
a PKI in IKE already have selected. This seems like a simplification 
consistent with the discussion we've been having. I also suggest that 
we generate an RFC that does fill in the blanks that have resulted in

>	As for 'advertising' the work product of another open standards
>working group that is appropriate to a working group topic, has substantial
>commitments from the major PKI vendors, major application vendors and major
>customers - I will do it at every opportunity thank you very much, whether
>the specification is one of my own invention or of somebody else.

What other open standards group?  W3C?  As its name suggests, it's 
more akin to an industry consortium than a standards organization.

>	It was the first time that I had raised XKMS on the IPSEC list. It
>was not off topic, it was in fact entirely on topic. I don't think that the
>majority of the IETF would agree that Not Invented Here is a good policy.
>Plenty of IETF working groups make use of the work product of other working
>groups outside the IETF, BEEP makes use of a W3C specification, PKIX makes
>use of an ITU standard.

We gave you an opportunity to discuss XKMS in PKIX and the response 
was not what I would call overwhelming.  My guess is that you elected 
to bring XKMS to W3C because you saw an easier path there, among a 
group of players not known for extensive security or expertise. BTW, 
don't compare W3C with the ITU, a treaty organization; it's hardly 
analogous, and PKIX was chartered explicitly to profile the ITU X.509 
work.

>	Perhaps you could elaborate the reasons why you do not consider XKMS
>to be a suitable topic for consideration by IPSEC?
>
>	XKMS is designed to allow simplification of client implementation of
>PKI. The topic on the table is simplification of IPSEC.

IPsec does not have clients. It is a peer-to-peer protocol. I recall, 
from your XKMS presentation, something of a client/server flavor, 
which would be appropriate for SSL, but not necessarily for IPsec.

Phill, you have never been a contributor in the IPsec area. Your 
comments in recent messages illustrate ignorance of the history of WG 
activities on which you now choose to comment. I don't find that 
constructive. We're trying to simplify IKE. If you propose support 
for XKMS as yet another PKI technology, that hardly amounts to 
simplification. If you suggest it as a replacement for the other 
technologies, that would call for discarding the PKI support that 
most vendors (that support PKI in IKE) already implement, which also 
seems questionable unless you can argue that XKMS is better in all 
respects.

Steve
