
My comments on the X/Open PKI requirements document



Please note the cross-posting to two lists and reply carefully.
Again, I will gladly answer any questions to the best of my ability.
	/r$

From: Rich Salz <rsalz>
Date: Thu, 4 Apr 1996 23:24:21 -0500
Message-Id: <9604050424.AA18650@sulphur.osf.org>
To: frazier@sst.ncsl.nist.gov
Subject: Comments on Open Group BRG PKI TG
Cc: d.adams@xopen.org, rsalz

Here are my comments on the PKI requirements document being drafted
by The Open Group's Security Business Requirements Group.

>The draft requirements below has taken account of many government, commercial
>and privacy requirements published in many sources over the past year.

A list of references that names the various requirements taken into
consideration would be a good thing to have.

>It
>recognises the need to satisfy many governance models in the development of a
>practical global PKI.
--Insert A, see below--
>
>The final list of requirements will be presented to those developing high level
>Global Information Infrastructure (GII) policy and supporting technical
>standards.
          ^and implementations.
The world, primarily driven by the Web, is moving very quickly to build
various PKI's.  Implementors must be brought "under the tent" right now
if this document is to have practical relevance.

>This draft has no political significance and is limited to capturing
>known governance and technology drivers in a useful form.
Put this sentence at Insert A, above.

>Only after we have a consistent high level view can we usefully descend to the
>lower levels of supporting standards and technology.

Unfortunately, I feel this reflects wishful thinking, as I implied above.

>Input for Version 0.5 to be transmitted to xosecrtg@xopen.org by 17th May 1996.
>
>It is expected to issue draft Version 0.5 by 31 May 1996. 

Who is "it"?


>An interoperable global PKI is required to provide privacy and digital signature

Does digital sig imply non-repudiation, integrity, etc?  If not, should
they be called out?  Why is privacy explicitly called out -- because it's a
semi-political issue?  Since there is a bullet-list below, I would just
reword this sentence to omit both items.

>2. Distributed Certification Authority (CA) structure (driven by requirements of
>transaction/business domain)
>. policing and enforcing policy (governance model)
>. policy creation and maintenance
>. registration, naming and query
>. authentication (mandatory binding PK to Directory Name, discretionary binding
>entity to a Directory Name)

It must not be a requirement of a global PKI that keys be bound to
directory names.  An IETF PKI working group is about to request that
the X.509v3 revision explicitly allow the DN to be null.

>Known Issues
>
>Single directory standard for PKI (X.500 or DNS ) or federated with single
>defined access and control application protocol Interface and protocols for
>directory interoperability.

This issue is mis-phrased.  A global directory is not required.
That requirement was dropped from the previous draft in favor of adding the
word "query" to requirement 2 above.  The issue is that CA's must be reachable
through one or more defined protocols (e.g., DCE RPC, etc)

>Recommendations
>
>Adopt international standard X.509 version 3 as a basis for the development of
>the global PKI

I thought v3 was still in DIS stage, if not earlier.  At any rate, it seems
a little premature for this document to make a technological decision.

>Parties invited to develop requirement (not exhaustive)

This effort must be grounded in reality.  What steps are planned to
contact the parties listed and pro-actively solicit their involvement?
(I am somewhat disappointed, for example, that the only communication on
the two IETF working groups about this has been email that I initiated.)

	/rich $alz,
	Technical Lead of the OSF Distributed Computing Program,
	but not a corporate spokesman