[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: My comments on the X/Open PKI requirements document

Note: message carefully and intentionally cross posted.

fine.  you want another comment?  I think it's insane we have at least five
standards organizations or groups looking at vaguely the same problem.
(spki, pkix, x.509, aba, x/open.)  I just realized this a few days ago when
one or the other of the spki/pkix list had something on the x/open effort.

If the following statement is false then I apologize but....

if the x/open folks were doing things before spki and/or pkix came into
existance then I think they should have said something, rather loudly, on
the relevant mailing list.

if the x/open folks started things after spki and/or pkix then I assume that
either they think those groups are irrelevant or they have something more to
add to the effort.

Now I *know* I may have missed some message that went by recently to explain
why I've misunderstood what's happening.

Please, feel free to correct my statement.  I'm sure someone would have even
if I didn't give permission ;-)




At 11:34 PM 4/4/96 -0500, you wrote:
>Please note the cross-posting to two lists and reply carefully.
>Again, I will gladly answer any questions to the best of my ability.
>	/r$
>
>>From: Rich Salz <rsalz>
>Date: Thu, 4 Apr 1996 23:24:21 -0500
>Message-Id: <9604050424.AA18650@sulphur.osf.org>
>To: frazier@sst.ncsl.nist.gov
>Subject: Comments on Open Group BRG PKI TG
>Cc: d.adams@xopen.org, rsalz
>
>Here are my comments on the PKI requirements document being drafted
>by The Open Group's Security Business Requirements Group.
>
>>The draft requirements below has taken account of many government, commercial
>>and privacy requirements published in many sources over the past year.
>
>A list of references that names the various requirements taken into
>consideration would be a good thing to have.
>
>>It
>>recognises the need to satisfy many governance models in the development of a
>>practical global PKI.
>--Insert A, see below--
>>
>>The final list of requirements will be presented to those developing high
level
>>Global Information Infrastructure (GII) policy and supporting technical
>>standards.
>          ^and implementations.
>The world, primarily driven by the Web, is moving very quickly to build
>various PKI's.  Implementors must be brought "under the tent" right now
>if this document is to have practical relevence.
>
>>This draft has no political significance and is limited to capturing
>>known governance and technology drivers in a useful form.
>Put this sentence at Insert A, above.
>
>>Only after we have a consistent high level view can we usefully descend to the
>>lower levels of supporting standards and technology.
>
>Unfortunately, I feel this reflects wishful thinking, as I implied above.
>
>>Input for Version 0.5 to be transmitted to xosecrtg@xopen.org by 17th May
1996.
>>
>>It is expected to issue draft Version 0.5 by 31 May 1996. 
>
>Who is "it"?
>
>
>>An interoperable global PKI is required to provide privacy and digital
signature
>
>Does digital sig imply non-repudiation, integrity, etc?  If not, should
>they be called out?  Why privacy explicitly called out -- because it's a
>semi-political issue?  Since there is a bullet-list below, I would just
>reword this sentence to omit both items.
>
>>2. Distributed Certification Authority (CA) structure (driven by
requirements of
>>transaction/business domain)
>>. policing and enforcing policy (governance model)
>>. policy creation and maintenance
>>. registration, naming and query
>>. authentication (mandatory binding PK to Directory Name, discretionary
binding
>>entity to a Directory Name)
>
>It must not be a requirement of a global PKI that keys be bound to
>directory names.  An IETF PKI working group is about to request that
>the X.509v3 revision explicitly allow the DN to be null.
>
>>Known Issues
>>
>>Single directory standard for PKI (X.500 or DNS ) or federated with single
>>defined access and control application protocol Interface and protocols for
>>directory interoperability.
>
>This issue is mis-phrased.  A global directory is not required.
>That requirement was dropped from the previous draft in favor of adding the
>word "query" to requirement 2 above.  The issue is that CA's must be reachable
>through one or more defined protocols (e.g., DCE RPC, etc)
>
>>Recommendations
>>
>>Adopt international standard X.509 version 3 as a basis for the development of
>>the global PKI
>
>I thought v3 was still in DIS stage, if not earlier.  At any rate, it seems
>a little premature for this document to make a technological decision.
>
>>Parties invited to develop requirement (not exhaustive)
>
>This effort must be grounded in reality.  What steps are planned to
>contact the parties listed and pro-actively solicit their involvement?
>(I am somewhat disappointed, for example, that the only communication on
>the two IETF working groups about this has been email that I initiated.)
>
>	/rich $alz,
>	Technical Lead of the OSF Distributed Computing Program,
>	but not a corporate spokeman
>
>
>

                  Rodney Thayer           ::         rodney@sabletech.com
                  Sable Technology Corp   ::              +1 617 332 7292
                  246 Walnut St           ::         Fax: +1 617 332 7970     
                  Newton MA 02160 USA     ::  http://www.shore.net/~sable
                           "Developers of communications software"
Follow-Ups: