Re: My comments on the X/Open PKI requirements document
Note: message carefully and intentionally cross-posted.
fine. you want another comment? I think it's insane we have at least five
standards organizations or groups looking at vaguely the same problem.
(spki, pkix, x.509, aba, x/open.) I just realized this a few days ago when
one or the other of the spki/pkix list had something on the x/open effort.
If the following statement is false then I apologize but....
if the x/open folks were doing things before spki and/or pkix came into
existence then I think they should have said something, rather loudly, on
the relevant mailing list.
if the x/open folks started things after spki and/or pkix then I assume that
either they think those groups are irrelevant or they have something more to
add to the effort.
Now I *know* I may have missed some message that went by recently to explain
why I've misunderstood what's happening.
Please, feel free to correct my statement. I'm sure someone would have even
if I didn't give permission ;-)
At 11:34 PM 4/4/96 -0500, you wrote:
>Please note the cross-posting to two lists and reply carefully.
>Again, I will gladly answer any questions to the best of my ability.
>From: Rich Salz <rsalz>
>Date: Thu, 4 Apr 1996 23:24:21 -0500
>Subject: Comments on Open Group BRG PKI TG
>Cc: firstname.lastname@example.org, rsalz
>Here are my comments on the PKI requirements document being drafted
>by The Open Group's Security Business Requirements Group.
>>The draft requirements below have taken account of many government, commercial
>>and privacy requirements published in many sources over the past year.
>A list of references that names the various requirements taken into
>consideration would be a good thing to have.
>>recognises the need to satisfy many governance models in the development of a
>>practical global PKI.
>--Insert A, see below--
>>The final list of requirements will be presented to those developing high
>>Global Information Infrastructure (GII) policy and supporting technical
> ^and implementations.
>The world, primarily driven by the Web, is moving very quickly to build
>various PKIs. Implementors must be brought "under the tent" right now
>if this document is to have practical relevance.
>>This draft has no political significance and is limited to capturing
>>known governance and technology drivers in a useful form.
>Put this sentence at Insert A, above.
>>Only after we have a consistent high level view can we usefully descend to the
>>lower levels of supporting standards and technology.
>Unfortunately, I feel this reflects wishful thinking, as I implied above.
>>Input for Version 0.5 to be transmitted to email@example.com by 17th May
>>It is expected to issue draft Version 0.5 by 31 May 1996.
>Who is "it"?
>>An interoperable global PKI is required to provide privacy and digital
>Does digital sig imply non-repudiation, integrity, etc? If not, should
>they be called out? Why is privacy explicitly called out -- because it's a
>semi-political issue? Since there is a bullet-list below, I would just
>reword this sentence to omit both items.
>>2. Distributed Certification Authority (CA) structure (driven by
>>. policing and enforcing policy (governance model)
>>. policy creation and maintenance
>>. registration, naming and query
>>. authentication (mandatory binding PK to Directory Name, discretionary
>>entity to a Directory Name)
>It must not be a requirement of a global PKI that keys be bound to
>directory names. An IETF PKI working group is about to request that
>the X.509v3 revision explicitly allow the DN to be null.
>>Single directory standard for PKI (X.500 or DNS ) or federated with single
>>defined access and control application protocol Interface and protocols for
>This issue is mis-phrased. A global directory is not required.
>That requirement was dropped from the previous draft in favor of adding the
>word "query" to requirement 2 above. The issue is that CAs must be reachable
>through one or more defined protocols (e.g., DCE RPC, etc.)
>>Adopt international standard X.509 version 3 as a basis for the development of
>>the global PKI
>I thought v3 was still in DIS stage, if not earlier. At any rate, it seems
>a little premature for this document to make a technological decision.
>>Parties invited to develop requirement (not exhaustive)
>This effort must be grounded in reality. What steps are planned to
>contact the parties listed and pro-actively solicit their involvement?
>(I am somewhat disappointed, for example, that the only communication on
>the two IETF working groups about this has been email that I initiated.)
> /rich $alz,
> Technical Lead of the OSF Distributed Computing Program,
> but not a corporate spokesman
Rodney Thayer :: firstname.lastname@example.org
Sable Technology Corp :: +1 617 332 7292
246 Walnut St :: Fax: +1 617 332 7970
Newton MA 02160 USA :: http://www.shore.net/~sable
"Developers of communications software"