Re: one possible motivation for X.509 -Reply

At 07:32 AM 7/19/96 -0600, Bob Jueneman wrote:
>I can't stand it. Let me correct the record before any more of this nonsense
>becomes part of the folklore.

Thanks, Bob, for logging this history.  I agree with you, for the most part.

In particular:

>With regard to the distinguished name itself, I had the same wrenching
>experience that Carl did.

Yes!  This had to do with taking a legal, corporate stance -- and was doomed
to fail.  That's what I meant by the DN problem -- not just a problem making
some X.500 directory.  [although I concur with Rich that X.500 is IMHO
doomed never to succeed as a single, distributed, global name space]

>(Of course, Carl was there all along, saying that names and legal entities
>didn't matter, that all that mattered was the public key. But that was
>because Carl was (and still is) trying to solve a different problem than
>the rest of us were -- one that is a lot closer to Kerberos and its model
>of capabilities and granting of tickets of authority, etc., than to the
>existing model of business practices that have evolved over the last 100
>years or so.  Not that the Kerberos model isn't a worthwhile problem in
>its own right, but it wasn't (and isn't) the problem the rest of us were
>as interested in.)

Yes.  I have been trying to solve what I believe is the only interesting
problem set -- how to get goods paid for, how to allow access to a system,
and how to know I'm connected to an old friend.  I'm not trying to solve
what I call the litigious-society problem: "How do I find this crook who
tried to defraud me, in order to serve him with a warrant or send the bill
collectors after him?".  Although SPKI certs can be built to do that too, I
don't think it's a good way to do business, if you can get a direct

BTW, I had no input into the SET cardholder authorization certificate design
-- but I take pleasure from the fact that they're addressing the same
problem I was, the same way (except for use of X.509 and ASN.1).


>The second reason why PEM failed, if it did, was the direct result of the
>collaboration that we call the Internet Society, and the way that the IETF
>works. [...]
>Unfortunately, establishing the IPRA meant that the Internet Society and/or
>the IETF had to do real work, and undertake real responsibility, i.e., act
>like a real business. That, I claim, it is not well constituted to do, and
>if it were, it would start behaving a lot more like ANSI or some of the
>other organizations that this community sometimes likes to throw rocks at.

Thank God it's not like ANSI or, worse, ISO -- or like a big corporation or
the DoD.  If it were, the Internet would be as dead as X.400, X.500 and
other nonsense from the grown-ups.

>I think there is a lesson to be learned there, but it doesn't have anything to 
>do with ASN.1, or with X.500.

I agree that there are lessons besides the failings of ISO, ASN.1, X.509 and
X.500.  However, those failings mustn't be swept under the rug and ignored.

 - Carl

