[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ANNOUNCEMENT: SPKI mailing list and BOF at Los Angeles

On Fri, 23 Feb 1996 perry%piermont.com@bcars735 wrote:
> David P. Kemp writes:
> >   Please forgive me if this should have been obvious, but what is
> > the motivation for developing an alternate certificate model?
> I would prefer not to clog the PKIX mailing list with this. There has
> already been substantial discussion on this topic, and I believe there
> is a community interested in producing something new as evinced by
> substantial support I've received thus far in forming the group. As I
> said, I don't envision SPKI "opposing" PKIX; you shouldn't feel
> compelled to participate in the new effort if you don't feel there is
> a need for such work.

Before writing anything else, allow me the same disclaimer as the original
author (Kemp):  this is an honest question intended to clarify (at least
my own) picture of the issue, and is not flame bait, X.509 advocacy, or
anything else.  I follow PKIX out of interest.  I will follow the new
group out of interest.

To return to the matter at hand:

Definining two entirely analogous PKIs seems comparable to defining two
entirely analogous mail transfer protocols, with the only difference in
the protocols being the format of the headers.  Where would we be if SMTP
had had "competition" from the start?  Would the IETF even have approved
such an effort? 

To extend the analogy, where would we be if the IETF decided that two
transport, or worse yet, two internet, protocols were required - or at
least acceptable - where the only difference is the sequencing of bits in
the header? 

Within broad strokes, all public key certificates attempt to solve the
same problem.  The ITU/ISO attempted to define a certificate format that
would meet most needs, and failed (X.509(1988)'s V1 certificates were
obviously limited).  The recent work on X.509(1996) has lead to a more
generally useful certificate format, and supporting ancillary work.

There are other certificate formats out there, yes, absolutely.  In the
interest of interworking, wouldn't we be better served by finding
interoperability schemes than by defining parallel PKIs?  Part of this
work could include devising schemes for extending PKIX to accomodate other
certificate types, if this were considered a useful thing to do. 

The suggestion was made that this non-PKIX PKI is not intended as
competition for PKI.  Once such an alternative is in place, however, what
decision are users and consumers going to have make?  A tough one:  there
is considerable commercial and governmental interest in PKIX, and
considerable individual and some commercial interest in non-PKIX PKIs. 
The two camps may be large enough to be able to support both. 

In the long run, this will lead to inter-PKI interoperability concerns
that would be best addressed by taking a hard look at all alternatives and
deciding what is the best to pursue now. 

There may be considerable support for an alternative to an X.509-based
PKI, but is the creation of this alternative the right thing to do? 

Will the Internet user community really be best served by two parallel


Peter Whittaker      [~~~~~~~~~~~~~~~~~~~~~~~~~~]   X.500 Specialist
pww@entrust.com      [  http://www.entrust.com  ]   Nortel Secure Networks
Ph: +1 613 765 2064  [                          ]   P.O. Box 3511, Station C
FAX:+1 613 765 3520  [__________________________]   Ottawa, Canada, K1Y 4H7