[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ANNOUNCEMENT: SPKI mailing list and BOF at Los Angeles





"peter (p.w.) whittaker" writes:
> Definining two entirely analogous PKIs seems comparable to defining two
> entirely analogous mail transfer protocols, with the only difference in
> the protocols being the format of the headers.  Where would we be if SMTP
> had had "competition" from the start?  Would the IETF even have approved
> such an effort? 

There has never been a discussion starting from a blank piece of paper
inside the IETF community on the subject of what we really desire from
our public key infrastructure. This new group is an opportunity to
have this sort of dialog. I realize that some will view this as
"competition". To this, I can give several answers.

1) There is already "competition". Various differing groups are
   already using differing public key structures. PGP formats are
   probably going to be the subject of an IETF standard at some
   point. The DNS Security group already is using their own RSA keys
   and the like. The SSH folks, who are likely going to be trying to
   standardize at some point, are using their own format. For a
   variety of reasons, which have been hashed out at length, many
   people have already decided that they would like to make a clean
   break from X.509 or that it does not meet their particular needs.

2) There is ample precedent in other areas for multiple proposals with
   overlapping scope to be discussed and worked on. This is not new to
   the IETF, or unusual.

3) The only real criterion for whether an IETF working group is to be
   formed on a particular topic is whether there is a constituency for
   discussion of that topic. There is an ample constituency that for
   non-X.509 certificates.

4) The PKIX working group chairman sent me electronic mail
   specifically inviting me to form a new working group if I wanted to
   discuss these issues. I am not certain that he was precisely in
   favor of the issues being discussed, but he made it clear that he
   felt a new working group would be needed. I've formed that group.

> The suggestion was made that this non-PKIX PKI is not intended as
> competition for PKI.  Once such an alternative is in place, however, what
> decision are users and consumers going to have make?

There have been many such decisions that consumers have had to make in
the past -- X.400 mail vs. SMTP mail, for example. I do not feel it is
our job to make these decisions for the consumer -- rather, each
technologist should put forward the best alternative he knows how to
design, and permit the marketplace to decide for itself whether to use
one design, another, both, or neither. An (in)famous member of our
community has noted that standards are discovered, not "approved". I'm
a believer in that.

> There may be considerable support for an alternative to an X.509-based
> PKI, but is the creation of this alternative the right thing to do? 

The alternative to exploring the support which some of the community
obviously has for such a thing is the dictatorship of part of the
community over another part. I don't think that is the proper way for
the IETF to behave. Who is to say which subcommunity is "right", other
than the marketplace? On very rare occassions (IPv6) we need to favor
one standard over another, but in no case is anyone stopped from
working on whatever appeals to them. The IETF is an ENGINEERING task
force, not a conventional standards body. We are setting out to do
some engineering. We are not stopping PKIX from continuing its own
engineering effort, or even hostile to that effort -- I invite people
to participate in both if they feel the urge.

> Will the Internet user community really be best served by two parallel
> PKIs?

Only time will tell.

"Let a thousand flowers bloom."

Perry