Off-loaded validation is a MUCH better concept since it is fully
dynamic, allows arbitrary granularity down to individual EE certificates, and
most of all does not rely on a centrally funded/trusted "über-CA". In
fact, a successful rollout of SCVP will probably eliminate most other uses of
cross-certification as well.
Anders
----- Original Message -----
From: "David A. Cooper" <david.cooper@xxxxxxxx>
To: "pkix" <ietf-pkix@xxxxxxx>
Sent: Friday, July 06, 2007 23:17
Subject: draft-ietf-pkix-scvp-32.txt

All,

I just submitted draft 32 of SCVP for posting. This draft contains some
editorial changes to address comments raised as a result of IESG review,
but there are no changes to the protocol, either syntactic or semantic.

A diff file comparing drafts 31 and 32 is available at
http://csrc.nist.gov/pki/documents/PKIX/wdiff_draft-ietf-pkix-scvp-31_to_32.html.

I should note that this draft does not address every issue raised during
the IESG review. In particular, there are still outstanding comments
from Lisa Dusseault relating to the use of HTTP, which is mainly
specified in Appendix B of SCVP. Lisa's comments may be found at
https://datatracker.ietf.org/idtracker/draft-ietf-pkix-scvp/comment/65322.

If there is someone who has a sufficient knowledge of HTTP to address
the issues that Lisa raises and who is willing to work with us to
resolve these issues, that would be appreciated.

Dave