draft liaison response re DR 320
Folks,
Since there has been a lot of discussion on this topic, I wanted
to share the current draft of a formal response to ITU-T re DR 320.
Steve
-----
Gentlemen:
This is a response to your communiqué of 2007-10-05 re Defect Report
320 submitted to ITU-T SG17.
The PKIX Working Group met in Vancouver on 2007-12-03 and discussed
your message and DR 320. We
agree that the X.500 model, and X.501 specifically, defines a DN as a
globally unique identifier in The Directory. As you noted, name
uniqueness is a critical feature of hierarchic distributed naming
schemes, such as X.500 and the DNS, and for e-mail addresses. In the
Internet we have successfully dealt with the problem of name
uniqueness for DNS names and, as a corollary, for RFC 822 e-mail
addresses. However, it has required a substantial investment of
resources over about 25 years to achieve our current status in this
regard. Unfortunately, the X.500 directory model, perhaps in part
because of its richer naming semantics, has not achieved the same
status. It often is not an easy task for a CA to examine a
proposed name and determine if the Subject has the right to that name,
when the name is a DN.
Thus we agree with the observations made in DR 320. It is a fact that
Certification Authorities (CAs) are being deployed with names chosen
locally, without acquiring a DN from a naming authority. It also is
true that the IETF provides no guidance to CAs on how to choose names
that are unambiguous, or on how CAs might coordinate on a global scale
to avoid name collisions for themselves and for the entities to whom
they issue certificates.
We have discussed this matter in the PKIX Working Group, and have
consulted with the Security Area Directors and with the IETF Chair. We
do not anticipate that PKIX or any other working group in the IETF
will take any action to address this problem. Thus, for example, we do
not plan to establish a list of DNs of extant CAs to be checked by
prospective CAs.