Re: Alternative WG items. Was:TAM is a deal done? Was: TAM as a new WG item?
Russ Housley wrote:
>If you think there is provisioning work to be done, bring one of the
>referenced protocols to the attention of the WG and see if there is
>interest. Of course, it would need to be from someone that wants to
>turn change control over to the IETF.
I assume that you refer to the following lines of my posting:
>> Personally I find it odd that the PKI community (not limited to
>> PKIX) considers TAM more important than the design of an
>> on-line provisioning protocol for the mass-market in spite of
>> the fact that on-line provisioning is already supplying millions
>> of e-gov and on-line bank users with certificates in the EU.
>> Existing schemes (e.g. CRMF) are quite dysfunctional (no PKI
>> provisioning scheme supports PIN policies, to take an example)
>> which has led to the use of proprietary protocols for this task.
There are many issues here but one issue has so far made it hard
to get anywhere on the road to standards, and that is that the
referred schemes without exceptions are based on the use of web-
browsers for triggering the provisioning processes. AFAIK, not
even the W3C has taken on a single security protocol requiring
client-side browser-bindings. I am personally interested in
changing this since a mass-market Internet solution essentially
is equivalent to the web.
Due to the lack of money in consumer solutions (there is no
"paying customer" funding the work), traditional standards
consortiums seem unlikely to pull this off (or only get support
from a very limited base of people hardly ever representing
the vendors who would actually implement the scheme), I will
pursue this through the aid of open source rather than through
RFCs. That is, unless there are some credible parties that
actually show some lust for creating schemes that do not generate
a nickel in software license revenues, but may potentially be used
by "everybody". I refer to such solutions as "enablers". TLS is
probably the most successful security-related enabler to date.
As Phillip Hallam-Baker recently pointed out, the technical and
usability challenges associated with creating security-standards in
the consumer-space are much bigger than in the military sector!
Thanx,
Anders Rundgren