[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: cert image I-D

To: <ietf-pkix@xxxxxxx>, "Stephen Kent" <kent@xxxxxxx>
Subject: Re: cert image I-D
From: "Anders Rundgren" <anders.rundgren@xxxxxxxxx>
Date: Wed, 13 May 2009 22:39:45 +0200
In-reply-to: <>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
References: <>
Sender: owner-ietf-pkix@xxxxxxxxxxxx

I believe this effort suffers from more technical hurdles than the authors
are aware of.  Just defining exactly how and where in a browser's TLS
client-cert-auth the image is supposed to be introduced is not trivial
because there is a battle going on between the browser/OS and the
vendors of card middleware for the GUI.  Currently the latter often
does a better job than the rather complacent browser vendors.

The sample given by Siddharth probably utilized some kind
of application-level thingy which BTW points to another issue:
Quite a bunch of current PKI implementations actually do not use TLS-
client-cert-auth but rather use proprietary app-level authentication schemes.
One the few non-internal PKIs used by the USG, namely the
USPTO's filing system is apparently one of these systems.

It is also worth noting that Information Cards do not use TLS-client
cert-auth even when the primary authentication is based on PKI.
Probably MSFT drew the same conclusion as many others have
before them: TLS-client-cert-auth is an ugly beast on the web,
app-level authentication works better; it is at least much prettier :-)

Although providing an "upgrade path" sounds like a good solution
it often works in the opposite way by "the least common denominator rule".
60% of enterprises use IE6 despite been EOLed since 5 years back!

Time will tell, but personally I do not believe you get very far unless you
take on the entire browser/keystore/provisioning/authentication space
otherwise the incentive for changing (anything) will simply be too small.

Which is thus exactly what my counter-proposal does........

Anders

----- Original Message ----- 
From: "Stephen Kent" <kent@xxxxxxx>
To: <ietf-pkix@xxxxxxx>
Sent: Wednesday, May 13, 2009 19:56
Subject: cert image I-D



Folks,

I have reviewed the discussion on the list re Stefan's cert image 
proposal. While there were comments for and against, the positive 
comments, especially from folks who are in a position to make use of 
this feature, were persuasive.

We will proceed with this a a new PKIX WG work item.  This is not a 
guarantee that the WG will approve a document, but rather that we 
will explore approaches to achieving the goals described by Stefan 
and try to come to consensus on a specific technical approach. We can 
decide later whether this is standards track, experimental or even 
informational.

Steve

Follow-Ups:
- RE: cert image I-D
  - From: Trevor Freeman

References:
- cert image I-D
  - From: Stephen Kent

Prev by Date: Re: straw poll
Next by Date: Re: straw poll
Previous by thread: cert image I-D
Next by thread: RE: cert image I-D
Index(es):
- Date
- Thread