RE: OCSP-X vs SCVP

["Juan Rodriguez-Torrent" <torrent@xxxxxxx>]

Paul, I have to agree with your comments. This thread reminds me of a
company that went out of business a few days ago. After 5 years and $17 mil
the developers were still arguing that they did not need customer input.
Those folks could not understand why the sales team was unable to sell a
single copy of the "great" products that satisfied every whim, want, crave
and fad the lead developer threw at them.

Do we want lead developer(s) and PKIX "lordships" create the specs in a
vacuum? I think not! But lots of folks that could provide positive
contributions are scared silly just with the thought of having to face the
wrath of one of those "lordships". Recently it seems too easy for some
people that are icons in the PKIX and IETF to shoo people (eg "If you are
interested in XML and if you think it is appropriate, please advocate XML
ACs on the XML-DSIG mailing list"). So ... how do we solve the conundrum? I
say let's keep our sights to the real measure of success: A broad customer
base that freely and willingly embraces and pays for products that are PKIX
compliant. I don't see this yet and if we are so darn good at writing and
implementing standards why are organizations like the PKI Forum being
formed?

For some of the "lordships" of this working group it will be hard to believe
but there is a world outside the standards bodies and that world is working
hard trying to solve some very real and pressing business problems. Non-PKIX
compliant solutions are delivered and paid for daily -by the way, it is too
easy to take the Godly attitude and spit "Yeah! But they are doomed!"-. Each
one of those delivered solutions creates more confusion and instability to a
market that by now should be mature and stable. I see day in and day out
situations that require a combination of both, XML and PKIX based solutions
and that's why I have a hard time following a conversation between seemingly
intelligent people who have already adopted extremely hard and definitive
positions before all the facts are on the table. As Aldous Huxley said
"Facts do not cease to exist because they are ignored."

Consequently, I beg everyone in the working group to open your mind and
consider all the pros and cons before leading PKIX to what could be a
phenomenal strategic mistake.  I hope we are not working on an engine and
shooing folks working on the gas!

Juan Rodriguez-Torrent

-----Original Message-----
From: Paul Hoffman / IMC [mailto:phoffman@imc.org]
Sent: Thursday, November 09, 2000 9:03 PM
To: Michael Zolotarev; Marc Branchaud
Cc: 'ietf-pkix@imc.org '
Subject: RE: OCSP-X vs SCVP

At 12:06 PM +1100 11/10/00, Michael Zolotarev wrote:
>  >
>>  > >  But that ain't how the world works, and
>>  > > that ain't how
>>  > > people want it to work.
>>  >
>>  > Proof, please. I want the proof.
>>  >
>>
>>  The fact that people seem to care about this is proof enough for me...
>
>MArk, this is really speculative thing to say... I don't buy it as an
>argument, sorry.

It is not speculative. There have been people on this mailing list
who have said that they want an XML-based solution. Telling them that
you don't buy their opinion as an argument will tend to cause them
not to contribute again, yes? At that point, the WG will reduce to
those of us who are loud and repetitive. That is not a good way to
produce good protocols.

>Dont think it is a real issue with hosts and desktops. Dont think there is
>an issue with mobile devices either. I am not saying it is a bloat, or it
is
>not. I just want some approx figures. Compare bare-minimum
>ASNParser+OCSP_APIs with OCSP_XML_APIs ( for fairness I assume that XML
>parser is present on the platform regardless, so it doesn't count).

This level of argument reduces to "the customer is usually wrong".
That works in some areas, not in others. Given two protocols that
could meet the same objectives, such arguments are likely to squelch
input from the very people we should be listening to.

--Paul Hoffman, Director
--Internet Mail Consortium