RE: charter revisions
Michael,
Certainly you and I, and Russ, and a handful of Steves, and countless others, have been involved in this WG for so long that it sometimes feels like it was our life's mission.
However, I think it might be a bit premature to suggest that PKIX be disbanded when there is relatively scant evidence (outside of SSL) that even the most basic goals of PKI have been achieved with anything close to ubiquity. To the contrary, lots of people are suggesting that "PKI is dead", without, of course, having an alternative suggestion ― except perhaps to throw the buggers out and have a new team start all over, this time presumably encoding everything in XML.
(There might even be some merit in the "throw the buggers out" school of thought, for if we aren't part of the solution, perhaps we are part of the problem. I don't think so ― I would prefer to think that we were just ahead of our time. Some of us, of course, may be a little more ahead of our time than others. :-) And I'm sure we all have our own personal list of those features we would most like to see added, and if push came to shove, which ones we never cared about in the first place. Speaking only personally, I crossed that point a long time ago with respect to DPV/DPD, TSP, certain forms of cross-certification, and some other things that I probably don't understand well enough to care much about, and happily so.)
But although I might question the wisdom of continuing to proliferate this, that, and the other option during the technical discussion, I wouldn't try to invoke cloture before the debate had even started.
I wouldn't go quite as far as Patrick Henry's "I disagree with what you say, but will defend to the death your right to say it", but I don't think that we need to have that discussion as part of the charter. That seems to be putting the cart before the horse. Instead, we should allow those who espouse the idea to work up an RFC and submit it, and if a rough consensus emerges, so be it. If not, the idea may languish forever as an experimental RFC, or it may go nowhere at all, with little harm done. And some careful consideration might prevent someone from going off and offering something really dumb as a proprietary solution.
As far as Dave Fillingham's ideas regarding clearances and other privileges are concerned, I absolutely agree with the basic thought, and would be more than willing to contribute a number of ideas of my own in that arena. If as alleged the PKI "movement" has been less than successful, it is arguably because we have concentrated far too much on identity, and trying to implement the world's finest system of identity-based nonrepudiation, while almost completely ignoring the basic concept of trust, particularly as regards the end user.
No one cares much whether my name is Robert, Bob, or Beelzebub. What they really want to know is what I am allowed to DO, and whether there is enough money in my account to pay for it, and who says so. Attribute certificates don't begin to really solve that problem, IMHO, for a host of reasons I won't get into.
So should we simply say that we're tired, throw up our hands, and go fishing, i.e., leave it to the XACML crowd to try to get it right? I hope not.
A friend recently characterized their apartment complex as being made up of the "newly wed, and nearly dead". This WG may be nearer the second than the first, but I don't think it is time to call for the Last Rites quite yet.
Bob
>>> "Michael Myers" <myers@xxxxxxxxxxxxx> 09/04/01 03:33PM >>>
Bob,
Ignoring for a moment the durability of the IPSEC WG, as an IETF WG, PKIX
must eventually close. Of course, it's the chairs' call as to that precise
timing but towards those considerations, I join those who say that the value
added by addressing logotypes (and concomitantly extending the charter) does
not warrant the energy required to fully address the requirements,
particularly when placed in the context of the WG's predictable closure.
At some point, we should declare victory and go fishing. In my opinion,
that state is most clearly signaled by closure of the DPV/DPD issues.
Beyond that, I look forward to various other fora to step forward.
Basically, move the feast.
In my individual opinion as a WG participant, logotypes are no more
technically fundamental to PKIX's mission than, say, the use of Subject
Directory Attributes to convey clearance constraints. In fact, if someone
were to put the two on equal terms and call for a vote, I'd go for the
latter. What Dave Fillingham et al. put together deserves far broader
exposure than it's received to date. My sense is that such considerations
would have longer-reaching impact than logotypes.
But that's just my opinion. I could be wrong.
Mike
Michael Myers
t: +415.819.1362
e: mailto:mike@xxxxxxxxxxxxxxxxxxxxxx
w: http://www.traceroutesecurity.com
> -----Original Message-----
> From: Bob Jueneman [mailto:bjueneman@xxxxxxxxxx]
> Sent: Tuesday, September 04, 2001 1:11 PM
>
> . . . is there any evidence that the WG is running out of energy?