
Re: Software for PKI



Stephen Kent <kent@xxxxxxx> writes:

>The IETF imposes certain requirements for advancement of documents in the
>standards process and it is not obvious that the PKIX WG is unique in a
>fashion that requires or motivates deviation from the procedures by which the
>rest of the IETF operates, in this regard.

You're right, the PKIX WG isn't unique, many other security WGs are also in
desperate need of this.  TLS (with its endless flow of proposed cipher suites),
IPsec (with... well, with everything basically, this one sort of goes without
saying), and S/MIME (with strange-ways-of-doing-unexpected-things-with-SMIME)
all need a requirement to provide a rationale and business cases to justify
some of the drafts which are appearing.

There are groups which don't have this problem.  Examples are OpenPGP (a single
RFC specifying the format, with an update in the works), SSH (a fixed core set
of RFCs, although there's some cruft starting to accumulate), and syslog (one
RFC, one or two add-ons), so it's limited only to some WGs.

>I am aware of no precedent in the IETF that requires the sort of documentation
>Todd has suggested as a normal part of developing IETF standards

The reason for this is that historically it hasn't been necessary.  You have
(for example) RFC 959, and that's about it.  There aren't 25 further RFCs all
specifying slight (incompatible) modifications and "enhancements" and
alterations, with overlaps and incompatibilities and no clear idea of why any
of them are useful except to the people who proposed them.  

OTOH if you've got the situation which PKIX (and IPsec, TLS, and S/MIME) are
in, where there's such a confusion of stuff that no one who isn't intimately
involved in the standard-setting process can figure out what's going on,
authors should be required to justify what they're doing.  It's easy enough for
anyone to throw together an RFC, but if you can't explain why and how it's
useful then it's a good sign that it's not worth pursuing.

It would be good if PKIX could lead by example in this area.

Peter.