RE: Software for PKI
Stephen,

I think what is being got at here is how the standards (and thus the
implementations) have been put together. Not what they do.

Imagine that our output is one large book about PKI, asymmetric keys,
security etc. There is obviously a lot of really complicated stuff. If it
was a book like that there would be clearly labeled sections, sub-sections,
appendixes etc. It would/should be possible to read the first couple of
chapters, a detailed section or two and then put the book on the shelf as
reference material. Open most of the good textbooks on your shelf and you'll
see what I mean.

I think what we've produced instead is a very large, very detailed, set of
appendixes. All the information is important (and needs to be available) but
we've failed to present it in an organized and useful fashion. Thus
implementors make mistakes, pieces are not compatible and new PKI
users/developers need to read/re-read/implement/re-implement a few times
before they have a good feel for what is going on. I think you'd agree that
this reduces the chances for a "killer app" to storm the market, as well as
for any application to be perfect.

Continuing my metaphor we've also failed to find 'straightforward' ways to
get people working with PKIs. Say you were teaching an introduction to
computer programming course. Is your first assignment that students write
an operating system? Or 'hello world'? Even with a good text book one still
starts students with a less complicated task. In the PKI space though we
have not clearly delineated the simple from the complex.

Obviously I'm stretching the boundaries a bit here. PKI *is* complex, and
there is no way around it. But we could be looking at ways to make
deployment easier, to make migration easier, to make it possible to ignore
the more complex areas (using defaults, magic or something?) until they are
needed.

That we haven't done this is, I think, where we become responsible for
broken implementations.

- max

> -----Original Message-----
> From: owner-ietf-pkix@xxxxxxxxxxxx
> [mailto:owner-ietf-pkix@xxxxxxxxxxxx]On Behalf Of Stephen Kent
> Sent: Thursday, November 15, 2001 12:14 PM
> To: michael@xxxxxxxxxxxx
> Cc: ietf-pkix@xxxxxxx
> Subject: Re: Software for PKI
>
>
>
> At 1:09 AM +0100 11/14/01, Michael Ströder wrote:
> >Stephen Kent wrote:
> >>
> >> This WG is not responsible for broken implementations.
> >
> >I disagree. If a standard is very complicated and features are most
> >times optional it's difficult to implement it correctly and
> >completely. Therefore the designers of a security standard are IMHO
> >indeed somewhat responsible for broken implementations.
> >
> >Ciao, Michael.
>
> Michael,
>
> You are right that the more complex a standard becomes, the harder it
> is to implement, and thus the more likely to be broken. But, what
> constitutes a necessary level of complexity, to accommodate a range
> of legitimate "requirements" vs. what is "excessive complexity" is a
> matter of judgement.
>
> Steve
>