RE: Request for IESG consideration: CP/CPS Framework
Hi Dr. McCullagh:
I agree with nearly all of what you wrote. The exception is where you
state:
"My personal view is that RFC 2527 is too complex and tries to deal with 2
distinct issues that should be separated; namely an RFC for a CPS and a
separate RFC for a CP."
I suppose one must ask "too complex for what?" It seems to me that the
success of RFC 2527 indicates that it is not too complex to do what it was
intended to do, which is to standardize a CP and CPS format. The less
"complex" you make the framework, the less complete it will be, and the less
comparable the resulting CP and CPS documents will be.
Many in the legal community have long felt that "policy" deals with
liability, jurisdiction, document management, and so on - and "technical
issues" ought to be separately dealt with in a technical document like the
CPS. I respectfully disagree. Cryptographic module assurance requirements,
certificate validity periods, security measures included in certificate
profiles, physical security requirements all impact the assurance of
certificates, and need to be addressed by policy. CPS documents state how a
PKI implementation will meet the policy requirements, and so must cover the
same ground, but from an implementation perspective.
My experience stems from working with the US Department of Defense
Certificate Policy Management Working Group (I was Co-Chair for a while).
We never had any problems using a single framework to support both CP and
CPS development and evaluation. In fact, use of a single framework enables
CPS documents generated by anyone to be readily evaluated with respect to CP
documents developed by anyone else, so long as both the CP and the CPS were
developed in accordance with the IETF RFC. I would disagree with separating
the CP and CPS frameworks into two separate RFCs, because the DoD, Federal,
and many Federal Department and Agency Certificate Policy management
processes depend heavily on CP and CPS documents being written to a single,
common, standard framework.
Best Regards,
Dave Fillingham
-----Original Message-----
From: Adrian McCullagh [mailto:Adrian.McCullagh@xxxxxxxxxxxxx]
Sent: Wednesday, November 13, 2002 5:34 PM
To: asturgeon@xxxxxxxxxx
Cc: Fillingham, David W.; ietf-pkix@xxxxxxx; Jeffrey I. Schiller;
owner-ietf-pkix@xxxxxxxxxxxx; 'Paul Hoffman / IMC'; smb@xxxxxxxxxxxxxxxx
Subject: RE: Request for IESG consideration: CP/CPS Framework
Dear All,
It is difficult to understand the reticence that has been raised by the
members of the IESG.
If one looks historically at the development of Public Key Technology (PKT),
it was clear in the Rivest et al paper of 1978 that one of the benefits of PKT
was the development of an electronic version of the paper based signature as a
mechanism for authentication. Whether this has been achieved is highly
debatable. But the Rivest et al paper is also the genesis of the legal
input in the arena.
The topic of signature validity and authentication has been mooted for
some 700 years within the common law jurisdictions (I have no experience
with civil law jurisdictions but I assume the same issues have also arisen).
It is understandable that lawyers would provide some guidance in this area
for the electronic environment. After all, if a dispute does arise it is
unlikely that the technologist will be called upon to adjudicate the
dispute. Traditionally it is left to the legal fraternity, namely judges,
to make a determination as to who has the better claim to the dispute.
Sometimes the court's decision is hard to fathom due to policy reasons
which are not always clearly articulated in the judgements.
If a digital signature does come into dispute then RFC 2527 may give some
guidance to the courts. The exercise of developing RFC 2527 is not wasted
and should be commended by all. If there are faults with it then they need
to be resolved which is why, as I understand it, the revision has taken
place. The original RFC 2527 was a good start but as with everything it is
an iterative process and will as time goes by become more refined. My
personal view is that RFC 2527 is too complex and tries to deal with 2
distinct issues that should be separated; namely an RFC for a CPS and a
separate RFC for a CP.
The issue of CPS/CP life cycle management and usage does involve legal
considerations and as such is not simply a technical issue.
These are my initial thoughts.
Dr. Adrian McCullagh Ph. D.
Solicitor/Lawyer
Freehills
Australia
Direct 61 7 3258 6603
Telephone 61 7 3258 6666
Facsimile 61 7 3258 6444
http://www.freehills.com