
DPD/DPV Protocol Selection




Folks,


After some delay, it is finally time to settle on a single PKIX WG protocol for DPD/DPV. Steve and I have been mulling over the results from the strawpoll, as well as the technical content of the messages posted to the list. As you all are aware, we have been adamant that the WG advance only one protocol for DPD/DPV. However, that is not the only important factor. We are also adamant that (1) the protocol must have adequate support among implementers, (2) the protocol MUST satisfy the requirements specified in RFC 3379, and (3) the protocol be mature enough for completion soon.

As the co-chairs, we needed to satisfy ourselves that the process was not a beauty contest, and had chosen a technically sound engineering solution.

After much consideration, Steve and I are satisfied that SCVP is the best choice as the PKIX WG protocol for DPD/DPV. Let me outline the rationale:

(1) The protocol must have adequate support among implementers.

The strawpoll voting results were: SCVP 26; OCSP 15; DVCS 8; and CVP 2 out of 51 total votes. These numbers include a vote from Denis for CVP, even though he never officially submitted one, but exclude XKMS and ABSTAIN votes.

The numbers are clear if not overwhelming. SCVP garnered just a bit more than 50% of the votes. OCSP got just under 30%. DVCS got almost 16% and CVP 4%. Based on the strawpoll, SCVP has the most support from respondents. OCSP also has relatively strong support. DVCS and CVP fall short in this category.

(2) The protocol MUST satisfy the requirements specified in RFC 3379.

It is my opinion that each of the four protocols *could* satisfy the requirements, given sufficient time. The question before us, though, is how close are the current proposals. Based on the respective compliance matrices, and the subsequent analysis performed by Denis, none of the current submissions is perfect. However, the compliance matrices imply that SCVP is closer to satisfying the requirements than either OCSP or DVCS. While no one performed that same analysis for Denis' matrix, I believe that CVP's compliance is roughly that of SCVP, since it was designed using 3379.

So, SCVP and CVP seem closest to the requirements at this time.

(3) The protocol be mature enough for completion soon.

OCSP and DVCS have been RFCs for some time, so their base protocols are clearly mature. However, the extensions that are needed to support DPD/DPV are significantly less mature. Moreover, the changes needed by clients and servers to make use of these extensions to OCSP are substantial, vastly greater in complexity than the current OCSP protocol. Thus the installed OCSP client & server base for OCSP does not represent a significant head start for this protocol vs. the others. CVP is a very recent development, having cycled at Internet-Draft just a few times. SCVP is not an RFC, but is currently at draft 11, we have implementation experience, and it has been tweaked and polished throughout the requirements process.

In short, SCVP appears best positioned for swift completion.

Based on this analysis, we are affirming the results of the strawpoll, and SCVP is *the* PKIX WG protocol for DPD/DPV. I want to encourage everyone to stay involved, even if your favorite protocol was not SCVP. We are in the home stretch, but there is still work to do.

Here is the way forward, in our view. Denis' analysis of the SCVP compliance matrix raises an initial set of questions. These issues need to be discussed on the list, and if the WG agrees that changes to SCVP are required, modifications will be proposed (by the editors, or WG membership). Once rough consensus is achieved on those issues, the editors can submit a new draft. At that point, we intend to initiate WG Last Call. Any final issues can be hammered out, then the document forwarded to the ADs.

Steve and I want to thank everyone for their participation. First, the editors should be applauded for their efforts in developing the compliance matrices. We know that was a difficult and time-consuming task. Denis' analysis of the SCVP, OCSP, and DVCS compliance matrices was a very significant contribution. Those that reviewed, commented, and voted in the strawpoll put in significant efforts as well. Finally, we need to recognize Denis and Russ for completing RFC 3379, which made it possible to complete the selection process.

Thanks,

Tim Polk