
Re: Certificate Policies - Standardization of
Al,
My intention was to put this thread to rest a while but since you are
new in this discussion I make an exception :-)

The problem is that since DoD (as you say) believe they have
"unique" requirements, they are in the same league as the EU, 
the banks, the health-care sector etc etc.

Therefore there will never be a standard but a lot of profiles.
In my opinion this makes policy extensions less suitable as a
universal method for automatic decisions on trust, selection etc.

I.e. DoD may claim they are following a "standard" but from
a pragmatic point of view their system may be classified as
"proprietary", as well as likely to work badly when the DoD
is to communicate digitally with the outside world.

In addition to various organizations' claim of having "unique"
requirements, the number one problem is to identify a subject
in a cost-efficient and trustworthy way and then assign an
electronic identity to it.  Since countries like the USA don't
have a working "registry", biometric methods are still in
their infancy, and there exists no generally accepted way to
name people, I don't think even a minimal technical foundation
is in place to support globally standardized policies.

I have had some contacts with US e-government reps. who still
don't seem to have a clue on how to name citizens.  This
contrasts a bit with the Swedish system, which was established
some 40 years ago and has been PKI-fied for at least 7-8 years.

In the meantime (next 5-10 years) most organizations will probably
rely on the de-facto standard (CA <==> Policy), which unfortunately
makes an already unlikely future policy-based standard even harder
to deploy.

OTOH: Shouldn't RPs be the prime target for PKI improvements
rather than CAs?  But for RPs the de-facto standard is simpler to get
a grip on than introducing yet another dimension.

To further complicate things, many of us also have "vested interests"
in certain designs and associated customers.  F.Y.I., I can tell you
that I am actively working on a PKI scheme where the CA is a core
PKI object holding policy, logotype, name-space declarations, and
a liability statement.  The point of this is to convert PKI into
self-describing objects, aligning better with the solutions and standards
used in other IT segments.  This scheme is explicitly designed to allow
run-time interpretation as well as to support administrators during
CA trust decision processes.  To make this reasonably possible to
ever roll out (my main concern regarding any system, standard etc.),
the proposed scheme is upwardly compatible with the de-facto standard,
effectively only converting some data from being "implicit" ("known")
to being "explicit".

Anders