
RE: Unsigned DPD responses for SCVP15



Given the two alternatives of:

1. An approach requiring explicit policies; or

2. Client-side assertion of a new flag as Tim proposed;

I prefer #2 for the following reasons.

The SCVP I-D asserts no requirement that a server MUST have a
unique policy.  The I-D supports this by making optional all
such elements beyond the default defined by RFC3280.  An
explicit OID-based approach forces the issue for servers that
wish to support unsigned DPD.

A non-trivial subset of environments don't even know what an OID
is (think credit unions), let alone the technical details of
what must go into a policy as it relates to this context.  The
contents of such are not well defined.  Absent that, there
exists no basis to implement corresponding enforcement logic that
is ensured to be interoperable across the Internet.

The I-D provides no means for technical implementation and
enforcement of a policy-based approach; it is non-implementable.
Further, the I-D provides no means to discriminate between DPD
and DPV.  Even assuming in the future a consensus on a
technically enforceable security assertion grammar, the subject
I-D defines no technical means to even say "DPD".

Mike