RE: CA Rekey and CRL Validation
At 3:38 PM -0700 9/13/04, Laudon Williams wrote:
> Steve,
>
> Thank you for your well thought-out post.
>
> I would disagree with your statement of "overkill". Right now, today, in
> 2004, if you have a deployed PKI and you want to do a CA rollover, a new key
> and name is 100% compatible with Microsoft OSes, RSA and Baltimore
> certificate toolkits, Netscape/Firefox browsers, all major CAs, etc. It just
> works.

The "it just works" model is usually the starting point for a path
that leads to failures due to a lack of forethought.

> Now there are lots of interesting academic arguments and, of course, finger
> pointing arguments that can go on as to why other standards-compatible
> methods don't work. But really, I don't think the people trying to be
> successful with their PKI deployment really care about that.

And to the extent that these folks do not care about standards
compliance, except to use in their marketing literature, their
behavior is not useful grist for a standards committee mailing list
:-)

> On your last point, as long as the new CA issues certificates under the same
> policy and practices, who cares what its name is? Name is really a factor of
> local policy. If I want to name one CA "Alice" and the next version of the
> CA "Bob", who cares? Why does software need to know anything more about them
> other than that they both issue under the same CP?

Names are NOT a matter of local policy in X.509. Maybe you're
thinking of SPKI certs. Moreover, since your comments emphasize
"practicality," phishing is a concern primarily because it relies on
the trust people place in names of organizations. CAs represent
organizations, hence the names are important, except in monopolistic
contexts.

> So really, to beat the dead horse a bit, there is a standards compliant way
> to do roll over that is pretty much compatible with all the
> currently-deployed software that does path processing. I'm just trying to
> make sure that the people who actually care about making sure that PKI works
> are aware of it.
>
> The "making stuff work today" point of view gets lost much too often in the
> PKIX minutiae.

The "making stuff work today" point of view is fine so long as it is
consistent with the standards. Unfortunately, all too often, that
point of view is short sighted.
Steve