[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: Profiles, Profiles, Profiles
I am the author of several of these profiles (MISSI and Federal PKI) and let
me say that interoperability is one of the primary objectives in this work.
We have worked closely in the past with those contributing to the PKIX and
MISPC work to ensure that there are no interoperability concerns.
Due to the general nature of X.509, I feel it is necessary that these
profiles be developed to, in fact, foster interoperability. The intent of
the profile is to standardize implementations and reduce the complexity of
certificate generation and certificate processing. That is why we feel it
necessary in the MISSI and Federal PKI profiles to provide somewhat more
detail that other profiles. We also feel that specific extensions
undoubtedly increase the security of the infrastructure, and that is why
they are explicitly "profiled in".
Also note that the profiles are not meant to be all inclusive. The profiles
for MISSI and Federal PKI (and an uncoming ISO profile) all permit
communities the opportunity to tailor and control certificate and CRL usage.
If you have any specific questions on the profiles, please feel free to
Booz-Allen & Hamilton Inc.
900 Elkridge Landing Road
Linthicum, MD 21090
From: Anil R. Gangolli
Subject: Profiles, Profiles, Profiles
Date: Thursday, February 20, 1997 9:12PM
I am aware of the following certificate, crl, and/or verification
profiles in development or existence today:
1. PEM (will be mostly obsolete, I expect, after PKIX)
2. PKIX (IETF)
4. MISPC (NIST)
5. Federal PKI (Federal PKI-TWG)
I worry that the proliferation of certificate profiles
poses a serious threat to interoperability and will
slow down the adoption and usability of PKI as a whole.
Most of these profiles specify contents requirements for
each field in the certificate, crl, etc.. Has anyone here
done a comparative field-by-field analysis of these to
see where they are in common and where they differ?
(I suppose a comparitive analysis of the verification
procedures may be harder to write down succinctly.)
Any comparative analysis would be useful both to the IETF
PKIX effort as well as these other profile efforts.
Ideally there would be one uniform profile across
the board, but barring that, at least one could hope
for (and drive toward) the minimal differences in
profiles that are needed to support any actual
differences in requirements.
Thanks in advance for any information in this area.