RE: resolution
Steve and Carlisle:
I think this is a good resolution.
1. I agree that CA key generations should be optional. And, I agree with
Steve that EE key generations should also be optional. Clearly, some
entity needs to generate the key, but the protocol does not need to dictate
which one.
2. I look forward to the I-D from Bob and Peter. But, I would like to see
it written as an optional extension to PKIX-3. I do not think we need
another whole protocol between the same entities.
Russ
At 11:43 AM 9/10/97 -0400, Stephen Kent wrote:
>Carlisle,
>
>>>The co-chairs could perhaps now call for final arguments, and
>>>then decide the consensus position, and the actions.
>>
>>Given that over a week has gone by since you sent your message, and
>>given that not a single response has been submitted, I would guess that
>>we already have consensus:
>>
>>- CA key generation will be downgraded from mandatory to optional (which
>>means that EE key generation will be upgraded from optional to
>>mandatory, although this may be accomplished as described next);
>
>OK, downgrade CA key gen to optional. However, let's not make EE key gen
>mandatory. You and others gave good arguments why that is not always
>desirable from a security perspective, and how it increases EE cost. Let's
>leave it optional and let users and CAs worry about ensuring appropriate
>matching.
>
>>- Bob and Peter will submit an I-D (separate from PKIX-3) specifying a
>>request/response (possibly request/response/confirm) protocol for key
>>generation. This protocol may be supported by EEs, CAs, RAs, or any
>>other entity in the PKI.
>
>OK.
>
>>Peter, Bob, Steve/Warwick, Everyone-Else: does this sound reasonable?
>>Can I make the relevant changes in PKIX-3 and submit it for Last Call?
>
>Yes.
>
>Steve
>
>