RE: Comments on [MANDATORY cert discovery capability]
Peter,
>----------
>From: Peter Williams[SMTP:peter@verisign.com]
>Sent: Friday, September 19, 1997 5:46 PM
>To: Arsenault, Al W.
>Cc: ietf-pkix@tandem.com
>Subject: Re: Comments on [MANDATORY cert discovery capability]
>
>I would personally remove from PKIX-III the "alternative directory
>protocol" and
>certificate/CRL distribution service it evidently forces on the world,
>where said messaging is not for the above purposes.
>
>At least make it non-mandatory.
>
>" 4 Certificate/CRL discovery operations: some PKI management
>operations result in the publication of certificates or CRLs:
> 4.1 certificate publication: Having gone to the trouble of producing
>a certificate some means for publishing it is needed. The "means"
>defined in PKIX may involve the messages specified in Sections
>3.3.13 - 3.3.16, or may involve other methods (LDAP, for example) as
>described in the "Operational Protocols" part of this series (see
>[PKIX-OP]).
> 4.2 CRL publication: As for certificate publication. "
>
>But thank you - I had never previously understood the relevance of
>these messages to internet clients other than for simple notice/alert of
>future status. I had never realised the capability
>could be diverted for use to administering centralised access control
>(and uses therefore) to keys at remote EEs via its management of compromise
>status, and its mandatory status.
>
>yes - it seems that the 3.3.13 - 3.3.16 are attempting to
>force PKIX-3 conforming implementations to adopt a
>capability for users to use a non-directory mechanism for
>certificate and CRL distribution.
>
>I argue that this must be optional, for reasons along
>many of the same lines that centralised key gen was made
>optional.
>
>I am not in major disagreement; however certificate discovery support
>should be removed from mandatory requirements.
>
>This is good discussion - we can now seemingly remove another mandatory
>service element
>designed for an atypical environment, though allow it to be optional.
>
>Anyone disagree with a motion to remove mandatory status from cert discovery
>service elements currently required for conformance to PKIX-3?

I can't emphasize enough how helpful it would be to all of us if you
would read what the document actually says before inventing something
and repeating it at least seven times (as in the excerpts above from
your previous posting).

Nothing in the document states or even suggests that the certificate or
CRL announcement PKIMessages are mandatory. Again I point you to
Section 4 and Appendix B which profile the PKI management functionality,
and corresponding PKIMessages, that MUST be supported. Again I ask you
to notice that certificate announcement and CRL announcement are not
there (i.e., they do not need to be supported by conforming
implementations).

Perhaps you might also look at 3.3.14 and 3.3.16, which specifically use
the word "may" rather than "must". Perhaps you might also read the note
given in 3.3.14, which says that the only reason the certificate
announcement message exists at all is to cover those environments (if
any!) in which there is no other way to publish certificates -- in
other words, if you have another way to publish certificates, use it
instead of this. Perhaps you might even look more carefully at the
bullet points 4.1 and 4.2 from Section 1.3 (which you quoted above) that
say that either 3.3.14 / 3.3.16 *or* the methods given in PKIX-OP can be
used for certificate and CRL announcement (and in fact even this text
uses the word "may", thus allowing for other options as well).

Can you reproduce (and defend) the line of reasoning that led you to
believe that 3.3.14 and 3.3.16 are mandatory? I would be willing to
correct any text that leads to such a conclusion, but at the moment I
can't find any text that needs correction...

--------------------------------------------
Carlisle Adams
Entrust Technologies
cadams@entrust.com
--------------------------------------------