RE: Yes, and remove more of the alphabet from the PKIX soup
Hi Phill,
Thanks for the e-mail; it's always fun to see stuff from you on the list.
> ----------
> From: Phillip M Hallam-Baker[SMTP:pbaker@verisign.com]
> Sent: Tuesday, February 16, 1999 11:26 AM
> To: Carlisle Adams; Flanigan, Bill; 'Eric Bomarsi'
> Cc: 'Al Arsenault'; ietf-pkix@imc.org
> Subject: RE: Yes, and remove more of the alphabet from the PKIX soup
>
> In any case many folk
> I have spoken to are under the influence of all sorts of bizarre beliefs,
>
If you'll forgive the personal advice, it seems to me that you might want to
be more careful about who you talk to... :-)
> if we are meant to reject 'Popes, Kings and voting' then perhaps
> we can also leave out unsourced opinion polls?
>
Fair enough. Given that I don't have time to track people down and get
their permission to quote them before responding to you, feel free to
pretend that everything I said is my own personal opinion. How, exactly,
does that affect its truth value?
> If you can provide concrete suggestions for how we can overcome the
> undefined shortcomings you see in CMC you should send them to the
> list.
>
The shortcomings in CMC are hardly "undefined" -- I have harped on them at
every IETF meeting for the past year and a half and sent a relatively
detailed posting on the latest draft to the list last December. As a result
of these efforts and those of a number of other people, the specification is
now much improved. Is it possible that you have missed some of these
discussions and activity?
> I don't understand the point you are making regarding DNS and OCSP.
> Clearly OCSP is one option for certificate revocation - but nobody
> is suggesting that if you use CMC then you must also use OCSP.
>
I agree. Nobody is suggesting this (including me).
> Equally there is no bar to users of CMP using OCSP
>
Agreed again. Perhaps you missed my sentence about mixing and matching the
protocols and technologies in the different environments...
> (except to the
> extent that the only vendor of CMP products does not at
> present support OCSP).
>
It seems that you have missed recent vendor announcements. There are now
several vendors supporting CMP (they are in the midst of active
interoperability trials), and at least some of those have talked about
supporting OCSP as well.
> Nor is anyone proposing that DNS is an alternative for X.500/LDAP,
> DNS is not a certificate repository!
>
Isn't this at least one of the things that DNSsec is all about?
In any case, the only point of my previous posting was that certificate
management in the Internet is not yet a solved problem. It's getting there,
but it's not quite there yet. Some enterprise environments cannot afford to
wait; fortunately, with some of these alternative mechanisms, they don't
need to.
Carlisle.