[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: SCVP-01

To: "'Ambarish Malpani'" <ambarish@xxxxxxxxxxxx>
Subject: RE: SCVP-01
From: Carlisle Adams <carlisle.adams@xxxxxxxxxxx>
Date: Wed, 25 Aug 1999 17:56:58 -0400
Cc: ietf-pkix@xxxxxxx, "'donsch@xxxxxxxxxxxxxxxxxxxxxx'" <donsch@xxxxxxxxxxxxxxxxxxxxxx>

Hi Ambarish,

> ----------
> From: 	Ambarish Malpani[SMTP:ambarish@valicert.com]
> Sent: 	Wednesday, August 25, 1999 5:23 PM
> To: 	'Don Schmidt (Exchange)'; ietf-pkix@imc.org
> Subject: 	RE: SCVP-01
> 
> Hi Don,
>     Thanks for the feedback. I find your reaction to SCVP
> perfectly reasonable. It will serve an important function for
> a particular set of users and your group might not be one of
> them.
 
Observation #1:

Don's "group" seems to represent a reasonable fraction of the world's
population...  :-)

While I believe they exist, my impression is that we're still waiting to
hear from this "particular set of users" to confirm that the functionality
embodied in SCVP is a legitimate requirement.  Don's "group" has stated that
they don't need this (at least at the moment).  Do we have concrete details
regarding who does need this?

> Let me again specify the main benefits of this protocol, as I
> see it:
> 
> - Allows applications that want to use public key cryptography
> to leverage the Public Key Infrastructure (PKI) without needing
> to understand its full complexity - SCVP lets you use certs
> and does the work of chain building, policy management and
> cert validation for you. This is both an issue of footprint
> size/processing power *and* the engineering work that needs to
> be done to understand PKIX.
> 
> - It allows for consistent/centrally managed cert policies,
> rather than requiring the policies be implemented (correctly),
> on every client desktop, across various different applications.
> 
> In some sense, you can think of the SCVP server as a remote
> COM object, that is providing certain services for you - you
> can choose to either use the service, or do all the work
> yourself.
 
Observation #2:

It strikes me that the above two paragraphs are somewhat antagonistic.  If
I, as a client device, "can choose to either use the service or do all the
work myself", then there is no possibility of consistent / centrally-managed
cert policies.  On the other hand, if devices do not have this choice (i.e.,
if devices MUST off-load the validation work to the central server), then
this itself is a cert processing policy that must be implemented (correctly)
on every client desktop.  What problem, therefore, does SCVP solve?


[Note:  don't take my observations above as necessarily "for" or "against"
this functionality.  I would just like to make sure that we, as the PKIX
group, are clear on what this protocol is trying to achieve and who the
target audience is.]

Carlisle.

Follow-Ups:
- RE: SCVP-01
  - From: Ambarish Malpani

Prev by Date: RE: SCVP-01
Next by Date: Re: Options, was Re: To Be, or NR To Be ...
Previous by thread: RE: SCVP-01
Next by thread: RE: SCVP-01
Index(es):
- Date
- Thread