[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: apologies and comments on SCVP

To: <Mary_Ellen_Zurko@xxxxxxxx>, <ambarish@xxxxxxxxxxxx>
Subject: RE: apologies and comments on SCVP
From: "Bob Jueneman" <BJUENEMAN@xxxxxxxxxx>
Date: Fri, 27 Aug 1999 08:49:53 -0600
Cc: <ietf-pkix@xxxxxxx>

Nicely put, Mary Ellen, and a fair question.

It reminds me of some of the early SPKI justification, which put
a very high value on ease of implementation, as though Internet
protocols and applications were still being written by slave-labor 
grad students with few if any tools (such as ASN.1 compilers
or libraries).

Protocols are very expensive.  They take network resources,
where someone, at least, is effectively paying by the bit,
over and over again.  And protocols necessarily introduce
latency into the World Wide Wait-a-little-longer. And they burden
servers or other concentration points with computational demands
that are expensive and not easily met.

Libraries, on the other hand, are purchased, not rented, and after
depreciating the NRE are quite economical.  And because 
those libraries only have to service one human user, who can
only push the bottoms so fast, they really don't have to be all that
speedy. (I remember when I thought that 1200 baud was incredibly
fast, because I had difficulty keeping up with the incoming messages 
on the screen.)

So by and large, the CPU speed for such applications is irrelevant, 
and it is very difficult to imagine an application that couldn't verify 
a digital signature faster than it could send it off to a server to be
done for it. So all really talking about is the amount of memory that is
required, and it cost.

More than 30 years ago, one of my IBM-SRI instructors was preaching 
that despite the fact that IBM priced their machines as a percentage of 
component cost, and therefore adding more memory added a lot to the 
price of a computer, the development cost of trying to shoehorn applications
into too small memories was a lot more costly.

Now of course, people probably have more memory in a digital watch than
we used to have in mainframes back then, and a single chip contains 
1 to 4 megabytes or more, with very little discount for less memory.

So I'm still curious to learn exactly what kinds of applications really need 
these functions, and what the business justification is.

Bob

>>> <Mary_Ellen_Zurko@iris.com> 08/27/99 05:54AM >>>
Hi Ambarish,

> ClientType1 basically wants to be able to use public key
> cryptography (and the PKIX infrastructure), without needing to
> understand all of PKIX part1, OCSP, LDAP etc. It is outsourcing
> the task of checking cert status, cert expiry, policy management
> etc to the SCVP server. The main question ClientType1 is asking
> is: "Hey, I got this cert, can I use it for application X?".
> The minimal response the server needs to provide is a signed
> yes/no. If you throw away all the extra stuff, you essentially
> have the client sending in a cert and getting back a yes/no
> answer.

Why is the best answer to this need a protocol instead of a library? It
seems if this is a technical need, you could craft a nice library with
simple APIs to do this.
     Mez

Prev by Date: Re: Multi-national company listing issues
Next by Date: Re: Multi-national company listing issues
Previous by thread: RE: apologies and comments on SCVP
Next by thread: RE: apologies and comments on SCVP
Index(es):
- Date
- Thread