ietf-mailsig

Re: In response to Housley-mass-sec-review

2005-02-25 16:02:06

I think it's disingenuous to claim that MASS PKI problems have been solved when nothing on this scale has ever been deployed.

Mark

On Feb 25, 2005, at 1:07 PM, Hallam-Baker, Phillip wrote:

Perhaps you should take the time to study the developments in PKI since 1995 before publishing the draft.

In particular you should look at OCSP which entirely eliminates the issues you raise wrt CRL size and has been deployed at very large scale. You should also look at XKMS which has similar operational requirements to OCSP but provides support for the complete key lifecycle and eliminates the need for certificates.

Clearly a key centric PKI that is built on the legacy DNS system is not going to be as satisfactory as a PKI as a purpose built Web Service such as XKMS. There is however no reason why we cannot use DNS for the cases it can support and migrate to XKMS for more comprehensive support.

Given that certificate revocation technology is built into Windows since Win 2000 the CA industry is well aware of the operational difficulties raised by CRLs.

-----Original Message-----
From: owner-ietf-mailsig(_at_)mail(_dot_)imc(_dot_)org
[mailto:owner-ietf-mailsig(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Douglas Otis
Sent: Friday, February 25, 2005 3:30 PM
To: Dave Crocker
Cc: MASS WG
Subject: Re: In response to Housley-mass-sec-review



Here is a first pass at putting together a document.  Any
feedback is welcome.

As this was completed beyond the IETF draft cutoff date,
these links reference the draft.

http://www.kelkea.com/ietf/draft-otis-mass-reputation-00.html

http://www.kelkea.com/ietf/draft-otis-mass-reputation-00.txt

-Doug





