ietf-mailsig

RE: revised Proposed Charter

2005-07-25 09:49:32

> What about DNSSEC? It's about as (in)plausible as any other
> supposed global PKI.

We already have a global PKI, it's called X.509. There are close to a
million organizations authenticated.

Oh you wanted a free global PKI...

DNSSEC will arrive just as soon as there is a perceived need. Deployment
on the root is proceeding.

> Tying DKIM to X.509, for example, would be a non-trivial
> exercise. That and for many other reasons is why we're not doing it.

Actually it is a rather trivial exercise, as I have demonstrated a
number of times (comprehensive description to follow later).

All that you need to do is to put a note in the key record to say 'this
key is accredited via an X.509 certificate that can be obtained <here>'.

> > This description allows alternative values for d= based
> > upon what is
> > specified for "q=".  BTW, I see the "q=" tag as more of a PKI
> > implementation identifier vs a "query method".
>
> This is a relic of DK, but I think it was more intended as an
> alternate mechanism for querying for the RR -- a la IIM's KRS.
> Note that an alternate means of querying for the RR provides
> another potential way to exploit alternative PKIs since the
> query method could implicitly be, say, https where there
> needs to be some binding between the d= and the identity
> asserted in the cert for a TLS session.

Which is why q=xkms makes sense, xkms is simply a Web service that does
exactly what krs was intended to do.

It might also make sense to have q=pkixrep but that is rather more
difficult to explain.

> That said, I favor the crispness of the current charter/spec:
> specs in this area have an almost perfect track record of
> flopping in large part, IMO, due to their being
> unintelligibly complex.

Actually that is not the problem. The groups all delivered their work
products on time. S/MIME was by IETF standards a stonking success, one
of the most successful in the security area (SSL was successful BEFORE
the group was ever formed). PGP was also successful. PEM and MOSS both
delivered their goods.

And nobody used any of it.

The problem was that critical parts of the problem were left out.
