ietf-mailsig

RE: alternate key server mechanism(s) vs. accreditation

2005-07-27 11:25:11


[mailto:owner-ietf-mailsig(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Dave Crocker

Anyone who thinks that the topics are somehow tied together 
should respond to THIS note, explain why and how and how to proceed.

There are the following common issues:

1) In each case we spend far more time debating whether to allow the
topic onto the agenda than on the substance of the issue. 

The proposal being kept off the table here is to add three tags to the
existing protocol:
        q=xkms          as a signature header option
        x509=<uri>      as a key record option
        x509path=<uri>  as a key record option

And to ensure that the policy mechanism etc. work correctly in
conjunction with these.

2) Any key distribution mechanism is logically capable of distributing
key attributes as well and hence can identify x.509 certs containing
accreditation data.

3) Making sure that the extension and policy mechanisms are sufficient
to handle existing known protocols is an important part of checking to
see that they work. Even if we decide not to define the q=xkms tag we
still have to make sure that the policy mechanism works for the case q
is something other than dns.

At the moment the policy mechanism does not work. It will be much
quicker fixing it if we are discussing concrete existing protocols that
are known quantities than engaging in abstract discussions of possible
protocols.
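Added example, not part of the thread and not code from any of the participants: a small tag=value parser for a signature header and a key record, extended with the three tags proposed above (q=xkms in the signature header, x509= and x509path= in the key record), plus a policy check that models point 3, namely what a verifier does when q is something other than dns. The semicolon-separated tag=value syntax is assumed from the DomainKeys/DKIM convention; the tag names other than the three proposed ones (v, a, d, k, p), the local allow-list of query methods, and all sample header and key values are constructed for the example.

```python
"""Added example: tag=value parsing for a signature header and key record,
with a policy decision that handles q= values other than dns.
Assumptions (not from the thread): DKIM-style "tag=value; tag=value"
syntax, the helper tag names v/a/d/k/p, and the constructed sample data."""

from dataclasses import dataclass, field
from urllib.parse import urlparse

# Query methods the verifier knows how to execute. "xkms" is the method
# proposed on the list; anything else is treated as unknown and rejected.
KNOWN_QUERY_METHODS = frozenset({"dns", "xkms"})


def parse_tag_list(text: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict; reject malformed/duplicate tags."""
    tags = {}
    for item in text.split(";"):
        item = item.strip()
        if not item:
            continue  # tolerate a trailing semicolon
        if "=" not in item:
            raise ValueError(f"malformed tag: {item!r}")
        name, value = item.split("=", 1)
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name!r}")
        tags[name] = value.strip()
    return tags


@dataclass
class PolicyDecision:
    accepted: bool
    reason: str
    key_sources: list = field(default_factory=list)  # where the key would come from


def evaluate(signature_header: str, key_record: str,
             allowed_methods=frozenset({"dns"})) -> PolicyDecision:
    """Decide whether the key-lookup method named by q= is acceptable.

    allowed_methods is the local policy: the default permits only dns, so a
    signature with q=xkms is refused unless the operator opts in. Unknown
    methods are always refused rather than silently treated as dns."""
    sig = parse_tag_list(signature_header)
    key = parse_tag_list(key_record)
    method = sig.get("q", "dns")  # assumption: q absent means dns
    if method not in KNOWN_QUERY_METHODS:
        return PolicyDecision(False, f"unknown query method {method!r}")
    if method not in allowed_methods:
        return PolicyDecision(False, f"query method {method!r} not permitted by local policy")

    sources = []
    if method == "dns":
        # Constructed convention: the DNS key record carries the key in p=.
        if "p" not in key:
            return PolicyDecision(False, "dns key record lacks p= tag")
        sources.append(("p", key["p"]))
    else:  # xkms: the proposed x509=<uri> / x509path=<uri> key record options
        present = [(t, key[t]) for t in ("x509", "x509path") if t in key]
        if not present:
            return PolicyDecision(False, "xkms requires x509= or x509path= in the key record")
        for tagname, value in present:
            if not urlparse(value).scheme:  # must be a URI with a scheme
                return PolicyDecision(False, f"{tagname}= must be a URI, got {value!r}")
            sources.append((tagname, value))
    return PolicyDecision(True, "ok", sources)


# Constructed sample data (not real records).
SIG_DNS = "v=1; a=rsa-sha1; q=dns; d=example.com"
SIG_XKMS = "v=1; a=rsa-sha1; q=xkms; d=example.com"
KEY_DNS = "k=rsa; p=MIGfCONSTRUCTEDBASE64"
KEY_XKMS = "x509=https://keys.example.net/alice.cer"

if __name__ == "__main__":
    print(evaluate(SIG_DNS, KEY_DNS))
    print(evaluate(SIG_XKMS, KEY_XKMS))  # refused: local policy allows dns only
    print(evaluate(SIG_XKMS, KEY_XKMS, allowed_methods={"dns", "xkms"}))
```

The point of the split between KNOWN_QUERY_METHODS and allowed_methods is that "does the verifier understand this method" and "does local policy permit it" are separate questions; conflating them is exactly how a policy mechanism ends up working only for q=dns.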


