From: Paul Hoffman / IMC <phoffman(_at_)imc(_dot_)org>
At the meeting in Washington, DC, I will ask the attendees whether we
should expand the Charter to cover this work.
I, for one, think it's just fine for this WG to take on this task. Having a
clear, open revision of PKCS 10 that works with our new certificates is a
must in my mind.
I do not believe that this WG was chartered to "IETF-standardize the
PKCS series". Instead, it was chartered to define an IETF-standard
messaging protocol based on S/MIME. We have already agreed that there
needed to be a few changes to PKCS#7 to turn it into the Cryptographic
Message Syntax (CMS). The issue is whether changes need to be made to
PKCS#10 to make it compatible with the IETF Certificate Management Protocol
(CMP, as described by PKIX part 3).
If this working group takes on this task, (I think it would be more
appropriate within the PKIX WG, but like Mike, don't have any strong
objection to pursuing it here - many of the participants are members
of both groups), then it MUST ensure that the result is compatible
with PKIX, not an independent and incompatible protocol based on
straight unmodified PKCS#10.
The PKIX working group has already considered the PKCS#7/PKCS#10 issue,
and it reached the following conclusion in Munich:
Date: Thu, 21 Aug 1997 11:58:02 -0700
From: Warwick Ford <wford(_at_)verisign(_dot_)com>
Subject: PKIX-3 and PKCS7/10
I believe we are not all on the same page regarding PKIX-3 and PKCS7/10.
For the benefit, in particular, of those on the list who were not at
Munich, let me try to summarize where we are, what happened at Munich, and
where we are going from here. (Given my affiliation, you should probably
consider this a personal posting - not a statement as Co-Chair.)
[lots of explanation snipped]
So, that's where we are. PKIX-3 appears technically ready to at least be
issued for WG last call. (Editorial and, possibly, technical improvements
are not ruled out in the last call stage.) Proponents of the PKCS
protection alternative have been encouraged to proceed with the development
of a PKIX-3 supplement which is an interpretation of PKIX-3 messages over
PKCS7 (using the Myers et al I-D as a starting point), in conjunction with
resolving the various technical and administrative issues surrounding PKCS7
and PKCS10 themselves.
Hope this helps fill in the picture,
Note the key last sentence - "an interpretation of PKIX-3 messages over
PKCS7". This means that any usage of PKCS#10 certificate requests MUST
be in the form of PKIX-3 "p10cr" messages, in order to allow implementors
to quickly develop "Basic functionality" certificate request messages
based on existing technology, while remaining compatible with, and allowing
smooth migration to, the "Full functionality" (and more difficult to
If this WG adds a certificate request work item to it's charter, it
should be clearly stated that the result must be compatible with
PKIX CMP, not an independent, non-interoperable syntax based on raw