pem-dev

Re: A professional note

1992-10-15 06:01:00
Your message (attached and abridged) is based on some faulty assumptions.

The PSRG is not "in charge" or "in control" of either PEM or the pem-dev
list.  (Sometimes we wish we were.)  Last year, at the time of the Atlanta
IETF, the PSRG passed responsibility to a new PEM Working Group in the
IETF.  This WG is open to anyone who wants to attend an IETF, and *PLENTY*
of people have!  However, less than half of the PSRG members participate in
the IETF at all, although we are all still interested in what it does.

When PEM went to the IETF, people there (particularly some IAB members)
fundamentally changed RFC 1114 from the way the PSRG had written it.  That
entire IETF process is and has been open and international, with
both electronic and printed minutes.  The PEM WG worked on the draft
standards in Atlanta, Santa Fe, San Diego, and Cambridge.

Now, after those four IETFs, RFCs 1113, 1114, and 1115 have been changed to
Historical status.  New Internet-Drafts have been published.  They are in
the hands of the IETF Area Director for Security, Steve Crocker
(crocker(_at_)tis(_dot_)com), who is supposed to pass them to the Internet
Engineering Steering Group (IESG), which in turn is supposed to pass them
to the IAB.

The pem-dev list, originally set up to exchange information among PEM
developers, became the official mailing list for the PEM WG of the IETF
(see any copy of IETF minutes).  You should address your comments there. 
Also, in the IETF standards process, there is always an open, last call for
comments at each stage of advancement.  Don't miss your chance.
-------------------------------------
To: shirey(_at_)mitre(_dot_)org
...
Subject: A professional note
Date: Wed, 14 Oct 92 19:03:42 +0100
From: Peter Williams <P(_dot_)Williams(_at_)cs(_dot_)ucl(_dot_)ac(_dot_)uk>

Hi Rob,

...

If a certain amount of antagonism comes thru my language towards the
model behind RFC1114, then it's my fault; I do feel it ... .

I believe much of the on-going underlying problem can be resolved, thankfully.

That PEM security/certification policy is not THE ONLY respected way of 
thinking about X.509 in practice, should be, simply, discussed by PSRG on
pem-dev - which leads this whole field.

... A distinct section of the
research community just does not (rightly or wrongly) trust PSRG
members; the most obvious indication being the recent vested interest
remark.  And, consequently, their designs in PEM which really matter to 
them: RFC1114.

Now, if my suggestion could be put across without damaging the pilot, without
discouraging user confidence in the resultant service, then PEM in its
current form can surely only go forward, with recognition awarded to those who
made it happen, AND with everyone actually possibly enjoying their mutual
criticism. Now all of this will hopefully happen anyway, though the
last clause would also be nice.

An alternative is to reiterate/reformulate the mandate of pem-dev which
should require the forum to be used only by people who agree with the
premisses of PEM, and the advice of PSRG.  This would however stop
pem-dev and the PEM movement from continuing to fulfill its current
leadership of the X.509 open systems security movement.

  • Re: A professional note, shirey <=