>From: jueneman <jueneman%wotan(_at_)com(_dot_)gte>
>Subject: Re: Re: identifying attribute types
>Date: Fri, 03 Dec 93 17:43:52 EST
>In the meantime, I will try to at least comprehend what you are saying, and
>try to decide whether we are in violent agreement or not. If you have any
>further thoughts or comments, please pass them on.
I know and understand the context of your work; I'm convinced, by virtue
of having read your contributions to this list, that you are the right
person to do this sort of projective analysis. There is a world of
X.509 beyond PEM; however, there is also a clear role for the PEM class of
technology as currently defined. (I accept that many of the naming,
schema and liability arrangements have been left as a matter of good
judgement, on the basis that it's necessary to gain consensus in this
community, rather than impose the simple dominance rules of military
messaging designs which deal with the same issues.)
We have, as a group, to be self-protective to ensure that deliberations
and debate which seek to extend the role of PEM do not undermine
confidence in the assurance of PEM to actually do now what it sets out
to do. PEM clearly lays out a system for trusted key distribution
entailing privacy services. Neither peer-entity authentication services
nor third-party authentication services have to adopt the same
stringencies. It is quite possible to organize one huge CA covering
each residential person in the US - where the dominance properties of
1422 are not required in order to maintain the integrity of a
distributed authentication domain.
I believe we two are separated ON THIS LIST ONLY between discussing the
very-fine tuning of the systems supporting PEM for use in massive
deployment now, versus how the design properties of RFC 1422 might be
aligned as a component of, or used as a basis of, a US federal policy
on a residential authentication infrastructure, and/or privacy
infrastructure.
Perhaps we need direction from the chair on how we might separate these
two threads. I don't want to see PEM isolated in terms of US federal
policy formation; I do want to see its existing services deployed now;
I want to form an evolution path for the Internet authentication and
privacy services; I want Federal service providers to be interacting
with the Internet providers. And, of course, the system organization
which meets all of those desires must be clear in the assignment of
liability to a legal standard.
Can we really use pem-dev for these topics? I'm worried that the topics
fall outside the scope of the WG, or else contradict the Internet goals.
I have lots to say about the issues you raise; I've limited
myself to supporting only standards-track activities to date,
despite wanting also to re-engineer PEM's properties to support
services which it doesn't currently address. The technical statements
of my last few mails laid out the way of thinking which enables
PEM to be used and deployed now for the purposes for which it
was intended. I was not arguing that the points you put are
invalid in non-PEM services circumstances.