>From: jueneman <jueneman%wotan(_at_)com(_dot_)gte>
>Subject: IETF and NADF (was Re: StrongAuthenticationUser
>Date: Wed, 09 Mar 94 19:21:23 EST
>Peter,
>
>>I don't think we are progressing the PEM RFCs on the standards path.
>
>??
pem-dev is a pretty open forum, but does have a process and an aim - to
get its various formal documents to the status of Internet Standards. There
are rules. The current status is RFC, and the IAB has to decide whether
the proposal is mature and represents consensus.
I'm not sure one could describe the contents of the last 400 pem-dev
mail as consensus. The reference implementation now denies a fundamental
goal of the activity - the support for non-repudiation, and have
challenged the do-ability of the naming constructs!
It's hard to see PEM RFCs being adopted or recognised.
Steve Crocker has taken the quite clear line now that the RFCs
have to be made to address (his version) of usability. And with
friends has made proposals. Now we have to start to decide. We
can't chatter for ever.
>
>>1) IETF activities are being used to support "submissions" to the NADF -
>>private members-only commercially-driven group. This is just wrong. The IETF
>>should only work from NADF published documents and statements. Liaison is
>>fine, interworking is not.
>
>I don't understand what you are saying at all. Are you suggesting that I am doing
>something "wrong" by addressing the needs of the PEM community and/or
>other PKC users within the NADF, and vice versa? I am not a member of the
>IETF, and don't pretend to represent them or their position in any context.
>GTE has joined the NADF, and I am a delegate, but I would not pretend to
>represent them in any capacity either. But I believe that Steve Kent made the
>decision long ago that this list need not be closed to IETF members, and I have
>been working on that assumption ever since.
You are a member of the IETF Bob! Whilst much of pem-dev is idle chatter between
interested parties, you are one who makes quite specific proposals for change.
And that's the way the IETF works! You are a quite superb mailing-list member,
there is no initiation, or joining!
Perhaps I was a bit hard on you re the NADF. Just be careful, that most of
us can't see what the NADF is doing by virtue of their being
a closed community.
>To put it bluntly, who is the area director, and who made him (or her) God?
>X.500 is a joint CCITT/ISO standard. Does the IETF intend to declare war
>on the United Nations, under whose sponsorship these standards are
>developed? I don't understand.
Steve Crocker is the area director for all IETF security activities. He
knows a lot about what makes the internet style of doing things tick. He
also has strong technical opinions in his own right. Area directors have
specific responsibilities.
>
>>D) Perhaps Bob will reconsider publishing his ongoing "redesign
>>of authentication syntax and semantics" as an I-D, rather than putting
>>it through the NADF?
>
>I think you are putting me on? I have suggested revisions to the PEM
>technical community regarding the content of certain X.500 attributes,
>notably the structure of X.509, and more recently regarding extensions
>to the X.521 definition of StrongAuthenticationUser object class. Why
>do you think that deserves an Internet Draft, particularly before any
>reasonable amount of consensus has been achieved?
The concept of I-Ds was introduced to enable the distribution of complete
statements of positions/proposals. Consensus happens by their
refinement into RFCs through peer evaluation. This is the process
we are all actually involved in here - though it may be hard
to see through all the text.
>
>Now, if you are suggesting that the IETF might respond to such an I-D
>with a formal defect report to CCITT/ISO, I might be much more willing
>to consider such an effort!
Think of it this way - make it actually work in the internet, then
ISO will pick it up anyway.
>Right now I am just floating a trial balloon, and seeking feedback and consensus
>as to what such an object class should look like. I can't wait three years for
>CCITT/ISO to make up their collective minds on such issues -- I want to get
>on with it.
Good. There are FYI and RFC on gopher to tell you how to write trial balloons
up in the required form - just like Rhys did. It's just
a bit of (UNIX) reformatting for your existing text, which
can then go into the peer-review process. (If I-Ds don't progress, then they
automatically die; think of an I-D as a conference paper outline which
may well get rejected, or accepted...)
>
>Your comments, based on your obvious knowledge of the various standards
>initiatives, would be most welcome.
Like you, I like the IETF because it actually does something. However,
those who shout the most often have their way in open communities; a minimal bit of
due process stops the excess.
pem WG currently consists of 4-5 positions being written over and over again, based
on personal prejudices. I volunteered a bit of process to cut down the noise, which
is becoming wearisome. Other protocols with more services than, and less
services than, PEM are gaining ground all the time, without a doubt. PEM
is in danger of being overrun by the enemy!
But things are looking brighter. Sufficient consensus has been
generated to get I-Ds into place for the EN and self-signed concepts. I
don't personally see why PEM shouldn't facilitate just data origin authentication
service, providing messaging users can differentiate such protocol
elements from those supporting proof and non-repudiation services.
Now someone needs to volunteer to write a replacement for (delta of)
RFC 1422 - which is what essentially RSA DSI have said they would do, I
think!
>
>Bob