pem-dev

X.500 support of PKC certificates.

1994-03-16 10:06:00
Mark,

If I could summarize the problems that seem to be facing us,
they would seem to be the following:

1. We need a convenient means of distributing X.509
certificates (and CRLs).

2. Until we have some slick PEM/mailer/X.500 UAs,
we need a convenient way of specifying the user's
email name and the certificate that is to be used.

3. There are a number of applications that need X.509 
certificates that are not mail based, and may not even be
Internet based or compatible. Examples would include a 
number of forms packages and EDI applications.

The architecture behind most of these products and
applications assumed the existence of X.500.
Unfortunately, there is a chicken and egg problem here.
Various X.500 systems are available and can be used by 
private companies, but in order to make them very
useful, they need to be hooked up to public ADDMDs.
Because we have a competitive environment in the US,
it is necessary to devise a mechanism to share the global
name space, so that users can be listed by their ADDMD
of choice, without having to make that ADDMD part of
their name.

The NADF is trying to solve that problem, and directory
servers are up and running, but the databases are not
populated yet, and the level of service is probably
not sufficiently robust for even free use, much less of
commercial quality.

I believe that public X.500 services will be available
to support X.509 certificates and CRLs, perhaps within 
the next six months, at least on a trial or pilot basis.

My question is, "If we build it, will they come?"

I believe that the existing X.500 infrastructure can
be fielded at least as rapidly as any other approach,
in particular if you factor in the various security
issues of who can control updates, etc.

I think the real issue will be the availability of suitable 
Directory User Agents, and the willingness of vendors
to integrate those DUAs with their applications.

So let me ask you some speculative questions (these are
just questions, not a commitment):

1. Suppose that GTE Labs were to offer a free X.500
service on a pilot basis for at least a year, while we
evaluate the feasibility of offering it on a commercial basis.

2. Suppose also that all you had to do to deposit your
certificate in the X.500 directory (once it was signed by 
your CA -- that's your problem) was to send a signed
e-mail message requesting such a listing that included
your certificate(s). (Ultimately maybe your MasterCard
number as well, but we'll get to that issue later.)

3. Would we have to provide the DUAs necessary to make 
such a scheme usable, or are there a sufficient number
of public domain or other DUAs already available?

4. Would users be willing and able to integrate
such a DUA with their mailers, etc., or would we have to 
wait for the Lotus/Microsoft/Novell crowd to bring out
a professionally integrated product?

5. Do you have a feel for what a user might be
willing to pay, either to have a certificate posted, or
to retrieve someone else's certificate (and presumably
their e-mail address, and whatever else might be made
available)?

6. Is there any indication that X.500 would NOT be
the preferred solution? Other than price?

Bob
