
Re: X.500 support of PKC certificates.

1994-03-16 14:44:00
Howdy Bob,
   I actually want to apologize for my little outburst.  I started writing
that a couple of months ago while talking to Steve Dusse and never got back
to it.  Yesterday while trying to move mail between notebooks I guess it got
queued with everything else... It also looks like I might be double listed
on the pem-dev mailing list.

A large part of what I'm looking at is/has been discussed recently on
pem-dev with the e-mail name mappings.  I was waiting to see what would fall
from that.  A good e-mail name mapping will make it easier to retrieve
certificates from my domain name server.  I remember the call a while back
about your offer/suggestion on GTE's x.500 service and will respond to
your points below.


1. We need a convenient means of distributing X.509
certificates (and CRLs).

Yep, easy to access/use x.500 services, slick UAs, mailers, domain
name service, it doesn't have to be single solution, I should be able to
configure my client application to point at the distribution method of
my choice, just like I point my mailer at my POP server of choice, or my
resolver at my BIND server of choice.

2. Until we have some slick PEM/mailer/X.500 UAs,
we need a convenient way of specifying the user's
email name and the certificate that is to be used.

I should think that any convenient way of specifying an
entity's certificate should carry on even after we have
slick solutions in place.  Many of those slick solutions
will probably rely on this convenience.


I believe that public X.500 services will be available
to support X.509 certificates and CRLs, perhaps within
the next six months, at least on a trial or pilot basis.

I believe they will become available, but am slightly more skeptical
as to the time period.  Even though the net is supposed to be the
great equalizer (for geographical purposes) we're still awfully
isolated out here.

So let me ask you some speculative questions (these are
just questions, not a commitment):

I remember the original post and understand the reason for
the caveat.


1. Suppose that GTE Labs were to offer a free X.500
service on a pilot basis for at least a year, while we
evaluate the feasibility of offering it on a commercial basis.

Sounds good, some organizations may not be able to take advantage
of this, but it certainly would help kick start others.


2. Suppose also that all you had to do to deposit your
certificate in the X.500 directory (once it was signed by
your CA -- that's your problem) was to send a signed
e-mail message requesting such a listing that included
your certificate(s). (Ultimately maybe your MasterCard
number as well, but we'll get to that issue later.)

Sounds like a good start at an electronic commercial service. And
of course you can verify my certificate from my CA's key.

3. Would we have to provide the DUAs necessary to make
such a scheme usable, or are there a sufficient number
of public domain or other DUAs already available?

Should probably consider both.  Take mail for example, some
people like to buy their solution, some like to get it on
the net.  They're still happy to have mail.  The
ones that aren't happy are those that are stuck with some
someone else's choice of service.

4. Would users be willing and able to integrate
such a DUA with their mailers, etc., or would we have to
wait for the Lotus/Microsoft/Novell crowd to bring out
a professionally integrated product?

Again this is a both, IMHO the better software is found
on the net either free or at a nominal fee.  They tend to
be better maintained and less buggy.

5. Do you have a feel for what a user might be
willing to pay, either to have a certificate posted, or
to retrieve someone else's certificate (and presumably
their e-mail address, and whatever else might be made
available)?

I recall reading about the NIST/Air Force vs. PKP flap over
the use of public keys and digital signatures. The
article made some mention that the PKP folk were willing to look
at about a buck a certificate to be considered fair compensation
(pretty reasonable when you figure a cert will probably last at least
a year, heck the government could probably purchase certs for all its
internet users and still save more money than most software design reviews
cost, and we know the certs work).  Your prices should probably be in
line with whatever is being charged for certificates.

6. Is there any indication that X.500 would NOT be
the preferred solution? Other than price?

Nah, nah, nah, my solution's better than yours.  There's still a
big bunch of people that aren't going to hop on an X.500 solution
(right or wrong).  I suppose it depends on where you live and
who you work for (parental upbringing, genetics, etc).  Providing a service,
even on a trial basis may not help a chunk of government folks.
Hop back to the CA hierarchy, even though there are pockets in the
government purchasing CAs in a commercial hierarchy, these are for test
or prototype purposes.  Ultimately the government is going to have
to have their own hierarchy, so are other nation states.  I got the
impression that that's something they saw come out in the PASSWORD
project.


       o o o o o o o ....   _____________________________=======___________
     o      _____          ||Dr. Mark Oliver       | |oli@bambam.inel.gov  |
   .][__n_n_|DD[  ====____  |Scientific Computing  | |(208) 526-9952       |
  >(________|__|_[_INEL___]_|EG&G Idaho, Inc.______|_|_FAX:_526-9908_______|_
  _/oo OOOOO oo`  ooo   ooo  'o^o^o           o^o^o` ' o^o^o`         o^o^o`
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   Idaho National Engineering Laboratory, Idaho Falls, Idaho, 83415.