A quiet word from the OPS AD. (and I'm sure I'm using all of the buzz words
incorrectly - but such is often the way with us OPS types, we just do it,
leaving the formal tags to others)

I'd just as soon see progress on authentication support technologies that can
be deployed with as much speed as possible.

I've been watching PEM from the sidelines for quite a while and, while I think
that a full hierarchy of trust is critical for a class of functions (remote
retrieval of student records, for example), there is quite a wide range of
functions that can be fully implemented using bilateral agreements (as most of
the current EDI world seems to work) or the inclusion of extra information in
the record (e.g. a credit card number).

The implementation and support requirements inherent in the use of a full
authentication hierarchy have, so far, proven to be a major inhibition to the
adoption of badly needed functionality. Even when the hierarchy
infrastructure is in place, I see a long period of refinement in the required
operational support procedures.

bottom line:

The Internet has two separate types of needs for authentication mechanisms.
Many functions can be fully realized using simple N party trust models.
Some functions require full trust hierarchy.
There has been little progress in deploying the enabling technologies required
for full trust hierarchies.
We can't wait much longer.

suggestion:

There are two separable sets of requirements. I don't think the existing PEM
working group properly addresses both sets of requirements.

Continue to develop the X.509 type hierarchy model using the current PEM
working group. This group could continue to rely on DNs as the basis of
identification with the knowledge that the implementation of a support
infrastructure for DNs will take time and includes a large number of currently
unknown operations issues.

Create a separate working group to develop technologies that rely on simple
N-party trust mechanisms. This group should rely on the identification
processes normally used in the operational Internet, i.e. the FQDN, and have as
its primary objective to define things that can be deployed in a short period
of time.

Scott