[cabfpub] IETF and the Web PKI

Tim Moses tim.moses at entrust.com
Fri Aug 3 09:01:22 MST 2012


Colleagues

On (Thurs) 2 Aug I presented to the IETF Security Area Advisory Group and the Operations and Management Area open meeting.  The topic was the Web PKI.  I made the case that, for historical, scale and market-dynamic reasons, the Web PKI is different from the PKIX PKI; it isn't just a PKIX PKI that went wrong.  While it is closely based on IETF standards, it needs its own standards that deviate slightly from PKI as practiced in a large enterprise or federation of enterprises.

Forum members have repeatedly stated that they don't want to manage technical specifications in the Forum; the implication being that they prefer to use the IETF process.  Part of the reason could have been to have a clear IPR environment.  That, of course, has now changed.  Another reason could have been that IETF RFCs carry more authority (vendors are more likely to pay attention).  Another reason might have been the no-cost configuration-management support.

Anyway!  Members need to confirm that IETF is still the preferred option for technical protocol specifications.

Some of the influencers in PKIX are reluctant to accommodate the needs of the Web PKI, and (anyway) as I understand it, the PKIX WG will close before the end of the year.  The security area directors have proposed the formation of a working group within the Operations and Management Area to serve the Forum's needs.  The Forum has to decide (quite quickly) if it wants to pursue this option.  An IETF mail list will be set up to discuss and (if appropriate) plan a BoF at the Atlanta meeting.  IETF will make a "go/no go" decision regarding the BoF on 24 Sep.  We should not think of a BoF as a "throw-away" or "exploratory".  It will consume significant resources and (in the words of the wedding ceremony) should not be entered into lightly, but reverently, discreetly, advisedly, soberly.

The Security Area directors have promised to make sure that discussions do not get side-tracked by the "enterprise PKI" lobby.  But we have to be clear what we want to achieve with a new working group.  Do we just want a record of how the Web PKI "actually" works?  That doesn't exist in one place at the moment.  Or, do we want to evolve the Web PKI in a way that is coordinated across all the constituents and at a pace that is practical for all involved? Key to success will be having "all" interests represented.  That includes vendors of Web servers and load-balancers as well as CAs, browsers and subscribers.  This latter objective is likely incompatible with the Operations and Management Area.  So, a rethink may be needed in the event that that direction is chosen.

I realize that the Forum is wrestling with some big organizational issues at the moment.  But, if it decides to target a BoF in Atlanta, it has to clarify quickly what it is that it hopes to achieve and get a commitment to engage, not only from its current members but also, from the other important constituents.  There are about four weeks in which to accomplish this.

Discussions like this one should move to the new IETF mail-list once it becomes available.

Best regards.  Tim.
