[cabfpub] IETF and the Web PKI

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Thu Aug 9 14:59:05 MST 2012


Ben - I would also clarify to IETF and Tim Moses that the sentiment expressed on today's call was that the Forum itself did not have an interest in associating with or asking for a new IETF Web PKI working group.  

As was discussed, if individual Forum members want to do so in their own names, of course they can, but the Forum would not be participating as a body with any new group or requesting its formation.  

As Chris Bailey said today, many of us have a hard time keeping up with the Forum's own work flow, and do not want to take on another working group, IETF or otherwise.

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Thursday, August 09, 2012 2:52 PM
To: 'CABFPub'
Subject: Re: [cabfpub] IETF and the Web PKI

During today's CAB Forum call we discussed the email below re: the upcoming pre-WG Birds-of-a-Feather meeting at IETF in Atlanta November 4-9, 2012.  As Tim notes below, the IETF needs a preliminary indication from our members and others in the broader community about the BoF meeting and whether we would be interested if the IETF created a mailing list named "webpkiops" to discuss Web PKI Ops, which would include certificate validity issues.  But instead of voting on this or having each of you contact IETF directly about your interest, I was wondering whether we should collect the names of those who are interested in exploring this idea further and/or participating in discussions on a new IETF mailing list if one is created.  If so, then I could forward the list to the IETF Area Directors mentioned below.

To recap, here is a summary of what might be involved: 

- OPS WGs interact with other IETF by documenting practices and requirements or use-cases that feed into the work of existing IETF WGs.  The PKIX WG is closing soon and our CABF revocation mailing list has just closed, so a new webpkiops WG could involve CAs, Browsers, hardware manufacturers, major relying parties, and others interested in recent revocation discussions.

- If CAB Forum members are in attendance at an IETF meeting, it may be possible for us to arrange space for an additional side-meeting, if we pay for it.  That might save some of our members on travel costs.

Please email if you are interested, and I will forward a list to the IETF.

Thanks,

Ben

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Tim Moses
Sent: Friday, August 03, 2012 10:01 AM
To: CABFPub
Subject: [cabfpub] IETF and the Web PKI

Colleagues

On (Thurs) 2 Aug I presented to the IETF Security Area Advisory Group and the Operations and Management Area open meeting.  The topic was the Web PKI.
I made the case that, for historical, scale and market-dynamic reasons, the Web PKI is different from the PKIX PKI; it isn't just a PKIX PKI that went wrong.  While it is closely based on IETF standards, it needs its own standards that deviate slightly from PKI as practiced in a large enterprise or federation of enterprises.

Forum members have repeatedly stated that they don't want to manage technical specifications in the Forum; the implication being that they prefer to use the IETF process.  Part of the reason could have been to have a clear IPR environment.  That, of course, has now changed.  Another reason could have been that IETF RFCs carry more authority (vendors are more likely to pay attention).  Another reason might have been the no-cost configuration-management support.

Anyway!  Members need to confirm that IETF is still the preferred option for technical protocol specifications.

Some of the influencers in PKIX are reluctant to accommodate the needs of the Web PKI, and (anyway) as I understand it, the PKIX WG will close before the end of the year.  The security area directors have proposed the formation of a working group within the Operations and Management Area to serve the Forum's needs.  The Forum has to decide (quite quickly) if it wants to pursue this option.  An IETF mail list will be set up to discuss and (if appropriate) plan a BoF at the Atlanta meeting.  IETF will make a "go/no go" decision regarding the BoF on 24 Sep.  We should not think of a BoF as a "throw-away" or "exploratory".  It will consume significant resources and (in the words of the wedding ceremony) should not be entered into lightly, but reverently, discreetly, advisedly, soberly.

The Security Area directors have promised to make sure that discussions do not get side-tracked by the "enterprise PKI" lobby.  But we have to be clear what we want to achieve with a new working group.  Do we just want a record of how the Web PKI "actually" works?  That doesn't exist in one place at the moment.  Or, do we want to evolve the Web PKI in a way that is coordinated across all the constituents and at a pace that is practical for all involved? Key to success will be having "all" interests represented.  That includes vendors of Web servers and load-balancers as well as CAs, browsers and subscribers.  This latter objective is likely incompatible with the Operations and Management Area.  So, a rethink may be needed in the event that that direction is chosen.

I realize that the Forum is wrestling with some big organizational issues at the moment.  But, if it decides to target a BoF in Atlanta, it has to clarify quickly what it is that it hopes to achieve and get a commitment to engage, not only from its current members but also, from the other important constituents.  There are about four weeks in which to accomplish this. 

Discussions like this one should move to the new IETF mail-list once it becomes available.  

Best regards.  Tim.


_______________________________________________
Public mailing list
Public at cabforum.org
http://cabforum.org/mailman/listinfo/public