[cabfpub] IETF and the Web PKI

Ben Wilson ben at digicert.com
Thu Aug 9 21:51:41 UTC 2012


During today's CAB Forum call we discussed the email below re: the upcoming
pre-WG Birds-of-a-Feather meeting at IETF in Atlanta November 4-9, 2012.  As
Tim notes below, the IETF needs a preliminary indication from our members
and others in the broader community about the BoF meeting and whether we
would be interested if the IETF created a mailing list named "webpkiops" to
discuss Web PKI Ops, which would include certificate validity issues.  But
instead of voting on this or having each of you contact IETF directly about
your interest, I was wondering whether we should collect the names of those
who are interested in exploring this idea further and/or participating in
discussions on a new IETF mailing list if one is created.  If so, then I
could forward the list to the IETF Area Directors mentioned below.

To recap, here is a summary of what might be involved: 

- OPS WGs interact with other IETF WGs by documenting practices and requirements
or use-cases that feed into the work of existing IETF WGs.  The PKIX WG is
closing soon and our CABF revocation mailing list has just closed, so a new
webpkiops WG could involve CAs, Browsers, hardware manufacturers, major
relying parties, and others interested in recent revocation discussions.

- If CAB Forum members are in attendance at an IETF meeting, it may be
possible for us to arrange space for an additional side-meeting, if we pay
for it.  That might save some of our members on travel costs.

Please email if you are interested, and I will forward a list to the IETF.

Thanks,

Ben

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Tim Moses
Sent: Friday, August 03, 2012 10:01 AM
To: CABFPub
Subject: [cabfpub] IETF and the Web PKI

Colleagues

On (Thurs) 2 Aug I presented to the IETF Security Area Advisory Group and
the Operations and Management Area open meeting.  The topic was the Web PKI.
I made the case that, for historical, scale and market-dynamic reasons, the
Web PKI is different from the PKIX PKI; it isn't just a PKIX PKI that went
wrong.  While it is closely based on IETF standards, it needs its own
standards that deviate slightly from PKI as practiced in a large enterprise
or federation of enterprises.

Forum members have repeatedly stated that they don't want to manage
technical specifications in the Forum; the implication being that they
prefer to use the IETF process.  Part of the reason could have been to have
a clear IPR environment.  That, of course, has now changed.  Another reason
could have been that IETF RFCs carry more authority (vendors are more likely
to pay attention).  Another reason might have been the no-cost
configuration-management support.

Anyway!  Members need to confirm that IETF is still the preferred option for
technical protocol specifications.

Some of the influencers in PKIX are reluctant to accommodate the needs of
the Web PKI, and (anyway) as I understand it, the PKIX WG will close before
the end of the year.  The security area directors have proposed the
formation of a working group within the Operations and Management Area to
serve the Forum's needs.  The Forum has to decide (quite quickly) if it
wants to pursue this option.  An IETF mail list will be set up to discuss
and (if appropriate) plan a BoF at the Atlanta meeting.  IETF will make a
"go/no go" decision regarding the BoF on 24 Sep.  We should not think of a
BoF as a "throw-away" or "exploratory".  It will consume significant
resources and (in the words of the wedding ceremony) should not be entered
into lightly, but reverently, discreetly, advisedly, soberly.

The Security Area directors have promised to make sure that discussions do
not get side-tracked by the "enterprise PKI" lobby.  But we have to be clear
what we want to achieve with a new working group.  Do we just want a record
of how the Web PKI "actually" works?  That doesn't exist in one place at the
moment.  Or, do we want to evolve the Web PKI in a way that is coordinated
across all the constituents and at a pace that is practical for all
involved? Key to success will be having "all" interests represented.  That
includes vendors of Web servers and load-balancers as well as CAs, browsers
and subscribers.  This latter objective is likely incompatible with the
Operations and Management Area.  So, a rethink may be needed in the event
that that direction is chosen.

I realize that the Forum is wrestling with some big organizational issues at
the moment.  But, if it decides to target a BoF in Atlanta, it has to
clarify quickly what it is that it hopes to achieve and get a commitment to
engage, not only from its current members but also, from the other important
constituents.  There are about four weeks in which to accomplish this. 

Discussions like this one should move to the new IETF mail-list once it
becomes available.  

Best regards.  Tim.


_______________________________________________
Public mailing list
Public at cabforum.org
http://cabforum.org/mailman/listinfo/public