[cabfpub] IETF and the Web PKI

Hill, Brad bhill at paypal-inc.com
Thu Aug 9 22:07:34 UTC 2012


Ben, please add Jeff Hodges and myself.

Brad Hill
Ecosystem Security
PayPal Information Risk Management
cell: 206.245.7844 / skype: hillbrad

On Aug 9, 2012, at 2:52 PM, "Ben Wilson" <ben at digicert.com> wrote:

> During today's CAB Forum call we discussed the email below re: the upcoming
> pre-WG Birds-of-a-Feather meeting at IETF in Atlanta November 4-9, 2012.  As
> Tim notes below, the IETF needs a preliminary indication from our members
> and others in the broader community about the BoF meeting and whether we
> would be interested if the IETF created a mailing list named "webpkiops" to
> discuss Web PKI Ops, which would include certificate validity issues.  But
> instead of voting on this or having each of you contact IETF directly about
> your interest, I was wondering whether we should collect the names of those
> who are interested in exploring this idea further and/or participating in
> discussions on a new IETF mailing list if one is created.  If so, then I
> could forward the list to the IETF Area Directors mentioned below.
> 
> To recap, here is a summary of what might be involved: 
> 
> - OPS WGs interact with other IETF by documenting practices and requirements
> or use-cases that feed into the work of existing IETF WGs.  The PKIX WG is
> closing soon and our CABF revocation mailing list has just closed, so a new
> webpkiops WG could involve CAs, Browsers, hardware manufacturers, major
> relying parties, and others interested in recent revocation discussions.
> 
> - If CAB Forum members are in attendance at an IETF meeting, it may be
> possible for us to arrange space for an additional side-meeting, if we pay
> for it.  That might save some of our members on travel costs.
> 
> Please email if you are interested, and I will forward a list to the IETF.
> 
> Thanks,
> 
> Ben
> 
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
> Behalf Of Tim Moses
> Sent: Friday, August 03, 2012 10:01 AM
> To: CABFPub
> Subject: [cabfpub] IETF and the Web PKI
> 
> Colleagues
> 
> On (Thurs) 2 Aug I presented to the IETF Security Area Advisory Group and
> the Operations and Management Area open meeting.  The topic was the Web PKI.
> I made the case that, for historical, scale and market-dynamic reasons, the
> Web PKI is different from the PKIX PKI; it isn't just a PKIX PKI that went
> wrong.  While it is closely based on IETF standards, it needs its own
> standards that deviate slightly from PKI as practiced in a large enterprise
> or federation of enterprises.
> 
> Forum members have repeatedly stated that they don't want to manage
> technical specifications in the Forum; the implication being that they
> prefer to use the IETF process.  Part of the reason could have been to have
> a clear IPR environment.  That, of course, has now changed.  Another reason
> could have been that IETF RFCs carry more authority (vendors are more likely
> to pay attention).  Another reason might have been the no-cost
> configuration-management support.
> 
> Anyway!  Members need to confirm that IETF is still the preferred option for
> technical protocol specifications.
> 
> Some of the influencers in PKIX are reluctant to accommodate the needs of
> the Web PKI, and (anyway) as I understand it, the PKIX WG will close before
> the end of the year.  The security area directors have proposed the
> formation of a working group within the Operations and Management Area to
> serve the Forum's needs.  The Forum has to decide (quite quickly) if it
> wants to pursue this option.  An IETF mail list will be set up to discuss
> and (if appropriate) plan a BoF at the Atlanta meeting.  IETF will make a
> "go/no go" decision regarding the BoF on 24 Sep.  We should not think of a
> BoF as a "throw-away" or "exploratory".  It will consume significant
> resources and (in the words of the wedding ceremony) should not be entered
> into lightly, but reverently, discreetly, advisedly, soberly.
> 
> The Security Area directors have promised to make sure that discussions do
> not get side-tracked by the "enterprise PKI" lobby.  But we have to be clear
> what we want to achieve with a new working group.  Do we just want a record
> of how the Web PKI "actually" works?  That doesn't exist in one place at the
> moment.  Or, do we want to evolve the Web PKI in a way that is coordinated
> across all the constituents and at a pace that is practical for all
> involved? Key to success will be having "all" interests represented.  That
> includes vendors of Web servers and load-balancers as well as CAs, browsers
> and subscribers.  This latter objective is likely incompatible with the
> Operations and Management Area.  So, a rethink may be needed in the event
> that that direction is chosen.
> 
> I realize that the Forum is wrestling with some big organizational issues at
> the moment.  But, if it decides to target a BoF in Atlanta, it has to
> clarify quickly what it is that it hopes to achieve and get a commitment to
> engage, not only from its current members but also, from the other important
> constituents.  There are about four weeks in which to accomplish this. 
> 
> Discussions like this one should move to the new IETF mail-list once it
> becomes available.  
> 
> Best regards.  Tim.
> 
> 
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> http://cabforum.org/mailman/listinfo/public
> 


