[cabfpub] IETF and the Web PKI

Ryan Hurst ryan.hurst at globalsign.com
Thu Aug 9 23:20:29 UTC 2012


So would I.

Sent from my iPhone

On Aug 10, 2012, at 6:01 AM, Rick Andrews <Rick_Andrews at symantec.com> wrote:

> Ben,
> 
> I would be interested in participating in this proposed new mailing list.
> 
> -Rick
> 
>> -----Original Message-----
>> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
>> Behalf Of Ben Wilson
>> Sent: Thursday, August 09, 2012 2:52 PM
>> To: 'CABFPub'
>> Subject: Re: [cabfpub] IETF and the Web PKI
>> 
>> During today's CAB Forum call we discussed the email below re: the upcoming
>> pre-WG Birds-of-a-Feather meeting at IETF in Atlanta November 4-9, 2012.  As
>> Tim notes below, the IETF needs a preliminary indication from our members
>> and others in the broader community about the BoF meeting and whether we
>> would be interested if the IETF created a mailing list named "webpkiops" to
>> discuss Web PKI Ops, which would include certificate validity issues.  But
>> instead of voting on this or having each of you contact IETF directly about
>> your interest, I was wondering whether we should collect the names of those
>> who are interested in exploring this idea further and/or participating in
>> discussions on a new IETF mailing list if one is created.  If so, then I
>> could forward the list to the IETF Area Directors mentioned below.
>> 
>> To recap, here is a summary of what might be involved:
>> 
>> - OPS WGs interact with other IETF by documenting practices and requirements
>> or use-cases that feed into the work of existing IETF WGs.  The PKIX WG is
>> closing soon and our CABF revocation mailing list has just closed, so a new
>> webpkiops WG could involve CAs, Browsers, hardware manufacturers, major
>> relying parties, and others interested in recent revocation discussions.
>> 
>> - If CAB Forum members are in attendance at an IETF meeting, it may be
>> possible for us to arrange space for an additional side-meeting, if we pay
>> for it.  That might save some of our members on travel costs.
>> 
>> Please email if you are interested, and I will forward a list to the IETF.
>> 
>> Thanks,
>> 
>> Ben
>> 
>> -----Original Message-----
>> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
>> Behalf Of Tim Moses
>> Sent: Friday, August 03, 2012 10:01 AM
>> To: CABFPub
>> Subject: [cabfpub] IETF and the Web PKI
>> 
>> Colleagues
>> 
>> On (Thurs) 2 Aug I presented to the IETF Security Area Advisory Group and
>> the Operations and Management Area open meeting.  The topic was the Web PKI.
>> I made the case that, for historical, scale and market-dynamic reasons, the
>> Web PKI is different from the PKIX PKI; it isn't just a PKIX PKI that went
>> wrong.  While it is closely based on IETF standards, it needs its own
>> standards that deviate slightly from PKI as practiced in a large enterprise
>> or federation of enterprises.
>> 
>> Forum members have repeatedly stated that they don't want to manage
>> technical specifications in the Forum; the implication being that they
>> prefer to use the IETF process.  Part of the reason could have been to have
>> a clear IPR environment.  That, of course, has now changed.  Another reason
>> could have been that IETF RFCs carry more authority (vendors are more likely
>> to pay attention).  Another reason might have been the no-cost
>> configuration-management support.
>> 
>> Anyway!  Members need to confirm that IETF is still the preferred option for
>> technical protocol specifications.
>> 
>> Some of the influencers in PKIX are reluctant to accommodate the needs of
>> the Web PKI, and (anyway) as I understand it, the PKIX WG will close before
>> the end of the year.  The security area directors have proposed the
>> formation of a working group within the Operations and Management Area to
>> serve the Forum's needs.  The Forum has to decide (quite quickly) if it
>> wants to pursue this option.  An IETF mail list will be set up to discuss
>> and (if appropriate) plan a BoF at the Atlanta meeting.  IETF will make a
>> "go/no go" decision regarding the BoF on 24 Sep.  We should not think of a
>> BoF as a "throw-away" or "exploratory".  It will consume significant
>> resources and (in the words of the wedding ceremony) should not be entered
>> into lightly, but reverently, discreetly, advisedly, soberly.
>> 
>> The Security Area directors have promised to make sure that discussions do
>> not get side-tracked by the "enterprise PKI" lobby.  But we have to be clear
>> what we want to achieve with a new working group.  Do we just want a record
>> of how the Web PKI "actually" works?  That doesn't exist in one place at the
>> moment.  Or, do we want to evolve the Web PKI in a way that is coordinated
>> across all the constituents and at a pace that is practical for all
>> involved? Key to success will be having "all" interests represented.  That
>> includes vendors of Web servers and load-balancers as well as CAs, browsers
>> and subscribers.  This latter objective is likely incompatible with the
>> Operations and Management Area.  So, a rethink may be needed in the event
>> that that direction is chosen.
>> 
>> I realize that the Forum is wrestling with some big organizational issues at
>> the moment.  But, if it decides to target a BoF in Atlanta, it has to
>> clarify quickly what it is that it hopes to achieve and get a commitment to
>> engage, not only from its current members but also, from the other important
>> constituents.  There are about four weeks in which to accomplish this.
>> 
>> Discussions like this one should move to the new IETF mail-list once it
>> becomes available.
>> 
>> Best regards.  Tim.
>> 
>> 
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org
>> http://cabforum.org/mailman/listinfo/public
>> 


