On Fri, Aug 09, 2019 at 02:24:51PM -0400, Michael Richardson wrote:
>
> Michael Richardson <mcr+i...@sandelman.ca> wrote:
> > I'm hoping for some discussion about this comment that I previously
> > responded to, but it probably got buried.
>
> Actually, you did respond on July 20, in an email that I thought to re-read
> after pushing send.
>
> In it you said:
>
> mcr> I would never call the Internet PKI "PKIX".
> mcr> I'd call it WebPKI, or CAB.
> mcr> PKIX is the set of IETF specifications that made X509v3 useful.
> mcr> (And why I try never to use "X509"...)
> mcr>
> mcr> I couldn't find a reference to private PKI, so maybe I mis-understand.
>
> doc> This document details protocols and messages to answer the above
> doc> questions. It uses a TLS connection and a PKIX (X.509v3)
> doc> certificate (an IEEE 802.1AR [IDevID] LDevID) of the pledge to answer
> doc> points 1 and 2. It uses a new artifact called a "voucher" that the
> doc> [...]
> doc> Pledge authentication and pledge voucher-request signing is via a
> doc> PKIX certificate installed during the manufacturing process. This is
>
> bk> The comment about private PKI was me making an assumption; I could be
> bk> wrong. But I don't really expect all manufacturers that do this to have
> bk> their IDevID signing CA be part of the Internet PKI; I expect them to be
> bk> standalone CAs with the root baked into hardware and nothing else that
> bk> uses that root. Does that help clarify?
>
> It helps to clarify where you think I'm referring to the Internet PKI.
>
> I don't think of "PKIX" as referring to the Internet PKI/WebPKI as managed by
> the CAB-Forum. Yes, it will be a private CA 96% of the time.
> A 1988 era X509v3 certificate isn't good enough; it has to be the IETF PKIX
> WG profile of X509v3. 802.1AR mostly says that.
I mean, PKIX closed before I was really doing much of anything in the IETF, so
all I have are vague impressions shaped by what I've picked up from inferences
made observing discourse among others. So I did have to check with someone who
was actually there to confirm my sense that PKIX is the Internet PKI. (Not
SPKI!) And sure, anything can be connected to the Internet, and presumably the
BRSKI cases will be talking to the MASA over the Internet in some fashion, but
it's hard to say that the PKI used to do so is a core part of the capital-I
Internet.

> If you feel that my use of PKIX here is too confusing, I will change it.

I'm still open to pushback, but something like "PKIX-compatible" or
"PKIX-conformant" would make me happier.

-Ben

_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima