Colleagues - This is by way of explaining some of the background to this mail list.
As you may be aware, the IETF's PKIX working group will be wound up some time in the next few months. The members of PKIX have worked hard over the last 16 years to define how PKI should be practiced in large and extended enterprises. That work is now nearing completion. Those whose interest is PKI as practiced in the Web, working together in the CA/Browser Forum, have also accomplished much in the seven years of its existence. But, the Forum has consistently stated its intention not to produce and maintain technical standards. So, its members have often turned to PKIX for their standard protocol needs. Now, that facility is about to disappear, even though the Forum's work is far from complete. In order to illustrate the point, here are some examples of ongoing technical discussions: the best way to accomplish revocation; how to augment the trust model to improve observability; and whether and how to implement short-lived certificates. These, and similar outstanding questions, have to be addressed in a coordinated fashion across all components of the eco-system, including: browser/OS, Web server, load balancer, and certification authority, and both with those who supply the products and those who operate them. The IETF's Security Area directors have identified a need for a new forum in which issues such as these can be discussed and advanced. And, to that end, this mail list has been established and a BoF at the IETF's Atlanta meeting in November of this year is under consideration. Initial indications are that there is enthusiastic support for the idea. But, success will depend upon having the right experts actively involved. Their willingness remains to be confirmed. The IETF will decide whether to set aside time for a BoF on 24 Sep or thereabouts. So, there is some urgency to progressing the matter. We have to answer some fundamental questions, such as: 1. How broad is the recognition of the need? 2. Are all the essential constituents willing to participate? 3. What objective should the nascent working group set itself? Armed with the answers to these questions, the IETF planners will be in a position to consider a request for a BoF and how best to accommodate the needs of the Web PKI community. There is one idea that I would like you to consider: set up a working group within the Operations and Management Area of the IETF to document how the Web PKI actually works today. This would comprise a set of descriptive drafts covering the various certificate lifecycle phases: trust model, certificate application and installation, certificate issuance, certificate renewal, certificate reissuance, certificate revocation, and certificate validation. There are many variants in use, and the idea would be to record as many of the important variants as possible. This might be accomplished within one to two years, and the benefit would be two-fold: it would make it clearer which options are preferable; and it would allow time for the group to cohere. My fear is that launching directly into writing prescriptive standards will foster mutual suspicion and hold back progress. Once deliverables start to flow from this initial project, we may consider forming other groups to advance standards or standard profiles for specific aspects of the system. I hope that helps. All the best. Tim. T: +1 613 270 3183
_______________________________________________ wpkops mailing list [email protected] https://www.ietf.org/mailman/listinfo/wpkops
