Hi Alan,

 

Thanks for your comments. My proposal is a very initial proposal. I was just
eager to see reaction to the general approach.

 

I have primarily been concerned with the case where an RP only has 1-2 ms to
validate a received PDU, meaning that the validation has to happen a
thousand times faster than in a traditional Web environment.

 

I will be very happy to receive some of the solutions you have seen work in
practice. I am always open to new ideas.

 

Kind regards,

 

Erik

 

From: Sill, Alan [mailto:[email protected]]
Sent: 31 July 2014 23:17
To: Erik Andersen
Cc: Sill, Alan; [email protected]; [email protected]; [email protected];
[email protected]
Subject: Re: [pkix] X.509 whitelist proposal

 

Erik, 

 

With the desire to wind this discussion back to its actual content and avoid
for the present further discussion of procedures, let me say that the use
case proposed is a familiar one in the world of extended use of PKI as an
authentication piece of access control systems in distributed infrastructure
environments. 

 

The solution invariably is to implement a separate authorization layer that
can work with the existing certificate infrastructure, which is out of scope
as a work item for any of the proposed groups.

 

My personal belief is that this is not worth pursuing in its present form. I
would be happy, off-list or on an individual basis, to pass on some of the
solutions that I have seen work in practice in distributed computational,
storage and other related control settings, some of which can be achieved
within the existing X.509 settings through the use, for example, of time
limited or otherwise membership-limited extended attribute certificates.

 

My suggestion, with great respect and due deference to its proposers, is to
drop the referenced proposal until exploration of appropriate authorization
technologies has been done and again offer to have that discussion off these
lists or on a different one.

 

Alan Sill, TTU

VP of Standards, Open Grid Forum

 

On Jul 18, 2014, at 12:49 AM, Tony Rutkowski <[email protected]> wrote:





Hi Steve,

The note below was distributed earlier on the ITU-T SG17
sub-group Q11/17 list by the group's rapporteur.  It might
be useful to gauge industry reaction in IETF and CA/B
Forum venues.

Note that although the document appears on an ITU-T
template, it has not been submitted.   In addition, although
the source is indicated as "Denmark," it is not apparent
that the source is any other than the rapporteur
himself, who is identified as the contact.  Lastly, although
the note asserts that "IEC TC57 WG15 (smart grid 
security) has requested the inclusion of whitelist 
support in X.509," there is no apparent liaison to
this effect.

--tony



-------- Original Message -------- 


Subject: [T17Q11] X.509 whitelist support
Date: Thu, 17 Jul 2014 14:43:30 +0200
From: Erik Andersen <[email protected]>
To: Directory list <[email protected]>, SG17-Q11 <[email protected]>
CC: SG17-Q10 <[email protected]>

 

IEC TC57 WG15 (smart grid security) has requested the inclusion of whitelist
support in X.509. A preliminary proposal for such a feature may be found as
http://www.x500standard.com/uploads/extensions/whitelistInX509.pdf

 

The feature may in some way be combined with the trust broker concept, which
probably will involve a number of changes.

 

As it is quite important that we have a workable solution, any comment is
welcome. I hope you will find the time to review the proposal before it is
submitted to ITU-T.

 

Kind regards,

 

Erik

 

