Re: [Anima] What does PKIX refer to: Re: Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

Benjamin Kaduk <> Fri, 09 August 2019 18:51 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B65BA1201EC; Fri, 9 Aug 2019 11:51:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 6zP3HceUpvuM; Fri, 9 Aug 2019 11:51:58 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D40A01201D4; Fri, 9 Aug 2019 11:51:57 -0700 (PDT)
Received: from ([]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by (8.14.7/8.12.4) with ESMTP id x79IpiPo021088 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 9 Aug 2019 14:51:48 -0400
Date: Fri, 09 Aug 2019 13:51:43 -0500
From: Benjamin Kaduk <>
To: Michael Richardson <>
Cc: The IESG <>,,,,
Message-ID: <>
References: <> <27223.1565374549@localhost> <29229.1565375091@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <29229.1565375091@localhost>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <>
Subject: Re: [Anima] What does PKIX refer to: Re: Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 09 Aug 2019 18:52:00 -0000

On Fri, Aug 09, 2019 at 02:24:51PM -0400, Michael Richardson wrote:
> Michael Richardson <> wrote:
>     > I hoping for some discussion about this comment that I previously
>     > responded to, but it probably got buried.
> Actually, you did respond on July 20, in an email that I thought to re-read
> after pushing send.
> In it you said:
> mcr> I would never call the Internet PKI "PKIX".
> mcr> I'd call it WebPKI, or CAB.
> mcr> PKIX is the set of IETF specifications that made X509v3 useful.
> mcr> (And why I try never to use "X509"...)
> mcr>
> mcr> I couldn't find a reference to private PKI, so maybe I mis-understand.
>    doc> This document details protocols and messages to answer the above
>    doc> questions.  It uses a TLS connection and an PKIX (X.509v3)
>    doc> certificate (an IEEE 802.1AR [IDevID] LDevID) of the pledge to answer
>    doc> points 1 and 2.  It uses a new artifact called a "voucher" that the
>    doc> [...]
>    doc> Pledge authentication and pledge voucher-request signing is via a
>    doc> PKIX certificate installed during the manufacturing process.  This is
> bk> The comment about private PKI was me making an assumption; I could be
> bk> wrong.  But I don't really expect all manufacturers that do this to have
> bk> their IDevID signing CA be part of the Internet PKI; I expect them to be
> bk> standalone CAs with the root baked into hardware and nothing else that
> bk> uses that root.  Does that help clarify?
> It helps to clarify where you think I'm referring to the Internet PKI.
> I don't think of "PKIX" as referring to the Internet PKI/WebPKI as managed by
> the CAB-Forum.  Yes, it will be a private CA 96% of the time.
> A 1988 era X509v3 certificate isn't good enough; it has to be the IETF PKIX
> WG profile of X509v3.  801.1AR mostly says that.

I mean, PKIX closed before I was really doing much of anything in the IETF,
so all I have are vague impressions shaped by what I've picked up from
inferences made observing discourse among others.  So I did have to check
with someone who was actually there to confirm my sense that PKIX is the
Internet PKI.  (Not SPKI!)  And sure, anything can be connected to the
Internet, and presumably the BRSKI cases will be talking to the MASA over
the Internet in some fashion, but it's hard to say that the PKI used to do
so is a core part of the capital-I Internet.

> If you feel that my use of PKIX here is too confusing, I will change it.

I'm still open to pushback, but something like "PKIX-compatible" or
"PKIX-conformant" would make me happier.