Re[2]: Last Call: draft-shimaoka-multidomain-pki-11.txt
Masaki SHIMAOKA <m-shimaoka@secom.co.jp> Tue, 01 April 2008 10:45 UTC
Return-Path: <ietf-bounces@ietf.org>
X-Original-To: ietf-archive@megatron.ietf.org
Delivered-To: ietfarch-ietf-archive@core3.amsl.com
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 003BB28C450; Tue, 1 Apr 2008 03:45:02 -0700 (PDT)
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8622128C424 for <ietf@core3.amsl.com>; Tue, 1 Apr 2008 03:44:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.709
X-Spam-Level: **
X-Spam-Status: No, score=2.709 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_JP=1.244, HOST_EQ_JP=1.265, SUBJ_RE_NUM=2.799]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ED35qwwVB3oz for <ietf@core3.amsl.com>; Tue, 1 Apr 2008 03:44:56 -0700 (PDT)
Received: from ns03.secom.co.jp (ns03.secom.co.jp [61.114.178.249]) by core3.amsl.com (Postfix) with ESMTP id 6E30B28C43A for <ietf@ietf.org>; Tue, 1 Apr 2008 03:44:56 -0700 (PDT)
Received: from mldsit04.intra.secom.co.jp ([172.21.1.41]) by ns03.secom.co.jp (8.12.11.20060308/3.7W) with SMTP id m31AiXWa019428; Tue, 1 Apr 2008 19:44:33 +0900 (JST)
Received: from (exc02.secom.corp [10.1.3.137]) by mldsit04.intra.secom.co.jp with smtp id 5c70_9d8383fe_ffd8_11dc_8f0d_001143d8e641; Tue, 01 Apr 2008 19:44:33 +0900
Received: from EXVS04.SECOM.corp ([10.1.3.141]) by exc02.SECOM.corp with Microsoft SMTPSVC(6.0.3790.1830); Tue, 1 Apr 2008 19:44:32 +0900
Received: from [10.131.128.102] ([10.131.128.102]) by EXVS04.SECOM.corp with Microsoft SMTPSVC(6.0.3790.1830); Tue, 1 Apr 2008 19:44:32 +0900
Date: Tue, 01 Apr 2008 19:44:36 +0900
From: Masaki SHIMAOKA <m-shimaoka@secom.co.jp>
To: Stephen Kent <kent@bbn.com>, martin.rex@sap.com
Subject: Re[2]: Last Call: draft-shimaoka-multidomain-pki-11.txt
In-Reply-To: <20071206125604.1B66.792847B2@secom.co.jp>
References: <p06240527c37b984ca4e8@[130.129.65.93]> <20071206125604.1B66.792847B2@secom.co.jp>
Message-Id: <20080401194418.A729.517D9B22@secom.co.jp>
MIME-Version: 1.0
X-Mailer: Becky! ver. 2.44 [ja]
X-OriginalArrivalTime: 01 Apr 2008 10:44:32.0611 (UTC) FILETIME=[5EBA2330:01C893E5]
Cc: Nelson Hastings <nelson.hastings@nist.gov>, Rebecca Nielsen <nielsen_rebecca@bah.com>, ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: ietf-bounces@ietf.org
Errors-To: ietf-bounces@ietf.org
Martin, Now we released -12 based on my previous response to you as the result of reflecting your comments. Additionally, > - Introductionally text: > I basically agree with Stephen. To update the text, I'm talking with > co-authors. Revised the first sentence in the Abstract as the following: The objective of this document is to establish a terminology framework and to suggest the operational requirements of PKI domain for interoperability of multi-domain Public Key Infrastructure, where each PKI domain is operated under a distinct policy. Thanks, -- Masaki SHIMAOKA <m-shimaoka@secom.co.jp> SECOM IS Lab. Core Technology Div. +81 422 76 2105 (4122) On Thu, 06 Dec 2007 12:57:42 +0900 Masaki SHIMAOKA <m-shimaoka@secom.co.jp> wrote: > Stephen and Martin, > # sorry for twice posting. > > Thanks for your quick comments. > > - Trust Anchor definition: > I agree your comments. I think the term "trust anchor CA" is more > appropriate. > > > - MUST NOT and MUST for trust anchor: > I understand IETF statement, so I am going to replace "MUST" to > "strongly RECOMMEND" regarding the trust anchor. > > - Introductionally text: > I basically agree with Stephen. To update the text, I'm talking with > co-authors. > > For publishing this document as informational RFC, is there any word I > must consider elsewhere? > > > Thanks, > -- Shima > -- > Masaki SHIMAOKA <m-shimaoka@secom.co.jp> > SECOM IS Lab. > Core Technology Div. > +81 422 76 2105 (4122) > > > On Tue, 4 Dec 2007 23:49:05 -0500 > Stephen Kent <kent@bbn.com> wrote: > > > At 7:34 PM +0100 12/4/07, Martin Rex wrote: > > >The document > > > > > >> - 'Memorandum for multi-domain Public Key Infrastructure > > >> Interoperability' > > > > <draft-shimaoka-multidomain-pki-11.txt> as an Informational RFC > > > > > >creates the impression that "trust anchors" must always be > > >self-signed CA certificates. > > > > > >What is a trust anchor MUST remain completely up to local policy (which > > >might be a client-local policy in some scenarios), there should > > >be NO restriction whatsoever what can be configured as a trust anchor. > > > > > >The idea of a trust anchor is that we trust the (public) key of the > > >trust anchor, that the PKI implementation may perform a reduced > > >(certificate) path validation only up to the trust anchor. > > >The management of trust anchors is also completely a local (policy) issue, > > >i.e. what keys are considered trust anchors, how they are distributed, > > >managed and updated. > > > > > >I am violently opposed to the documents requirements and restrictions > > >what may an what may not be a trust anchor certificate. Document > > >published by the IETF (even if just Informational) should neither > > >make unconditional restrictions (MUST NOT) nor unconditional requirements > > >(MUST) for the selection of trust anchors. Instead, Protocols and > > >implementations SHOULD support the use of arbitrary trust anchors > > >as desired by local policy. > > > > > >-Martin > > > > > > > Martin, > > > > You are right that a TA need not be a self-signed cert, although this > > is the most common format for TA representation. > > > > Your statement about how a TA allows a relying party to "perform a reduced > > (certificate) path validation" is confusing. I believe that we always > > assume that cert path validation terminates at a TA for the RP. We > > both agree that the selection and management of TAs is purely a local > > matter for each RP. > > > > In general I do not worry too much about what an informational RFC > > that is not the product of a working group says. However, looking at > > the abstract for this document I do see some words that cause me some > > concern, i.e., "The objective of this document is to establish a > > standard terminology for interoperability of multi-domain Public Key > > Infrastructure (PKI), where each PKI Domain is operated under a > > distinct policy ..." > > > > We ought not make such strong statements in a document of this sort. > > I agree that the authors need to soften the wording to indicate that > > this document defines terminology to describe multi-domain PKI > > models, as an aid to discussing issues in these contexts. > > > > Steve > > > > _______________________________________________ > > Ietf mailing list > > Ietf@ietf.org > > https://www1.ietf.org/mailman/listinfo/ietf _______________________________________________ IETF mailing list IETF@ietf.org https://www.ietf.org/mailman/listinfo/ietf
- Re: Last Call: draft-shimaoka-multidomain-pki (Me… Martin Rex
- Re: Last Call: draft-shimaoka-multidomain-pki-11.… Stephen Kent
- Re[2]: Last Call: draft-shimaoka-multidomain-pki-… Masaki SHIMAOKA
- Re[2]: Last Call: draft-shimaoka-multidomain-pki-… Masaki SHIMAOKA