Re[2]: Last Call: draft-shimaoka-multidomain-pki-11.txt
Masaki SHIMAOKA <m-shimaoka@secom.co.jp> Tue, 01 April 2008 10:45 UTC
Return-Path: <ietf-bounces@ietf.org>
X-Original-To: ietf-archive@megatron.ietf.org
Delivered-To: ietfarch-ietf-archive@core3.amsl.com
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 003BB28C450; Tue, 1 Apr 2008 03:45:02 -0700 (PDT)
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8622128C424 for <ietf@core3.amsl.com>; Tue, 1 Apr 2008 03:44:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.709
X-Spam-Level: **
X-Spam-Status: No, score=2.709 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_JP=1.244, HOST_EQ_JP=1.265, SUBJ_RE_NUM=2.799]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ED35qwwVB3oz for <ietf@core3.amsl.com>; Tue, 1 Apr 2008 03:44:56 -0700 (PDT)
Received: from ns03.secom.co.jp (ns03.secom.co.jp [61.114.178.249]) by core3.amsl.com (Postfix) with ESMTP id 6E30B28C43A for <ietf@ietf.org>; Tue, 1 Apr 2008 03:44:56 -0700 (PDT)
Received: from mldsit04.intra.secom.co.jp ([172.21.1.41]) by ns03.secom.co.jp (8.12.11.20060308/3.7W) with SMTP id m31AiXWa019428; Tue, 1 Apr 2008 19:44:33 +0900 (JST)
Received: from (exc02.secom.corp [10.1.3.137]) by mldsit04.intra.secom.co.jp with smtp id 5c70_9d8383fe_ffd8_11dc_8f0d_001143d8e641; Tue, 01 Apr 2008 19:44:33 +0900
Received: from EXVS04.SECOM.corp ([10.1.3.141]) by exc02.SECOM.corp with Microsoft SMTPSVC(6.0.3790.1830); Tue, 1 Apr 2008 19:44:32 +0900
Received: from [10.131.128.102] ([10.131.128.102]) by EXVS04.SECOM.corp with Microsoft SMTPSVC(6.0.3790.1830); Tue, 1 Apr 2008 19:44:32 +0900
Date: Tue, 01 Apr 2008 19:44:36 +0900
From: Masaki SHIMAOKA <m-shimaoka@secom.co.jp>
To: Stephen Kent <kent@bbn.com>, martin.rex@sap.com
Subject: Re[2]: Last Call: draft-shimaoka-multidomain-pki-11.txt
In-Reply-To: <20071206125604.1B66.792847B2@secom.co.jp>
References: <p06240527c37b984ca4e8@[130.129.65.93]> <20071206125604.1B66.792847B2@secom.co.jp>
Message-Id: <20080401194418.A729.517D9B22@secom.co.jp>
MIME-Version: 1.0
X-Mailer: Becky! ver. 2.44 [ja]
X-OriginalArrivalTime: 01 Apr 2008 10:44:32.0611 (UTC) FILETIME=[5EBA2330:01C893E5]
Cc: Nelson Hastings <nelson.hastings@nist.gov>, Rebecca Nielsen <nielsen_rebecca@bah.com>, ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: ietf-bounces@ietf.org
Errors-To: ietf-bounces@ietf.org
Martin,
Now we released -12 based on my previous response to you as the result of reflecting your comments.
Additionally,
> - Introductionally text:
> I basically agree with Stephen. To update the text, I'm talking with
> co-authors.
Revised the first sentence in the Abstract as the following:
The objective of this document is to establish a terminology framework
and to suggest the operational requirements of PKI domain for
interoperability of multi-domain Public Key Infrastructure, where each
PKI domain is operated under a distinct policy.
Thanks,
--
Masaki SHIMAOKA <m-shimaoka@secom.co.jp>
SECOM IS Lab.
Core Technology Div.
+81 422 76 2105 (4122)
On Thu, 06 Dec 2007 12:57:42 +0900
Masaki SHIMAOKA <m-shimaoka@secom.co.jp> wrote:
> Stephen and Martin,
> # sorry for twice posting.
>
> Thanks for your quick comments.
>
> - Trust Anchor definition:
> I agree your comments. I think the term "trust anchor CA" is more
> appropriate.
>
>
> - MUST NOT and MUST for trust anchor:
> I understand IETF statement, so I am going to replace "MUST" to
> "strongly RECOMMEND" regarding the trust anchor.
>
> - Introductionally text:
> I basically agree with Stephen. To update the text, I'm talking with
> co-authors.
>
> For publishing this document as informational RFC, is there any word I
> must consider elsewhere?
>
>
> Thanks,
> -- Shima
> --
> Masaki SHIMAOKA <m-shimaoka@secom.co.jp>
> SECOM IS Lab.
> Core Technology Div.
> +81 422 76 2105 (4122)
>
>
> On Tue, 4 Dec 2007 23:49:05 -0500
> Stephen Kent <kent@bbn.com> wrote:
>
> > At 7:34 PM +0100 12/4/07, Martin Rex wrote:
> > >The document
> > >
> > >> - 'Memorandum for multi-domain Public Key Infrastructure
> > >> Interoperability'
> > > > <draft-shimaoka-multidomain-pki-11.txt> as an Informational RFC
> > >
> > >creates the impression that "trust anchors" must always be
> > >self-signed CA certificates.
> > >
> > >What is a trust anchor MUST remain completely up to local policy (which
> > >might be a client-local policy in some scenarios), there should
> > >be NO restriction whatsoever what can be configured as a trust anchor.
> > >
> > >The idea of a trust anchor is that we trust the (public) key of the
> > >trust anchor, that the PKI implementation may perform a reduced
> > >(certificate) path validation only up to the trust anchor.
> > >The management of trust anchors is also completely a local (policy) issue,
> > >i.e. what keys are considered trust anchors, how they are distributed,
> > >managed and updated.
> > >
> > >I am violently opposed to the documents requirements and restrictions
> > >what may an what may not be a trust anchor certificate. Document
> > >published by the IETF (even if just Informational) should neither
> > >make unconditional restrictions (MUST NOT) nor unconditional requirements
> > >(MUST) for the selection of trust anchors. Instead, Protocols and
> > >implementations SHOULD support the use of arbitrary trust anchors
> > >as desired by local policy.
> > >
> > >-Martin
> > >
> >
> > Martin,
> >
> > You are right that a TA need not be a self-signed cert, although this
> > is the most common format for TA representation.
> >
> > Your statement about how a TA allows a relying party to "perform a reduced
> > (certificate) path validation" is confusing. I believe that we always
> > assume that cert path validation terminates at a TA for the RP. We
> > both agree that the selection and management of TAs is purely a local
> > matter for each RP.
> >
> > In general I do not worry too much about what an informational RFC
> > that is not the product of a working group says. However, looking at
> > the abstract for this document I do see some words that cause me some
> > concern, i.e., "The objective of this document is to establish a
> > standard terminology for interoperability of multi-domain Public Key
> > Infrastructure (PKI), where each PKI Domain is operated under a
> > distinct policy ..."
> >
> > We ought not make such strong statements in a document of this sort.
> > I agree that the authors need to soften the wording to indicate that
> > this document defines terminology to describe multi-domain PKI
> > models, as an aid to discussing issues in these contexts.
> >
> > Steve
> >
> > _______________________________________________
> > Ietf mailing list
> > Ietf@ietf.org
> > https://www1.ietf.org/mailman/listinfo/ietf
_______________________________________________
IETF mailing list
IETF@ietf.org
https://www.ietf.org/mailman/listinfo/ietf
- Re: Last Call: draft-shimaoka-multidomain-pki (Me… Martin Rex
- Re: Last Call: draft-shimaoka-multidomain-pki-11.… Stephen Kent
- Re[2]: Last Call: draft-shimaoka-multidomain-pki-… Masaki SHIMAOKA
- Re[2]: Last Call: draft-shimaoka-multidomain-pki-… Masaki SHIMAOKA