Re: Thoughts from IETF-92
Nico Williams <nico@cryptonector.com> Tue, 31 March 2015 15:58 UTC
Date: Tue, 31 Mar 2015 10:58:41 -0500
From: Nico Williams <nico@cryptonector.com>
To: "Fred Baker (fred)" <fred@cisco.com>
Subject: Re: Thoughts from IETF-92
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/pPKppDm_DUaxdaZ0TixhbiV8mIY>
Cc: IETF Discussion Mailing List <ietf@ietf.org>, Richard Shockey <richard@shockey.us>

On Tue, Mar 31, 2015 at 07:10:43AM +0000, Fred Baker (fred) wrote:
> > On Mar 30, 2015, at 3:55 PM, Richard Shockey <richard@shockey.us> wrote:
> > The CU folks told us that this is the NUMBER 1 issue their members
> > complain about. Yes it is our problem because we define SIP.
>
> I spoke with one of them in the lobby Saturday morning. I explained
> how what she was calling for was a global (federated?) PKI, and she
> wasn’t likely to achieve her goal without one.

How did that go over? Was she more interested in authenticating
services or users? (or both?)

But you know, we have a global, federated PKI: it's called DNSSEC.

> That it wasn’t a protocol problem, as we have the protocols and
> protocol support for it. All it takes is money.

Eh? Money is probably not the most-needed thing.

A PKIX global federated PKI would depend on various things, of which IMO
the biggest are:

 - Universal name constraints deployment (hah)

   Oh, I suppose money would help here.

and

 - Partitioning of the namespace so that relatively few CAs could vouch
   for any given name, and where such CAs coordinate with each other to
   prevent take-overs (as with DNS, where a zone might have multiple
   registrars, but with a single registry for a TLD).

   This probably means having registries and registrars, as in DNS.

   This requires more than money. It requires will.

But..

...The thought occurs that one might as well use DNSSEC if what one
wants is a global, federated PKI.

Of course, using DNSSEC as a PKI does involve solving a variety of
[lesser, IMO] problems (last-mile issues, DANE for more protocols).

Nico
--