draft meeting minutes for review & comment by 8-20

Stephen Kent <kent@bbn.com> Wed, 04 August 2004 19:14 UTC

Date: Wed, 04 Aug 2004 14:04:58 -0400
To: ietf-pkix@imc.org
From: Stephen Kent <kent@bbn.com>
Subject: draft meeting minutes for review & comment by 8-20

PKIX WG Meeting 8-4-04

Edited by Steve Kent

Chairs: Stephen Kent <kent@bbn.com> & Tim Polk <tim.polk@nist.gov>

The PKIX WG met once during the 60th IETF. A total of approximately 
73 individuals participated in the meeting.


WG Status and Direction

Document Status Review [Tim Polk (NIST)]

The working group has a number of Internet-Drafts.  Many documents 
are with the ADs or in various stages of WG Last Call. Several others 
are ready for Last Call. Also, the working group milestones have 
been out of date, although several were recently updated. An 
additional pass to revise the milestones will be made by the WG 
chairs, and the results posted to the WG home page. (slides)


PKIX WG Specifications

LDAP Specifications

PKIX has a number of LDAP-based specifications supporting publication 
and distribution of certificates and CRLs.


LDAP Schemas, String Values, etc. - David Chadwick (U. of Salford)

  draft-ietf-pkix-ldap-crl-schema-02.txt
  draft-ietf-pkix-ldap-ac-schema-01.txt

The WG has a suite of LDAP-PKIX drafts forming a comprehensive 
solution for LDAP based PKI information distribution.  New drafts of 
two I-Ds have been submitted since IETF 59 and additional drafts will 
be published soon after this meeting. Documents will be 
Informational, WG submissions, having previously been individual 
submissions. A late September WG last call is planned, to accommodate 
the author's schedule. (slides)


Practical Considerations for Use of LDAP in PKIX - Kurt Zeilenga 
(LDAPbis WG co-chair)

        Practical considerations must be considered to maximize the 
utility and interoperability of LDAP-based PKIs. This presentation 
discussed known issues and (where applicable) ways to address them. 
Highlights include ";binary" support. Goal is to complete this work 
(3 documents) via staged WG last calls in late August, September, and 
October, so that all 3 are done before D.C. IETF meeting. (slides)


Matching Text Strings in PKIX Certificates - Paul Hoffman (IMC) & 
Steve Hanna (Sun->Funky)

  draft-hoffman-pkix-stringmatch-00.txt

        This specification describes the use of (LDAP) Stringprep to 
support comparison and matching of international text strings.  This 
document resolves an open issue from RFC 3280, where the minimum 
requirements for name comparison were specified as binary matching. 
Since the publication of RFC 3280, the Stringprep specification has 
been completed, providing a solid basis for comparison and matching 
of text strings in PKIX certificates. Target is a standards track 
document as a PKIX WG item, to be referenced from 3280bis. X.500 
provides per-attribute matching rules, and is being updated to use 
Stringprep, so the emphasis in PKIX should be on alternative name 
matching. Target is to identify, and resolve, issues by the next IETF 
meeting. (slides)


RFC 3280 Progression - Tim Polk (NIST)

        NIST will present the current plan and milestones for 
progression of RFC 3280 to Draft Standard. Russ identified a problem 
for 3280bis, related to international string matching, i.e., 3280 
punted on the topic of wildcard matching, and so 3280bis needs to 
address this issue, in the Stringprep context. (slides)


Subject Identification Method - Tim Polk (NIST) for Jongwook Park (KISA)

  draft-ietf-pkix-sim-03.txt

        A new draft of the Subject Identification Method has been 
submitted since IETF 59.  The document is relatively stable and 
mature.  WG Last Call is expected very soon for the next (final?) 
draft of this document. (slides)


SCVP Progression - Tim Polk (NIST) for Trevor Freeman (Microsoft)

  draft-ietf-pkix-scvp-15.txt

        This document has been in WG Last Call since early 2004. 
Completion of WG Last Call was blocked by newly identified 
implementation requirements for unsigned messages to support DPD. 
Early proposals did not satisfy RFC 3739, and were rejected.  A new 
draft has been submitted since IETF 59 implementing unsigned messages 
while satisfying RFC 3379 and the implementation requirements. It 
seems likely that additional revisions will be needed before 
the document is finished, given last call comments. Target is to be 
done before D.C. meeting. (slides)


OCSPv1 Progression to DRAFT - Mike Myers (Traceroute)

        Need to resolve an ambiguity in the text, re nonces, to 
clarify this in a fashion that accommodates existing implementation 
practice. Should be a 1 paragraph change and allow the document to 
proceed to DRAFT quickly. (no slides)


Related Specifications & Liaison Presentations

Specification of OCSP in IKEv2 - Mike Myers (TraceRoute)

  draft-myers-ipsec-ikev2-oscp-00.txt

This is an IPsec topic that uses a PKIX protocol. The presentation 
described issues with the specification of OCSP in IKEv2, to provide 
an alternative to sending CRLs via IKE. Motivations are to avoid 
fragmentation concerns in IKE, and because it might be hard to gain 
access to an OCSP server w/o secure access (a chicken & egg problem). 
An individual submission; not a PKIX document. (slides)


User Interface Requirement for the Internet X.509 Public Key 
Infrastructure - Jaehoo Yoon (KISA)

  draft-choi-pkix-ui-00.txt

This document proposes basic requirements for a user interface for 
PKI client software, with an emphasis on usability and smart card 
support. Requirements addressed by the document include root CA 
certificate management, certificate sharing among applications, local 
storage, etc. Targeted to be an informational document for system 
designers. An individual (not PKIX) submission. (slides)