Re: PKI Resource Discovery - Proposal for a new Working Item

"Anders Rundgren" <anders.rundgren@telia.com> Tue, 24 April 2007 18:37 UTC

Message-ID: <000401c78699$ee787b20$82c5a8c0@arport2v>
From: Anders Rundgren <anders.rundgren@telia.com>
To: Massimiliano Pala <pala@cs.dartmouth.edu>, Wen-Cheng Wang <wcwang@cht.com.tw>
Cc: pkix <ietf-pkix@imc.org>
References: <OF40DC074E.35415756-ONC12572C3.0043BD52@frcl.bull.fr> <462D05DA.5060002@cs.dartmouth.edu> <002601c78622$c31e6e70$5d85900a@wcwang> <462E1C8D.8090602@cs.dartmouth.edu>
Subject: Re: PKI Resource Discovery - Proposal for a new Working Item
Date: Tue, 24 Apr 2007 19:44:04 +0200
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>

Hi Max,
Some time ago you proposed new PKI protocols but then you did
not state any specific use-case.  I'm happy to see such now :-)

Regarding painful rollover, I believe a 5-year plan or so is realistic
if it involves certificate changes.   If the idea is really some kind of
"mapping scheme" between existing certificates and services it may
be faster but OTOH I don't really see how such a mapping utility
would work given the huge variations out there.  But maybe you
are thinking of some kind of centralized discovery service?

Personally I'm only interested in decentralized Internet-scale PKI
solutions (the opposite of S/MIME...) and would therefore base
a new scheme on the only Internet-scale "registry" there is: DNS.

I would suggest a scheme based on DNS names which can both be
obtained locally (from a config file) and be supplied in a new
certificate extension.  This would allow step-wise migration,
which has proved to be the fastest route to adoption.  The following
is one way of architecting this:

In the repository/certificate extension: "example.com"

Searched for by an enhanced PKI client:
_thesuperduper-pki-lookup.example.com TXT "something"
_other-pki-lookup-service.example.com TXT "something"

Regarding applications, I would like to add automatic certificate
renewal services support.

regards
Anders
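The DNS lookup scheme sketched above, worked through as an added example (it is not part of the original message or of any PKIX draft): a client takes the base domain either from a local config file, for certificates issued before any such extension existed, or from a hypothetical certificate extension, prefixes a per-service label, and reads the TXT record. The service labels, the TXT payload format (one URL), the config keying and the `Cert` fields are all assumptions, and DNS is replaced by a constructed in-memory zone so the code runs offline. One check a practitioner would add is included: a plain DNS answer is unauthenticated unless DNSSEC-validated, so a pointer to a cleartext http URL is only followed where the fetched object is itself CA-signed (CRLs, OCSP responses); a renewal/enrollment endpoint is not self-authenticating and must be https.

```python
"""Added example (not from the thread): step-wise DNS-based PKI resource discovery.

Query name:  _<service>-pki-lookup.<base-domain>  TXT  "<url>"
Base domain: local config keyed by issuer (legacy certs), else a hypothetical
             certificate extension.  Labels and TXT format are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.parse import urlparse

# Hypothetical service labels -> (label, payload_is_ca_signed).  CRLs and OCSP
# responses carry the CA's own signature, so an unauthenticated DNS pointer to a
# plain-http URL is tolerable for them; a renewal/enrollment endpoint is not
# self-authenticating and must be reached over https.
SERVICES: Dict[str, tuple] = {
    "crl":     ("_crl-pki-lookup", True),
    "ocsp":    ("_ocsp-pki-lookup", True),
    "renewal": ("_renewal-pki-lookup", False),
}

# Constructed zone data standing in for real TXT answers.  A TXT RDATA may be
# split into several <character-string>s that the client must concatenate
# (the example.com CRL entry shows this).
FAKE_ZONE: Dict[str, List[str]] = {
    "_ocsp-pki-lookup.example.com.":    ['"https://ocsp.example.com/"'],
    "_crl-pki-lookup.example.com.":     ['"https://crl.example.com/"', '"ca.crl"'],
    "_renewal-pki-lookup.example.com.": ['"http://renew.example.com/enroll"'],
    "_ocsp-pki-lookup.legacy-ca.test.": ['"https://ocsp.legacy-ca.test/"'],
    "_crl-pki-lookup.legacy-ca.test.":  ['"http://crl.legacy-ca.test/ca.crl"'],
}


def fake_resolve_txt(name: str) -> List[str]:
    """Stand-in for a DNS TXT query; returns the RDATA strings or []."""
    return FAKE_ZONE.get(name, [])


@dataclass
class Cert:
    """Only the fields this example needs (constructed, not a real X.509 parse)."""
    issuer: str
    discovery_domain: Optional[str] = None  # hypothetical new extension


# Migration aid: certificates issued before the extension existed get their
# base domain from local configuration keyed by issuer name.
LOCAL_CONFIG: Dict[str, str] = {"CN=Legacy CA": "legacy-ca.test"}


def base_domain(cert: Cert, config: Dict[str, str] = LOCAL_CONFIG) -> Optional[str]:
    # Local config takes precedence so an operator can override a CA's pointer.
    return config.get(cert.issuer) or cert.discovery_domain


def parse_txt(strings: List[str]) -> str:
    """Concatenate the quoted <character-string>s of one TXT record."""
    return "".join(s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s
                   for s in strings)


def discover(cert: Cert, service: str,
             resolve: Callable[[str], List[str]] = fake_resolve_txt) -> Optional[str]:
    """Return the service URL for this certificate, or None if absent/rejected."""
    domain = base_domain(cert)
    if domain is None:
        return None
    label, ca_signed_payload = SERVICES[service]
    rdata = resolve(f"{label}.{domain.rstrip('.')}.")
    if not rdata:
        return None
    url = parse_txt(rdata)
    p = urlparse(url)
    if not p.netloc or p.scheme not in ("http", "https"):
        return None
    # Without DNSSEC the answer is unauthenticated: only accept cleartext http
    # when the fetched object will be verified against the CA's signature anyway.
    if p.scheme == "http" and not ca_signed_payload:
        return None
    return url


if __name__ == "__main__":
    new = Cert("CN=Example CA", discovery_domain="example.com")
    old = Cert("CN=Legacy CA")  # no extension; local config supplies the domain
    for c in (new, old):
        for svc in SERVICES:
            print(c.issuer, svc, "->", discover(c, svc))
```

Swap `fake_resolve_txt` for a real resolver to use it against live DNS; the rejection of the http renewal pointer for example.com and the acceptance of the http CRL pointer for the legacy CA show where the DNSSEC caveat bites.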




----- Original Message ----- 
From: "Massimiliano Pala" <pala@cs.dartmouth.edu>
To: "Wen-Cheng Wang" <wcwang@cht.com.tw>
Cc: "pkix" <ietf-pkix@imc.org>
Sent: Tuesday, April 24, 2007 17:04
Subject: Re: PKI Resource Discovery - Proposal for a new Working Item


Hello Wen-Cheng,

thank you for the comment. Indeed the distribution of the RQA address
is something tricky, but the AIA/SIA extensions can be used to provide
that. DHCP could also be used for the same purpose on a local
network.

Again, thanks. I'll try to come up with a draft for the WG to read,
hopefully in the next few days (or next week).
Let me know what you think about a possible session/proposal at
the next IETF as well.

Cheers,
Max

Wen-Cheng Wang wrote:
> 
> Dr. Massimiliano Pala,
> 
> That is an interesting idea.
> 
> However, one imaginable problem you might face is "how
> can a relying party (the PRQP client) find an authorized RQA?"
> 
> One straightforward way is to let the CA issue a certificate first to
> delegate the authority to the RQA and then use AIA/SIA extensions
> to provide the URL of the authorized RQA (the authorized PRQP server)
> to the PRQP client. If you are going to adopt this kind of straightforward
> solution, it will not be a painless rollover from traditional ways (embed
> various pointers via CDP, AIA or SIA extensions) to the new way (a single
> AIA/SIA extension containing the authorized PRQP access info). The
> reason why it will not be a painless rollover is that the goal cannot be
> achieved without re-issuing all the existing certificates to
> add the newly defined PRQP access info to the AIA/SIA extension.



-- 

Best Regards,

Dr. Massimiliano Pala

--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]            pala@cs.dartmouth.edu
                                                 project.manager@openca.org

Dartmouth Computer Science Dept               Home Phone: +1 (603) 397-3883
PKI/Trust - Office 063                        Work Phone: +1 (603) 646-9179
--o------------------------------------------------------------------------