Re: [pkix] Agenda requests for Paris

[Yoav Nir <ynir@checkpoint.com>]

Anders,

IMO "relevant" is whatever the group decides is relevant as long as the IESG agrees. If you want the working group to do something, such as mobile devices with embedded credentials, you should propose this to the group. 

A few years ago I had a proposal to IPsecME but couldn't attend. I asked someone else who *was* attending to present it for me. I prepared the slides and everything, and listened to the audio stream. While there is work being done (see the vmeet list) that may allow people to present remotely, results so far have been a mixed bag. Surely you can go to https://www.ietf.org/registration/ietf83/attendance.py , and find one of the 1347 people listed there (as of right now) who might be interested enough to present slides that you would prepare for him or her. 

I don't think a time slot reserved for "discussion of the fact that mobile devices with embedded credentials will most likely constitute of the bulk of the client-side of PKI" will do much without a draft, a presentation, or at the very least, someone to lead the discussion.

Yoav

-----Original Message-----
From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of Anders Rundgren
Sent: 18 March 2012 11:38
To: Stefan Santesson
Cc: pkix@ietf.org
Subject: Re: [pkix] Agenda requests for Paris

On 2012-03-18 01:45, Stefan Santesson wrote:
> Anders,
> 
> You are missing the point.

Not really, I'm just looking at things from a different angle.

IMHO, "relevance" has become an overarching issue for SDOs due to the fact that the IT-landscape has changed tremendously the last ten years:

- Continuously shorter product cycles
- Vendors that single-handedly define complete and globally operating ecosystems, from devices to services
- Open source as a means to reduce costs and improve interoperability

Since "my" issue (affecting billions of other humans) obviously is not of any interest to you or Steve, PKIX's future probably is about managing the PKI core documents (Certificates, CRL and OCSP).

Thar said, new efforts in the more application-oriented part of the PKI universe, like the recent EST work-item seems much less likely to pan out since these require alien elements like strategy, marketing, and gap analysis.

OTOH, deployment given the current SCVP/OCSP discussions doesn't seem to be a major issue.  In my world deployment and relevance are synonymous.
Yes, I know this is a minority view :-)

Anders

> 
> You are free to discuss any issues that are related to the charter of 
> this WG.
> If you want to discuss things with other IETFers, it is a great 
> opportunity to come to the conference and talk to people.
> 
> Just don't expect people to spend time discussing your issues at the 
> meeting unless you are prepared to come and ask for a timeslot.
> 
> /Stefan
> 
> 
> 
> On 12-03-17 2:09 PM, "Anders Rundgren" <anders.rundgren@telia.com> wrote:
> 
>> On 2012-03-17 13:32, Stefan Santesson wrote:
>>> Anders,
>>>
>>> It does not work that way, no matter how interesting your issue 
>>> might be.
>>
>> You mean that IETF statutes doesn't permit discussing possible future 
>> work-items without a proposer actually being physically present?
>>
>> Anyway, your college in the Swedish EID2-project Leif Johansson, 
>> indeed mentioned the very same issue "as highly problematic" in a 
>> panel session in the IDTrust/NSTIC event that we both attended this 
>> week in Washington DC.
>>
>> Somewhat related: From what I can see the rationale for EST haven't 
>> been discussed at all on this list. I don't think even Cisco in the 
>> end will support EST since it doesn't add functional improvements.
>> Even the target "Simple PKI client" seems to be left to the reader to 
>> guess what it could possibly be.  Do YOU know?
>>
>> Anders
>>
>>>
>>> If you want to raise an issue at the meeting, then you need to ask 
>>> for a slot and show up at the meeting.
>>> If you can't be bothered, convince someone that will be present to 
>>> do it for you.
>>>
>>> If you can't do that even, then discuss it on the list.
>>>
>>> /Stefan
>>>
>>> On 12-03-17 9:56 AM, "Anders Rundgren" <anders.rundgren@telia.com>
>>> wrote:
>>>
>>>> Stefan,
>>>> I will unfortunately not be able to attend.
>>>>
>>>> May I suggest that the crowd spends some 10 minutes on discussing 
>>>> how PKIX intends to deal with the fact that mobile devices with 
>>>> embedded credentials will most likely constitute of the bulk of the 
>>>> client-side of PKI?
>>>>
>>>> Even the US government have realized (it took some time...) that 
>>>> "Derived Credentials" is probably a better solution than "putting 
>>>> PIV on a string":
>>>>
>>>>
>>>> http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/2012-02/feb
>>>> 1_nis
>>>> t-
>>>> 800-63-1_overview_enewton.pdf
>>>>
>>>> It is (at least to me) obvious that ambitious efforts such as 
>>>> President Obama's NSTIC program won't go particularly far without 
>>>> having secure, convenient, and interoperable enrollment solutions.
>>>>
>>>> However, then we enter the minefield known as "Token Provisioning"
>>>> which
>>>> currently only is covered by proprietary solutions like the Google 
>>>> Wallet.
>>>>
>>>> Giving in to Google may though be the best for the market since a 
>>>> leading vendor can (as Microsoft did in the past) indirectly 
>>>> enforce the necessary "compliance" on the other parties.
>>>>
>>>> The opportunity for a standard addressing 5-10 BILLION of connected 
>>>> devices won't exist 3 years from now, at least if we are talking 
>>>> about a *used* ditto.
>>>>
>>>> If you are the daring type you might even perform a straw poll on 
>>>> the topic :-)
>>>>
>>>> Anders