Re: PKI Resource Discovery - Proposal for a new Working Item

"Anders Rundgren" <anders.rundgren@telia.com> Sun, 15 July 2007 05:44 UTC

Message-ID: <008601c7c69c$720de6e0$82c5a8c0@arport2v>
From: Anders Rundgren <anders.rundgren@telia.com>
To: Massimiliano Pala <pala@cs.dartmouth.edu>, pkix <ietf-pkix@imc.org>
References: <46969D31.1000803@cs.dartmouth.edu>
Subject: Re: PKI Resource Discovery - Proposal for a new Working Item
Date: Sun, 15 Jul 2007 06:56:02 +0200
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>

Hi Max,

In case you find that there is limited interest in PRQP, I encourage
you to explore other avenues in this space.

As the OpenCA Program Manager, I guess you are aware of the fact
that on-line provisioning of certificates is not fully standardized?
One could consider Xenroll a standard since it is supported by 80%
of the browsers used in PCs.  However, Xenroll is not supported by
more than a tiny fraction of mobile browsers.  The latter is an
interesting target given the 3Bn+ users that will most likely use mobile
phones as their primary, always connected Internet channel.

Theoretically one could distribute keys in SIM cards, but for
practical reasons like operator lock, limited storage, and poor
processing capability, TPMs as defined by TrustedComputingGroup
look like a better candidate for the universal mobile "key-ring".
Various radio-technologies potentially also open these keys for
desktop usage where the phone becomes a "security device" including
an integrated PIN-code terminal.

Although there is also the [not supported by MSFT] JavaScript method
generateCRMFrequest(), it is actually rather primitive compared to
Xenroll, since only the latter allows multiple passes which can be
quite useful.  In fact, IETF's recently launched KEYPROV activity
deals with up to four passes (!) for the provisioning of symmetric keys.
I consider the KEYPROV way of doing things superior to Xenroll
and generateCRMFrequest, since it does not expose an API, just a pure
XML protocol giving a uniform user experience and an easier-to-secure
implementation (APIs can be used in many ways, while strictly defined
XML schema-based protocols give little room for misusage).

===============================================
Anyway, I am currently in a _v_e_r_y_ early stage of addressing this
topic and would not mind cooperation with other knowledgeable people.
===============================================

Regarding PRQP, I still feel a little bit puzzled regarding the
resources it is supposed to discover.  A few examples would not hurt.

Regards
Anders
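As an added illustration of the multi-pass, protocol-not-API approach Anders contrasts with Xenroll and generateCRMFrequest(), here is a four-pass symmetric-key provisioning exchange with both sides in one script. This is example code written for this page; it is not code from the thread, from OpenCA, or from KEYPROV, and it is a deliberately simplified sketch rather than KEYPROV's actual DSKPP protocol. Assumptions: each client holds a one-time activation code shared out of band at registration (that step is out of scope), HMAC-SHA256 serves as the key-derivation function, and the message field names are invented for the example. The point it shows is that the provisioned key never travels on the wire, both nonces bind it to one session, each side proves to the other that it derived the same key, and a replayed third pass or a wrong activation code is rejected.

```python
# Added example (not from the thread, and not KEYPROV/DSKPP itself): a
# simplified four-pass symmetric-key provisioning exchange, stdlib only.
# Assumptions: an activation code AC shared out of band per client, and
# HMAC-SHA256 as the key-derivation function. Field names are invented.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def _kdf(secret: bytes, label: bytes, r_c: bytes, r_s: bytes, key_id: str) -> bytes:
    """HMAC-SHA256 over (label, both nonces, key id); used for K and for the MACs."""
    msg = b"|".join([label, r_c, r_s, key_id.encode()])
    return hmac.new(secret, msg, hashlib.sha256).digest()


@dataclass
class Client:
    client_id: str
    activation_code: bytes                      # shared out of band (assumption)
    r_c: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    r_s: bytes = b""
    key_id: str = ""
    key: Optional[bytes] = None

    def pass1(self) -> dict:
        # Pass 1: open the session with a fresh client nonce.
        return {"client_id": self.client_id, "r_c": self.r_c.hex()}

    def pass3(self, pass2: dict) -> dict:
        # Pass 3: derive K from AC and both nonces, prove possession with a MAC.
        self.r_s, self.key_id = bytes.fromhex(pass2["r_s"]), pass2["key_id"]
        self.key = _kdf(self.activation_code, b"key", self.r_c, self.r_s, self.key_id)
        mac = _kdf(self.key, b"client-confirm", self.r_c, self.r_s, self.key_id)
        return {"client_id": self.client_id, "key_id": self.key_id, "mac": mac.hex()}

    def finish(self, pass4: dict) -> bool:
        # Pass 4 check: keep K only if the server proves it derived the same K.
        if pass4.get("status") != "ok" or self.key is None:
            self.key = None
            return False
        expected = _kdf(self.key, b"server-confirm", self.r_c, self.r_s, self.key_id)
        ok = hmac.compare_digest(expected, bytes.fromhex(pass4["mac"]))
        if not ok:
            self.key = None
        return ok


@dataclass
class Server:
    activation_codes: Dict[str, bytes]           # client_id -> AC, registered out of band
    sessions: Dict[str, Tuple[bytes, bytes, str]] = field(default_factory=dict)
    provisioned: Dict[str, bytes] = field(default_factory=dict)  # key_id -> K

    def pass2(self, pass1: dict) -> dict:
        # Pass 2: answer with a server nonce and the identifier the key will get.
        client_id = pass1["client_id"]
        if client_id not in self.activation_codes:
            return {"status": "rejected", "reason": "unknown client"}
        r_s, key_id = secrets.token_bytes(16), "key-" + secrets.token_hex(4)
        self.sessions[client_id] = (bytes.fromhex(pass1["r_c"]), r_s, key_id)
        return {"status": "ok", "r_s": r_s.hex(), "key_id": key_id}

    def pass4(self, pass3: dict) -> dict:
        # Pass 4: verify the client's proof. The session is consumed either way,
        # so a replayed pass 3 finds no session and is rejected.
        session = self.sessions.pop(pass3["client_id"], None)
        if session is None:
            return {"status": "rejected", "reason": "no open session"}
        r_c, r_s, key_id = session
        ac = self.activation_codes[pass3["client_id"]]
        k = _kdf(ac, b"key", r_c, r_s, key_id)
        expected = _kdf(k, b"client-confirm", r_c, r_s, key_id)
        if key_id != pass3["key_id"] or not hmac.compare_digest(expected, bytes.fromhex(pass3["mac"])):
            return {"status": "rejected", "reason": "bad activation code or tampered nonces"}
        self.provisioned[key_id] = k
        del self.activation_codes[pass3["client_id"]]   # AC is single use
        mac = _kdf(k, b"server-confirm", r_c, r_s, key_id)
        return {"status": "ok", "key_id": key_id, "mac": mac.hex()}


def run_exchange(client: Client, server: Server) -> Tuple[bool, dict]:
    """Drive all four passes; return (client accepted K, the pass-3 message)."""
    pass2 = server.pass2(client.pass1())
    if pass2.get("status") != "ok":
        return False, {}
    pass3 = client.pass3(pass2)
    return client.finish(server.pass4(pass3)), pass3


if __name__ == "__main__":
    server = Server({"alice": b"AC-1234", "mallory": b"AC-9999"})
    ok, pass3 = run_exchange(Client("alice", b"AC-1234"), server)
    print("alice provisioned:", ok)
    print("replayed pass 3:", server.pass4(pass3)["status"])
    print("wrong activation code:", run_exchange(Client("mallory", b"guess"), server)[0])
```

Because every field the client may send is a fixed part of a fixed message shape, the server has nothing to interpret beyond nonce, key id and MAC; that is the "little room for misusage" property of a schema-bound protocol, as opposed to a scriptable API whose calls a page can string together in unexpected orders.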

----- Original Message ----- 
From: "Massimiliano Pala" <pala@cs.dartmouth.edu>
To: "pkix" <ietf-pkix@imc.org>
Sent: Thursday, July 12, 2007 23:29
Subject: PKI Resource Discovery - Proposal for a new Working Item


Hi all,

some time ago I posted a message about a proposal for a PKI Resource Discovery
Protocol (PRQP), which I finally formalized and submitted as an I-D.
Unfortunately, because the deadline was already over, it will probably not be
published on the IETF archive before the next meeting.

Thanks to all of you who actually helped me and provided useful comments.

At this point we would like to know if the WG would like to take this as
a working item as we really think it could improve the usability and
interoperability of PKIs (especially for isolated PKI islands or in
environments like Grids).

The proposed I-D can also be found here:

   https://www.openca.org/projects/libprqp/docs/draft-pala-prqp-00.html

or here:

   https://www.openca.org/projects/libprqp/docs/draft-pala-prqp-00.txt

I hope there will be time to talk about the proposal at the meeting in
Chicago.

-- 

Best Regards,

Massimiliano Pala

--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]            pala@cs.dartmouth.edu
                                                  project.manager@openca.org

Dartmouth Computer Science Dept               Home Phone: +1 (603) 397-3883
PKI/Trust - Office 063                        Work Phone: +1 (603) 646-9179
--o------------------------------------------------------------------------