Re: [saag] post-X509 cryptographic identities

Tony Rutkowski <trutkowski.netmagic@gmail.com> Tue, 11 February 2020 14:57 UTC

From: Tony Rutkowski <trutkowski.netmagic@gmail.com>
X-Google-Original-From: Tony Rutkowski <trutkowski@netmagic.com>
Reply-To: trutkowski@netmagic.com
To: Derek Atkins <derek@ihtfp.com>, Michael Richardson <mcr+ietf@sandelman.ca>
Cc: saag@ietf.org, era@x500.eu, jean-paul.lemaire@univ-paris-diderot.fr, Arnaud Taddei <arnaud.taddei@broadcom.com>
References: <157762745765.1150.7880025422884493076@ietfa.amsl.com> <2C5DFA70-AD0E-4139-B28E-2D4EDB6E5409@sinodun.com> <46BDE9EB-6306-4194-AFFA-7E9E6604765F@sinodun.com> <825b8c8e-7ee9-9276-d09e-9c006acf3804@ericsson.com> <CABcZeBOzJ2MRS8deZqN+e-o9tFDwgSrYK3_hmV-0pfO+L9oaVw@mail.gmail.com> <53c87d6b-cad1-3a80-291d-e2a896705da5@ericsson.com> <CABcZeBNJWmFTV==6sa0qnAPyRr4=6OiCacchzobE=RozHnqPdg@mail.gmail.com> <7901248e-c7dd-8a12-65df-f40415fde5e2@cs.tcd.ie> <26497.1581418516@dooku> <8ccb201a00d4e693c882225170ca424f.squirrel@mail2.ihtfp.org>
Organization: Netmagic Associates LLC
Message-ID: <7dba0cd7-5b80-a80d-22ce-954baf7d293b@netmagic.com>
Date: Tue, 11 Feb 2020 09:57:35 -0500
In-Reply-To: <8ccb201a00d4e693c882225170ca424f.squirrel@mail2.ihtfp.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/ZyQZ2cJopgdeIcNJK3Zb019QzM8>
Subject: Re: [saag] post-X509 cryptographic identities

The earliest public description of PKI development and objectives can be 
found in the seminal paper presented by Ruth Nelson in 1987.  See
Ruth Nelson, SDNS Services and Architecture, 10th National Computer 
Security Conference Proceedings, Sept 1987. 
https://csrc.nist.gov/publications/detail/conference-paper/1987/09/21/proceedings-10th-national-computer-security-conference-1987

The specification first appeared in the 1988 CCITT (now ITU-T) Blue Book 
where it was entitled "The Directory - Authentication Framework," in 
conjunction with the OSI internet ensemble of protocols.
https://www.itu.int/itu-t/recommendations/rec.aspx?rec=14033

That was followed in 1990 by its treatment by NIST as part of the GOSIP 
profiles.  See NISTIR 90-4250, Secure Data Network System (SDNS) 
Network, Transport, and Message Security Protocols, 
https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir90-4250.pdf

Shortly afterwards, in 1992, the original 1988 guide for X.509 
implementations was revised.  See ITU-T F.500 (08/1992), International 
public directory services
https://www.itu.int/itu-t/recommendations/rec.aspx?rec=676

ITU-T X.530 (11/2008), Information technology – Open Systems 
Interconnection – The Directory: Use of systems management for 
administration of the Directory,
https://www.itu.int/itu-t/recommendations/rec.aspx?rec=9601

Today, responsibility for X.509 remains with its longtime editor, Erik 
Andersen, who with Jean-Paul Lemaire is working on an update on 
implementations.  They can speak to their efforts to evolve the 
specification and use.  These include two work items:
X.pki-em, Public-key infrastructure: Establishment and maintenance,
https://www.itu.int/itu-t/workprog/wp_item.aspx?isn=13536
X.509prot, Protocol specifications for public-key infrastructure and 
privilege management infrastructure
https://www.itu.int/itu-t/workprog/wp_item.aspx?isn=14393

The legal and public policy issues were extensively treated and 
developed to further the PKI industry through the International Law and 
Policy Forum (ILPF) which was established in the early 1990s and quickly 
evolved to focus on PKI provisioning.  The ILPF was modeled after the 
IETF to treat legal matters.

The IETF's involvement in the space was facilitated by the Internet 
Society purchasing considerable liability insurance in the early 1990s.  
Collaboration on PKI implementations invokes rather considerable 
potential antitrust and tort liability culpability - which is why the 
ITU-T remains the principal responsible body. You might wish to 
collaborate with others dealing with these matters in ITU-T SG17 Q11/17 
led by Jean-Paul, and the X.509 Editor, Erik Andersen.

--tony r

On 2020-02-11 8:30 AM, Derek Atkins wrote:
> On Tue, February 11, 2020 5:55 am, Michael Richardson wrote:
> [snip]
>> I think that the document would say a series of things:
>>    The designers of X500/X509 intended X, but it turned out that this
>>    did not happen, and instead PKIX did Y.
>>
>> (One could substitute X=DN, Y=SAN for instance)
>>
>> I think that it is important for any new identity system to recognize what
>> forces pushed us away from the original vision.
>> We made engineering tradeoffs based upon time, code, bandwidth, round-trips
>> and threats.   Not every such decision is still justified.
>>
>> So this requirements document would essentially be some kind of loving
>> criticism.
> Should this document also include the history of other PKIs, such as SPKI
> and/or OpenPGP's WoT?  I think it would be interesting to put an
> historical contrast on the visions behind the various methods/standards
> and perhaps try to document the reasons (if possible) that "market forces"
> took us in one direction vs another.
>
> -derek