IETF Logo Mail Archive

RE: [TLS] Please discuss: draft-housley-evidence-extns-00<

"Peter Williams" <home_pw@msn.com> Mon, 29 January 2007 22:45 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HBfFY-0003BW-1e; Mon, 29 Jan 2007 17:45:20 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HBfFW-0003BQ-MD for tls@ietf.org; Mon, 29 Jan 2007 17:45:18 -0500
Received: from bay0-omc3-s13.bay0.hotmail.com ([65.54.246.213]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HBfFV-0005b3-9P for tls@ietf.org; Mon, 29 Jan 2007 17:45:18 -0500
Received: from hotmail.com ([65.55.131.15]) by bay0-omc3-s13.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Mon, 29 Jan 2007 14:45:16 -0800
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Mon, 29 Jan 2007 14:45:16 -0800
Message-ID: <BAY126-DAV559B3502B45CD7EED944A92A70@phx.gbl>
Received: from 207.68.174.144 by BAY126-DAV5.phx.gbl with DAV; Mon, 29 Jan 2007 22:45:13 +0000
X-Originating-IP: [207.68.174.144]
X-Originating-Email: [home_pw@msn.com]
X-Sender: home_pw@msn.com
From: Peter Williams <home_pw@msn.com>
Date: Mon, 29 Jan 2007 14:45:13 -0800
thread-index: AcdD9Wn6XKfTUfckQMejO/iMYZI5dw==
Thread-Topic: [TLS] Please discuss: draft-housley-evidence-extns-00<
X-Message-Info: LsUYwwHHNt3660MmjhEvYg2f34OAemlK3oXsmRrh6gU=
Received: from smtpde02.sap-ag.de ([155.56.68.170]) by bay0-mc7-f14.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444); Mon, 29 Jan 2007 12:03:53 -0800,from sap-ag.de (smtpde02) by smtpde02.sap-ag.de (out) with ESMTP id VAA10186; Mon, 29 Jan 2007 21:03:47 +0100 (MEZ)
Subject: RE: [TLS] Please discuss: draft-housley-evidence-extns-00<
To: martin.rex@sap.com
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
In-Reply-To: <BAY126-DAV19437672566CEEAE2D22B92A70@phx.gbl> from "home_pw@msn.com" at Jan 29, 7 10:28:32 am
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-15"
Content-Transfer-Encoding: quoted-printable
X-SAP: out
X-OriginalArrivalTime: 29 Jan 2007 20:03:53.0953 (UTC) FILETIME=[9A0B8510:01C743E0]
X-Spam-Score: 4.2 (++++)
X-Scan-Signature: 0a7aa2e6e558383d84476dc338324fab
Cc: tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

all i can really do to respond to that, apart from arguing too recent history, is to cite my actual operational choices today.

i have about 100 users a second doing federated logon, using saml blob exchanged between the two endpoint. Today, i sign/verify the saml using xmldig, as it makes an evidentiary record. I could configure the servers to use tls to exchange the same saml blob, unsigned. But today i lose the evidentiary semantics that the xmldig handshake adds to my audit trail.

if i had tls evidence, i could use the tls variant binding, passing the saml blob in a ticket (peter's solution, today, leveraging existing stds) or in a tls evidence exchange of some form, tomorrow.


-----Original Message-----
From:	"Martin Rex" <martin.rex@sap.com>
Sent:	Monday, January 29, 2007 8:03 PM
To:	"home_pw@msn.com" <home_pw@msn.com>
Cc:	"martin.rex@sap.com" <martin.rex@sap.com>, "tls@ietf.org" <tls@ietf.org>
Subject:	Re: [TLS] Please discuss: draft-housley-evidence-extns-00<

home_pw@msn.com wrote:
> 
> We cannot stop the experimenting. And should not try. Yes, 
> there are lots of hidden agendas. What's new? They didn't 
> stop us transforming PEM into the full spectrum key 
> management world(s) that SSL now enjoys, did they?

But that is very far from what really happened.

The IETF didn't transform PEM into PKI.  SPKI was an IETF approach,
but it seemed to have died down (OpenPGP and SSH do their own formats).

What happened was, that after the OSI communication protocols had
failed miserably in the marketplace, many of the participants of
the OSI/ISO standards organization started staffing IETF working
groups and with pretty complete Proposals (X.509, SSL, S/Mime)
and tried to prevent the IETF from killing further of their existing
work as well.

A lot of stuff in PKI X.509 is complex bloat and burden, and impairs
interoperability for political or business model purposes, and not
for its technical merit.

One of the cumbersome legacy problems resulting from this approach are
the X.500 distinguished names, which are equally unusable for humans
and software.

The XMLsig guys seemed to have realized that problem too far down the road
(stringified distinguished names may be pretty to look at, but close to a
dead-end road for futher PKI processing), so the SubjectKeyIdentifiers
had to be invented and retrofitted later.

-Martin


_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email