

To: keydist@cafax.se
Cc: lewis@tislabs.com
From: Edward Lewis <lewis@tislabs.com>
Date: Thu, 27 Dec 2001 14:28:58 -0500
Delivery-Date: Thu Dec 27 20:29:02 2001
Sender: owner-keydist@cafax.se
Subject: What are we trying to do?

What is the goal of this effort?

My opinion is that we are trying to provide a common means for applications
to distribute public keys amongst elements scattered across the
(inter)network.

I think applications like SSH, IPSEC, and a few others have some shared
needs.  Other applications, like email, have different needs.  (One
observation is that the first set do not need to archive keys, the latter
does.  Another is that the first set could rekey on a connection or session
basis, the latter doesn't rekey for a particular message.)  I would have
guessed that NTP would use keys much the same way as SSH and IPSEC, but NTP
uses certificates instead.  As far as other applications, I'd have to shrug
my shoulders at this point.  (In other words, I know I don't know much.)

The target service I see is key distribution, perhaps a touch of key
management, but far short of key generation, agreement, escrow, revocation,
etc.  PKIs have a whole lot of service requirements which I believe are
beyond our scope; further, I think the requirements on PKIs are already
understood to some point of maturity and are addressed by the candidates
mentioned in another mail (PKIX, SPKI, PGP).

As we come to discover the common set of services needed, we will need to
study the applications for their use of keys and trust models.  During
these studies, I see us trying to codify unwritten rules (if not already
written).  I don't see us trying to modify or strengthen the security of
applications - as an explicit goal.

I think it is important to hear opinions on "what are we trying to
provide?"  If we don't discuss this first, we won't know when we are done.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                NAI Labs
Phone: +1 443-259-2352                      Email: lewis@tislabs.com

Opinions expressed are property of my evil twin, not my employer.


