To: Rodney Thayer <rodney@tillerman.to>
Cc: keydist@cafax.se
From: Simon Josefsson <simon+keydist@josefsson.org>
Date: Sat, 29 Dec 2001 16:04:21 +0100
Delivery-Date: Sat Dec 29 16:06:44 2001
In-Reply-To: <5.1.0.14.2.20011228151130.03046e78@127.0.0.1> (Rodney Thayer's message of "Fri, 28 Dec 2001 15:12:51 -0800")
Sender: owner-keydist@cafax.se
User-Agent: Gnus/5.090004 (Oort Gnus v0.04) Emacs/21.1 (i686-pc-linux-gnu)
Subject: Re: What are we trying to do?
Rodney Thayer <rodney@tillerman.to> writes:

> At 04:17 PM 12/28/2001 +0100, Simon Josefsson wrote:
>>PKI (in the PKIX sense) is a different beast than application keys,
>>and I agree there hasn't been much interest in that area. Perhaps
>>focusing on application keys for SSH, IPSEC and possibly PGP as the
>>first step would generate some momentum.
>
> I disagree. PKIX is ONLY application keys. It's intended to be used
> by TLS applications, IKE (the APPLICATION part of IPSEC), SMIME (email
> applications) and probably some others.

I meant that the term "PKI" as defined by PKIX involves quite a lot that
is not under consideration here. I would say that storing PKIX
certificates in DNS (possibly via a reference stored in DNS) is not even
part of the PKI model according to PKIX. DNS could perhaps be a new box
to the left of the "Certificate & CRL Repository", suitable for some
specific applications (IPSEC, SSH, PGP/SMIME, ...), in the picture below.
Calling application keys in DNS a "PKI" is confusing.

+---+
| C |                       +------------+
| e | <-------------------->| End entity |
| r |       Operational     +------------+
| t |       transactions          ^
| i |      and management         |  Management
| f |       transactions          |  transactions       PKI
| i |                             |                    users
| c |                             v
| a | =======================  +--+------------+  ==============
| t |                          ^               ^
| e |                          |               |         PKI
|   |                          v               |      management
| & |                       +------+           |       entities
|   | <---------------------|  RA  |<----+     |
| C |  Publish certificate  +------+     |     |
| R |                                    |     |
| L |                                    |     |
|   |                                    v     v
| R |                                +------------+
| e | <------------------------------|     CA     |
| p |   Publish certificate          +------------+
| o |   Publish CRL                     ^      ^
| s |                                   |      |  Management
| i |                +------------+     |      |  transactions
| t | <--------------| CRL Issuer |<----+      |
| o |   Publish CRL  +------------+             v
| r |                                       +------+
| y |                                       |  CA  |
+---+                                       +------+

               Figure 1 - PKI Entities