

To: Rodney Thayer <rodney@tillerman.to>
Cc: keydist@cafax.se
From: Simon Josefsson <simon+keydist@josefsson.org>
Date: Sat, 29 Dec 2001 16:04:21 +0100
Delivery-Date: Sat Dec 29 16:06:44 2001
In-Reply-To: <5.1.0.14.2.20011228151130.03046e78@127.0.0.1> (Rodney Thayer's message of "Fri, 28 Dec 2001 15:12:51 -0800")
Sender: owner-keydist@cafax.se
User-Agent: Gnus/5.090004 (Oort Gnus v0.04) Emacs/21.1 (i686-pc-linux-gnu)
Subject: Re: What are we trying to do?

Rodney Thayer <rodney@tillerman.to> writes:

> At 04:17 PM 12/28/2001 +0100, Simon Josefsson wrote:
>>PKI (in the PKIX sense) is a different beast than application keys,
>>and I agree there hasn't been much interest in that area.  Perhaps
>>focusing on applications keys for SSH, IPSEC and possibly PGP as the
>>first step would generate some momentum.
>
> I disagree.  PKIX is ONLY application keys.  It's intended to be used
> by TLS applications, IKE (the APPLICATION part of IPSEC), SMIME (email
> applications) and probably some others.

I meant that the term "PKI" as defined by PKIX involves quite a lot
that is not under consideration here.  I would say that storing PKIX
certificates in DNS (possibly via a reference stored in DNS) is not
even part of the PKI model according to PKIX.  DNS could perhaps be a
new box to the left of the "Certificate & CRL Repository", suitable
for some specific applications (IPSEC, SSH, PGP/SMIME, ...), in the
picture below.

Calling application keys in DNS a "PKI" is confusing.

       +---+
       | C |                       +------------+
       | e | <-------------------->| End entity |
       | r |       Operational     +------------+
       | t |       transactions          ^
       | i |      and management         |  Management
       | f |       transactions          |  transactions        PKI
       | i |                             |                     users
       | c |                             v
       | a | =======================  +--+------------+  ==============
       | t |                          ^               ^
       | e |                          |               |         PKI
       |   |                          v               |      management
       | & |                       +------+           |       entities
       |   | <---------------------|  RA  |<----+     |
       | C |  Publish certificate  +------+     |     |
       | R |                                    |     |
       | L |                                    |     |
       |   |                                    v     v
       | R |                                +------------+
       | e | <------------------------------|     CA     |
       | p |   Publish certificate          +------------+
       | o |   Publish CRL                     ^      ^
       | s |                                   |      |  Management
       | i |                +------------+     |      |  transactions
       | t | <--------------| CRL Issuer |<----+      |
       | o |   Publish CRL  +------------+            v
       | r |                                      +------+
       | y |                                      |  CA  |
       +---+                                      +------+

                          Figure 1 - PKI Entities
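
As an added example, not part of the message above nor code from the
keydist list, PKIX, or any DNS implementation: the two ways of putting a
PKIX certificate in DNS that the message mentions, the certificate itself
and a reference to it, expressed as DNS CERT records in the RFC 2538 wire
format.  Assumed here: that the CERT RR is the carrier, that the key tag is
computed with the RFC 2535 appendix C procedure over a key blob, and that
the certificate bytes, key bytes, host name and URI are constructed
placeholders rather than real material.

```python
"""Encode and decode DNS CERT resource records in the RFC 2538 wire format.

Added example; not code from the keydist list, PKIX, or any DNS server.
Assumptions: RFC 2538 CERT RR as the carrier, RFC 2535 appendix C key tag,
and constructed placeholder key, certificate and URI bytes.
"""
import base64
import struct

# Certificate type codes from RFC 2538 section 2.1.
CERT_PKIX = 1    # an X.509 certificate as profiled by PKIX, carried inline
CERT_SPKI = 2
CERT_PGP = 3
CERT_URI = 253   # a URI naming where the certificate actually lives
CERT_OID = 254

FIXED_HEADER = struct.Struct("!HHB")   # 16-bit type, 16-bit key tag, 8-bit algorithm


def key_tag(key_rdata: bytes) -> int:
    """RFC 2535 appendix C key tag over the key that verifies the certificate.

    Applies to every algorithm except RSA/MD5 (algorithm 1), which has its
    own shortcut; the caller is responsible for that special case.
    """
    ac = 0
    for i, b in enumerate(key_rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def encode_cert_rdata(cert_type: int, tag: int, algorithm: int, payload: bytes) -> bytes:
    """Build CERT RDATA: type, key tag, algorithm, then the certificate or URI bytes."""
    if not (0 <= cert_type <= 0xFFFF and 0 <= tag <= 0xFFFF and 0 <= algorithm <= 0xFF):
        raise ValueError("CERT field out of range")
    # RFC 2538 section 2.3: algorithm 0 means "no key", so the tag must be 0.
    if algorithm == 0 and tag != 0:
        raise ValueError("key tag must be 0 when algorithm is 0")
    return FIXED_HEADER.pack(cert_type, tag, algorithm) + payload


def decode_cert_rdata(rdata: bytes):
    """Split CERT RDATA into (type, key tag, algorithm, payload); reject runts."""
    if len(rdata) < FIXED_HEADER.size:
        raise ValueError("CERT RDATA shorter than its 5-byte fixed header")
    cert_type, tag, algorithm = FIXED_HEADER.unpack_from(rdata)
    return cert_type, tag, algorithm, rdata[FIXED_HEADER.size:]


def to_presentation(rdata: bytes) -> str:
    """Master-file form per RFC 2538 section 2.2: type, tag, algorithm, base64 payload."""
    cert_type, tag, algorithm, payload = decode_cert_rdata(rdata)
    return f"CERT {cert_type} {tag} {algorithm} {base64.b64encode(payload).decode()}"


def storage_kind(rdata: bytes) -> str:
    """Tell an inline certificate from a reference, the distinction drawn in the message."""
    cert_type = decode_cert_rdata(rdata)[0]
    return "reference" if cert_type == CERT_URI else "inline"


# Constructed sample data: not real key or certificate material.
SAMPLE_KEY_RDATA = bytes([0x01, 0x02, 0x03, 0x04])
SAMPLE_CERT_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x00])   # tiny DER-shaped placeholder
SAMPLE_URI = b"https://pki.example.invalid/host.der"       # placeholder reference


def inline_record() -> bytes:
    """CERT RR carrying the (placeholder) certificate itself; DSA (algorithm 3) assumed."""
    return encode_cert_rdata(CERT_PKIX, key_tag(SAMPLE_KEY_RDATA), 3, SAMPLE_CERT_DER)


def reference_record() -> bytes:
    """CERT RR carrying only a URI to the certificate: no key, so tag and algorithm are 0."""
    return encode_cert_rdata(CERT_URI, 0, 0, SAMPLE_URI)


if __name__ == "__main__":
    for rr in (inline_record(), reference_record()):
        print(storage_kind(rr), to_presentation(rr))
```

The point the record layout makes concrete is that DNS carries the bytes
(or a pointer to them) and nothing else: the fixed header says which kind
of object follows and which key it belongs to, but issuance, revocation and
the rest of the PKIX model in Figure 1 happen elsewhere.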

