On Oct 17, 2012, at 8:42 PM, Ryan Sleevi wrote:
On Wed, October 17, 2012 11:13 am, Tim Moses wrote:
Colleagues - One of the premises of this initiative (perhaps the main
premise) was that product developers would be willing to be governed by
the results of an industry consensus process when it comes to handling
certificates and acting on the results of certificate validation. That
is, that developers would see value in claiming conformance to any
resulting standard. For instance, suppose consensus were to emerge that
certain certificate validation failures should be fatal (i.e. the
associated application should refuse to perform the requested operation),
would application developers be willing to modify their products
accordingly?
Nothing in the discussions on the list to date confirms or refutes the
premise. I think it would be useful to hear from developers of relevant
products how they would view the outcome of this type of IETF initiative.
Thanks a lot. All the best. Tim.
T: +1 613 270 3183
Tim,
According to your current (third) charter proposal:
Future activities may attempt to prescribe how the Web PKI should work,
and the prescription may turn out to be a proper subset of the PKIX PKI.
However, that task is explicitly not a goal of the proposed working group.
Instead, the group's goal is merely to describe how the Web PKI
actually works in the set of browsers and servers that are in common use
today.
This would suggest that the current work is not to the production of
normative work product for any of the participants in the Web PKI, but
rather informative work. It seems like discussion about the introduction
of normative behaviours, for applications or for authorities, was
something that was explicitly being avoided, as discussed during the
scoping thread, until such a time as the WG had worked to produce
informative work.
At present, I'm very supportive of the work set out in the proposed
charter, but further broadening the charter to include normative work may,
I fear, prevent the delivery of useful and relevant documentation that can
be used today.
It might turn out to be like a dictionary. Modern linguists write descriptive
dictionaries, so google and friend become verbs, but then people use those
dictionaries as the authority of what is correct usage.
Similarly, if this descriptive work shows a disparity, like if certain
validation failures are fatal in some browsers, but not in others, then the
lenient browsers might be shamed into complying with the best practice as
described in the descriptive work.
___
wpkops mailing list
wpkops@ietf.org
https://www.ietf.org/mailman/listinfo/wpkops