On Oct 17, 2012, at 8:42 PM, Ryan Sleevi wrote:

> On Wed, October 17, 2012 11:13 am, Tim Moses wrote:
>> Colleagues - One of the premises of this initiative (perhaps the main
>> premise) was that product developers would be willing to be governed by
>> the results of an industry consensus process when it comes to handling
>> certificates and acting on the results of certificate validation.  That
>> is, that developers would see value in claiming conformance to any
>> resulting standard.  For instance, suppose consensus were to emerge that
>> certain certificate validation failures should be "fatal" (i.e. the
>> associated application should refuse to perform the requested operation),
>> would application developers be willing to modify their products
>> accordingly?
>> 
>> Nothing in the discussions on the list to date confirms or refutes the
>> premise.  I think it would be useful to hear from developers of relevant
>> products how they would view the outcome of this type of IETF initiative.
>> 
>> Thanks a lot.  All the best.  Tim.
>> 
>> T: +1 613 270 3183
> 
> Tim,
> 
> According to your current (third) charter proposal:
> 
> "Future activities may attempt to prescribe how the Web PKI "should" work,
> and the prescription may turn out to be a proper subset of the PKIX PKI. 
> However, that task is explicitly not a goal of the proposed working group.
> Instead, the group's goal is merely to describe how the Web PKI
> "actually" works in the set of browsers and servers that are in common use
> today."
> 
> This would suggest that the current work is not to the production of
> normative work product for any of the participants in the "Web PKI", but
> rather informative work. It seems like discussion about the introduction
> of normative behaviours, for applications or for authorities, was
> something that was explicitly being avoided, as discussed during the
> scoping thread, until such a time as the WG had worked to produce
> informative work.
> 
> At present, I'm very supportive of the work set out in the proposed
> charter, but further broadening the charter to include normative work may,
> I fear, prevent the delivery of useful and relevant documentation that can
> be used today.

It might turn out to be like a dictionary. Modern linguists write descriptive 
dictionaries, so "google" and "friend" become verbs, but then people use those 
dictionaries as the authority of what is correct usage.

Similarly, if this descriptive work shows a disparity, like if certain 
validation failures are fatal in some browsers, but not in others, then the 
lenient browsers might be shamed into complying with the "best practice" as 
described in the descriptive work.

_______________________________________________
wpkops mailing list
wpkops@ietf.org
https://www.ietf.org/mailman/listinfo/wpkops
