[cap-talk] Interesting PKIX posting

Tony Bartoletti azb at llnl.gov
Wed Jul 23 17:09:40 CDT 2008

Hello cap-talk folk,

Long a believer in the "self-reliant security" models, I just 
received the following posting to the IETF-PKIX WG mailing list, 
introducing potential support of a "PKC-only application security 
scheme" (PKC = PK Crypto) involving "no trusted certification 
authority"  (via a mechanism that defines "Meaningless" certificates 
for interoperability).  This is tantamount to sedition in the PKIX 
X.509 universe, no?

Interested in thoughts on its relative merits or interplay w/YURLs.

Cheers!   ____tony____

(Note: URLS and e-mail addys have embedded whitespace automatically 
added to prevent "easy" clicking on arbitrary email URLs.  So depressing ...)

The posting, by Thierry Moreau, Montreal Canada:

Dear all:

This is a two-fold announcement, big picture and specific document 
announcement. The whole thing is "for your information" as PKIX IETF 
wg participants.

A)	The big picture refers to the "PKC-only application security 
scheme", in which client-server applications may be secured with 
client-side public key pairs, but *no trusted certification 
authority* is involved (server operators are expected to maintain a 
trusted database of their clients' public keys).

B)	The specific document announcement refers to what is required to 
field the PKC-only application security scheme: explicit meaningless 
security certificates. The reference is "Explicit Meaningless X.509 
Security Certificates as a Specifications-Based Interoperability 
Mechanism", http:// www. connotech.com/pkc-only-meaningless-certs.pdf

This post leaves it to your imagination and creativity about how a 
PKC-only security scheme may work in practical details, i.e. how the 
third party trust management may be replaced by first party trust 
management (first party = server operator as the relying party for 
client public keys). I have been doing some work in this area, but I 
have no results to report in a properly written document. Anyway, the 
PKC-only security scheme does not imply significant standardization 
for interoperability among independent service operators.

The document is open for discussion. It covers the minimal provisions 
for PKC-only deployment in the installed base of browsers supporting 
the TLS protocol.

Sometimes in the future, a very reduced version might be prepared as 
an Internet draft intended to the RFC editor publication route 
(RFC3932) with the experimental status (this is different from the 
individual RFC submission route in which the IESG is involved in the 
document publication process but no IETF working group is assigned an 
editorial role).

Good reading.


- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada   H2M 2A1

Tel.: (514)385-5691
Fax:  (514)385-5900

web site: http:// www. connotech.com
e-mail: thierry.moreau at connotech.com

More information about the cap-talk mailing list