Message info
To: Anders Rundgren
From: Stefan Santesson
Subject: Re: [pkix] Agenda requests for Paris
Date: Sun, 18 Mar 2012 16:43:36 +0100


Do you have an A shaped teflon non-stick desk at your office?
I think it would suit you quite well.


On 12-03-18 4:30 PM, "Anders Rundgren" <> wrote:

>On 2012-03-18 12:15, Yoav Nir wrote:
>> Anders,
>> IMO "relevant" is whatever the group decides is relevant as long as the
>> IESG agrees. If you want the working group to do something, such as
>> devices with embedded credentials, you should propose this to the group.
>Once upon a time there was a single enterprise OS standard; it was called
>Each vendor could easily create s.c. "Windows-compatible" solutions by a
>of proprietary DLLs and EXEs.
>These days are gone. Now customers are facing a multitude of mobile
>with quite different software distribution and security models.
>Currently I'm struggling with a mobile PKI + FW using Cisco's ASA +
>The absence of useful enrollment/setup standards in this space forces you
>"rooted" phones, quirky user-interfaces, least common denominator
>and extended deployment times.
>Unless something in the process (and attitude) changes, I remain convinced
>that PKIX should stick to the PKI core and leave applications like EST aside.
>> A few years ago I had a proposal to IPsecME but couldn't attend. I
>>asked someone else who *was* attending to present it for me. I prepared
>>the slides and everything, and listened to the audio stream. While there
>>is work being done (see the vmeet list) that may allow people to present
>>remotely, results so far have been a mixed bag. Surely you can go to
>> , and find one of
>>the 1347 people listed there (as of right now) who might be interested
>>enough to present slides that you would prepare for him or her.
>> I don't think a time slot reserved for "discussion of the fact that
>>mobile devices with embedded credentials will most likely constitute
>>the bulk of the client-side of PKI" will do much without a draft, a
>>presentation, or at the very least, someone to lead the discussion.
>> Yoav
>> -----Original Message-----
>> From: [] On Behalf Of
>>Anders Rundgren
>> Sent: 18 March 2012 11:38
>> To: Stefan Santesson
>> Cc:
>> Subject: Re: [pkix] Agenda requests for Paris
>> On 2012-03-18 01:45, Stefan Santesson wrote:
>>> Anders,
>>> You are missing the point.
>> Not really, I'm just looking at things from a different angle.
>> IMHO, "relevance" has become an overarching issue for SDOs due to the
>>fact that the IT-landscape has changed tremendously the last ten years:
>> - Continuously shorter product cycles
>> - Vendors that single-handedly define complete and globally operating
>>ecosystems, from devices to services
>> - Open source as a means to reduce costs and improve interoperability
>> Since "my" issue (affecting billions of other humans) obviously is not
>>of any interest to you or Steve, PKIX's future probably is about
>>managing the PKI core documents (Certificates, CRL and OCSP).
>> That said, new efforts in the more application-oriented part of the PKI
>>universe, like the recent EST work-item, seem much less likely to pan
>>out since these require alien elements like strategy, marketing, and gap
>> OTOH, deployment given the current SCVP/OCSP discussions doesn't seem
>>to be a major issue. In my world deployment and relevance are
>> Yes, I know this is a minority view :-)
>> Anders
>>> You are free to discuss any issues that are related to the charter of
>>> this WG.
>>> If you want to discuss things with other IETFers, it is a great
>>> opportunity to come to the conference and talk to people.
>>> Just don't expect people to spend time discussing your issues at the
>>> meeting unless you are prepared to come and ask for a timeslot.
>>> /Stefan
>>> On 12-03-17 2:09 PM, "Anders Rundgren" <>
>>>> On 2012-03-17 13:32, Stefan Santesson wrote:
>>>>> Anders,
>>>>> It does not work that way, no matter how interesting your issue
>>>>> might be.
>>>> You mean that IETF statutes don't permit discussing possible future
>>>> work-items without a proposer actually being physically present?
>>>> Anyway, your colleague in the Swedish EID2-project, Leif Johansson,
>>>> indeed mentioned the very same issue "as highly problematic" in a
>>>> panel session in the IDTrust/NSTIC event that we both attended this
>>>> week in Washington DC.
>>>> Somewhat related: From what I can see the rationale for EST hasn't
>>>> been discussed at all on this list. I don't think even Cisco in the
>>>> end will support EST since it doesn't add functional improvements.
>>>> Even the target "Simple PKI client" seems to be left to the reader to
>>>> guess what it could possibly be. Do YOU know?
>>>> Anders
>>>>> If you want to raise an issue at the meeting, then you need to ask
>>>>> for a slot and show up at the meeting.
>>>>> If you can't be bothered, convince someone that will be present to
>>>>> do it for you.
>>>>> If you can't do that even, then discuss it on the list.
>>>>> /Stefan
>>>>> On 12-03-17 9:56 AM, "Anders Rundgren" <>
>>>>> wrote:
>>>>>> Stefan,
>>>>>> I will unfortunately not be able to attend.
>>>>>> May I suggest that the crowd spends some 10 minutes on discussing
>>>>>> how PKIX intends to deal with the fact that mobile devices with
>>>>>> embedded credentials will most likely constitute the bulk of the
>>>>>> client-side of PKI?
>>>>>> Even the US government have realized (it took some time...) that
>>>>>> "Derived Credentials" is probably a better solution than "putting
>>>>>> PIV on a string":
>>>>>> 1_nist-800-63-1_overview_enewton.pdf
>>>>>> It is (at least to me) obvious that ambitious efforts such as
>>>>>> President Obama's NSTIC program won't go particularly far without
>>>>>> having secure, convenient, and interoperable enrollment solutions.
>>>>>> However, then we enter the minefield known as "Token Provisioning"
>>>>>> which currently only is covered by proprietary solutions like the
>>>>>> Google Wallet.
>>>>>> Giving in to Google may though be the best for the market since a
>>>>>> leading vendor can (as Microsoft did in the past) indirectly
>>>>>> enforce the necessary "compliance" on the other parties.
>>>>>> The opportunity for a standard addressing 5-10 BILLION of connected
>>>>>> devices won't exist 3 years from now, at least if we are talking
>>>>>> about a *used* ditto.
>>>>>> If you are the daring type you might even perform a straw poll on
>>>>>> the topic :-)
>>>>>> Anders

pkix mailing list