Redundant Cert Mgmt Protocols
John Pawling <jsp <at> jgvandyke.com>
1998-02-02 18:50:42 GMT
The 28 Jan 98 S/MIME v3 Certificate Handling I-D, Sec 5 specifies
certificate request and response protocols which are redundant to those
specified as part of the PKIX Working Group Certificate Management Protocol
(CMP). Sec 5.2 specifies the use of SignedData encapsulating a CRMF object.
The CRMF object is harmonized with the PKIX WG, but the Service Indicators
described in Sec 126.96.36.199 and 188.8.131.52 are redundant to the information
contained in the PKIX CMP PKIHeader. Furthermore, Sec 5.6 specifies the use
of a degenerate signedData object as the S/MIME-mandatory response protocol.
This protocol is redundant to the CMP PKIHeader and certRepContent.
The IETF PKIX working group is developing a "harmonized",
application-independent, IETF standard set of cert mgmt protocols (see Dec
97 PKIX WG minutes). IMHO, if the S/MIME Certs I-D mandates any cert mgmt
protocols, then those protocols should be the "harmonized",
application-independent IETF standard protocols. If the S/MIME WG wishes
the Certs I-D to go to last call before the IETF "harmonized" protocols are
complete, then I recommend that all text should be removed from the Certs
I-D that mandates cert mgmt protocols. Once the "harmonized" IETF standard
protocols are completed, then a separate S/MIME WG spec could be drafted
which specifies the use of MIME to communicate CMS-protected "harmonized"
cert mgmt protocol messages.
I believe that it would be a mistake for the Certs I-D to mandate
S/MIME-specific cert mgmt protocols (including the degenerate signedData).
I believe that there are a significant number of organizations that would
like to build a common cert mgmt module (CCMM) that can serve all of the
various apps running on a workstation (see below). I believe that an IETF
standard cert mgmt protocol would make it much easier to develop a standard