
Re: Evaluation: draft-ietf-pkix-pi - Internet X.509 Public Key Infrastructure Permanent Identifier to Proposed Standard





--On Thursday, April 24, 2003 15:33:05 -0400 Russ Housley <housley@vigilsec.com> wrote:

Leslie:

I have little experience with URIs, and I would be pleased to provide
constructive feedback to the authors in this area.  In fact, I would be
fine with limiting the authority name to an OID.

What do others on the IESG think?

1) some people feel uncomfortable around OIDs. For one thing, there's no "authorized" way of getting to know anything more about them than the values of their numbers, and the numbers give no hint of their identity.

2) some people feel uncomfortable around URIs. Their content is much too subject to various interpretations and abuses for comfort, and people make sometimes-unreasonable guesses based on the strings embedded therein.

So the situation is kind of symmetrical....

I think the document needs to set either definite rules or no rules for the URI; i.e. either something like

If the interpretation of the URI changes, all certificates using this
URI may be invalidated. This argues for using a stable URI. How to
achieve stability is not described here.

or go into gory details about it (said gory details being beyond my competence to write).

If we leave the URI off the spec, we'll never get it back - at least not in this extension. And I think that would require another round through the working group - I assume it's there because someone desperately wants it?

Harald