Voucher Trading System Application Programming Interface (VTS-API)
RFC 4154

Note: This ballot was opened for revision 06 and is now closed.

(Russ Housley) (was Abstain) Discuss

Discuss (2005-02-03)
  An IESG note is needed.
Comment (2005-02-01)
No email
send info
  I agree with the comments that Ted Hardie made about the text in the
  Security Considerations.

  The IETF does not have a good track record with standards that specify
  APIs.  This document goes a bit further, and it assumes an architecture
  where plug-ins are used.  This narrows the applicability of the API,
  which may be useful or it may completely eliminate any audience for the
  API in a few years.  I doubt that anyone can accurately guess that one.

(Scott Hollenbeck) Yes

(Allison Mankin) No Objection

Comment (2005-02-03)
No email
send info
Given the concerns over the implementation-dependent
security, may I suggest an IESG note stating that this document
is passed with strong reservations about the design
decision to omit specific security functions from the API.

(Ted Hardie) Abstain

Comment (2005-01-31)
No email
send info
The document says this:

   This document assumes that the VTS plug-in is trusted by its user.
   The caller application of a VTS should authenticate the VTS plug-in
   and bind it securely using the VTS Provider information specified in
   the Voucher Component.  This document, however, does not specify any
   application authentication scheme and it is assumed to be specified
   by other related standards.  Until various VTS systems are deployed,
   it is enough to manually check and install VTS plug-ins like other
   download applications.

Given the state of the wg, I won't block on this, but I think this is
yet another case of a "half a bridge" specification, where the security
criticically depends on the half of the bridge that isn't built and won't
be by the WG.  In those cases, when people start driving over the bridge, the fact we put
up a few signs at the end aren't going to be much comfort.

(Sam Hartman) Abstain

Comment (2005-02-02)
No email
send info
I have the same concerns as ted and Russ.