[caops-wg] "accredit" and branding

Mike Helm helm at fionn.es.net
Fri Jul 1 18:27:29 CDT 2005


I wanted to talk more about TAGPMA charter use of the word "accredit"
as well as "certify", and the related discussion yesterday.
Maybe we're really talking about a branding scheme.

I thought of accredit as being a heavyweight process, with certification
as one of the components - I was involved in a couple of higher ed
accreditation processes a long time ago & I think that's how they 
were structured. Dictionary use and net use seem synonymous. There
seem to be ISO definitions of them for IT/info sec use (one is ISO 17799;
you figure it out -- there's a freebie here: http://iso-17799.safemode.org).

Accreditation is the process, and certification is the signed statement
that results (my drastic paraphrase).  Another paraphrase would be that
accreditation grants the entity the authority to do something, 
and the certification is a formal written statement to that effect, with
lifetimes, and perhaps other attributes.  In other domains, an effort is
made to distinguish between approval and capability, and accreditation is
focused more on measures of quality and conformance to standards rather
than authority to operate.  I think this is closer to what we do in fact.

The document that David Groep mentioned (& wrote?) is here:
http://www.eugridpma.org/guidelines/EUGridPMA-accreditation-20040402-1-0.pdf
This does describe a process, which is more or less
submission - initial doc review - personal appearance and "defense" -
final edit - enrollment

There's no formal certification, unless publishing in the directory counts.
In a bridge scenario the cross-certificate would be one kind of certification.

I tried to find the OSG letter to the PMA's, I had to settle on one of the
drafts due to lack of time.  In part, it says

	1) We request that you utilize or develop accepted standard 
	accreditation profiles sufficient to assure approximate parity in CAs 
	operating to that profile. We ask that each of you perform peer reviews 
	on CAs within your region to categorize CAs by profile.

Maybe we'd be better served here by talking about branding in the
same context.   For a long time, the EDG was the gold standard for 
Grid CA's.  That was the only "brand" that mattered.  It is still strong,
but things are more complicated now.  We also have relying parties, grid
coalitions or whatever, like OSG, Teragrid, that want some kind of accreditation
(that is they want to outsource as much of the work of CA approval as possible).

Let's stick with the generally accepted meanings of certify and accredit.
Any discussion about process uses them synonymously, and certification is
some kind of publication step at the conclusion of the accreditation process
(perhaps optional).

It seems like there are 2 things that can be "accredited": providers, like CA's, 
and profiles.  The latter seems more like a standard of some sort to me.
Perhaps these should be managed by a standards body like GGF.  
Regional PMA's could choose which ones they could accredit providers
against, based on needs and expertise, and perhaps support others.
Perhaps there should also be some kind of null profile and/or experimental
profile for providers falling outside the published profiles.

There are 3 kinds of branding that could be done.
One is locally approved that is
CA X is TAGPMA - classic pki profile accredited
One is IGTF approved that is
CA X  is IGTF  - classic pki profile accredited
and one is relying party approved  that is
CA X is Teragrid classic pki profile accredited

The 2nd is what we are doing. But this seems unwieldy since there may
be questions raised by a certification done by some regional body outside
its territory (i.e. what value did it add). I think emphasizing the "IGTF"
brand is better than building up the regional. The relying party brand is
stronger, since these are recognized entities, but they have their limits.
Also, we don't want to just be their slaves; this has unintended consequences
when different consortia have colliding requirements. On the other hand,
EDG - approved sure was important.

The EDG/EUgridpma min req profile, the one we call classic, is clearly
one that could be an IGTF branded, since all the regional PMAs are
committed to this profile and there are many instances.

I don't think the IGTF brand and certainly not the TAGPMA brand 
are strong enough on their own yet.   Maybe it is appropriate for
the time being to take up the job of being evaluators for significant
Grid projects, and working out a set of guidelines to apply in
evaluating CA's.  For example, OSG might say that it would accept
any profile, but the following 5 things must be true {....}; in
return, it would allow TAGPMA to say a CA was "OSG accredited",
if TAGPMA's accreditation process indicated that these things were 
true about an applying CA. TAGPMA might apply its own branding by
saying that any of {LCG accredited, OSG accredited, NFC accredited ...} 
constituted TAGPMA accreditation.

For IGTF branding to work, the process for each regional would have to 
be somewhat normalized or accredited also. So for example "IGTF classic PKI"
might require that the EUGridPMA accreditation process above 
be adopted.  It might also be useful to make this an open process
that is representatives from one regional might help various steps
in another regional's accreditation process.  Document review particularly
is something that can be done anywhere in the world at any time.


Conclusion: accredit = certify; an actual "certification" step might be useful;
make the profiles a standards body product; build brands like IGTF; 
normalize process steps to build that brand; rely on big grid branding
to build up regional brand, but don't get shackled to a particular project
