RV: [caops-wg] Re: Grid OCSP proposal
Jesus Luna
jluna at ac.upc.edu
Mon May 9 12:37:07 CDT 2005
Hi All,
Sorry for the late response, but last week we were not in Barcelona.
Comments on the last email are shown below in the original text, and a
DOC document with such changes is attached.
Regards,
Oscar & Jesus
Milan Sova wrote:
>
> -- I've removed several occurrences of "suspend" and "suspended", basically
> in contexts like "revoked and suspended". IMO suspension is just a
> special case of revocation.
Agreed, as Note 3 on page 5 already makes that difference clear and no
additional remarks are then necessary.
>
> -- Section 2, p.2
> removed redundant "or invalidated" from "revoked or invalidated" in
OK
>
> -- corrected spelling of "openssl" to "OpenSSL" throughout the
> document
OK
>
> -- removed (mostly my) comments from the document
OK
>
> -- Section 3, p.3:
> Removed point about "establishing of authorized OCSP responders
> between Grid CAs" being the way to achieve interoperability and
> "trust relationships among Grid PKIs"
> - it didn't make much sense to me
We have changed the original text a little, as the spirit of that note
is to make clear that a VO may integrate more than one CA and thus OCSP
Authorized Responders are necessary.
>
> -- Section 3, p.3:
> Removed point making requirements on the OCSP service provider
> - I think it belongs into "Requirements" section.
To which point are you referring? We are kind of confused about it :)
>
> -- Section 5.4, p.5:
> crosslink to Section 4
> removed "Another Responder discovery solution consist of
> configuring a Global OCSP Redirector per domain in charge of
> redirecting the relying party's OCSP request according to specified
> parameters (i.e. OCSP load, network traffic, availability, etc.)."
> - it is just a special case of a local trusted responder.
Also we have inserted a crosslink to 6.5, where the Global OCSP
Redirector is first mentioned (to avoid redundancy).
>
> -- Section 5.7
> "Revoked with status Suspended or OnHold"
> -> "...with revocationReason certificateHold..."
OK
>
> -- Section 6.2
> Crosslink to Section 4
OK
>
> -- Section 6.6
> reverted the section back to Olle's version. The modified version
> did not make much sense to me
We have inserted a crosslink to 6.3 as a way to possibly use DeltaCRLs
(Push Operation Mode) for managing Proxy Certificate Revocation, even
though we agree that this topic should remain outside the scope of the
document.
>
> -- Section 10
> is empty - I didn't succeed in persuading my OpenOffice to get rid of
> it ;(
We believe what happens is that when the document is opened with
Microsoft Word the section numbers are rearranged, so that section 10
shows the following text (which we consider to be correct):
"According to our experience some Grid's Relying Parties may need to
define OCSP policies related to OCSP behavior as explained in this
document. Such policies may include rules for dealing with OCSP Request
and Responses (i.e. required signatures, required extensions, preferred
OCSP responders, validation of OCSP Response freshness, responses
caching, etc.) and can be parsed just once at initialization time (i.e.
Proxy creation).
Finally, service providers implementing OCSP architectures based on Grid
Services features like discovery and notification should also be
considered as they may bring interesting advantages to this field."
>
> -- Section 11
> I'm not sure whether the statement of OCSP policies and Grid
> Services fits into the document spirit...
We agree to delete the reference to Grid Services for now. However, the
OCSP Policies proposal has the objective of "customizing" the behaviour
of OCSP services in a Grid environment by defining several of the
parameters mentioned in the document. At this time we are working on a
prototype to show this convenience, so when it is ready we may be able to
send you the related information.
>
> -- Section 14
> replaced the Authorized Responder definition by a citation from
> RFC2560
> - are we really going to have a Definitions section? If so, it
> would probably look better if we include some more of them ;)
On second thought this section can be deleted, as the only definition
was already mentioned in sections 4 and 8.1.
Taking a closer look at the document we could not find another term
suitable as a "definition"; however, if someone else has a proposal it
may be the time to talk about it.
>
> Regards
>
By the way, we have a couple of additional questions more or less
related to this document:
- At GGF 14, is the CAOPS-WG planning to present some kind of talk or
meeting about this document? We may have read something about it in the
minutes from GGF 13, but were not sure...
- We are about to finish some testing of the integration of our OCSP
classes into the Jglobus libraries, so we may use them in the GT4 Java
Core and Proxy Init routines. Do you know any existing Grid
benchmarks/load-test environments/simulators that can be used to perform
such tests? Any suggestions?
--
____________________
Jesus Luna Garcia
PhD Student. Polytechnic University of Catalonia
Barcelona, Spain
jluna at ac.upc.edu
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OCSP_Requirements_for_Grids_ms_ReplyOM_JLUNA.doc
Type: application/msword
Size: 204288 bytes
Desc: not available
Url : http://www.ogf.org/pipermail/caops-wg/attachments/20050509/13109367/attachment.doc
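The relying-party OCSP policy parameters listed in the quoted section 10 text (preferred responders, freshness validation, response caching, required nonce) together with the certificateHold handling from the section 5.7 comment, as an added example that is not part of this message, the caops-wg draft or the authors' Jglobus OCSP classes. It assumes the OCSP response has already been DER-decoded and its signature verified by the PKI library; the field names follow RFC 2560, the responder name, serial numbers and clock are constructed sample data, and evaluate/ResponseCache are illustrative helpers, not any library's API.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set


@dataclass
class SingleResponse:
    """One SingleResponse of a BasicOCSPResponse (RFC 2560, 4.2.1)."""
    serial: int
    cert_status: str                          # "good", "revoked" or "unknown"
    this_update: datetime
    next_update: Optional[datetime]           # None: no newer information promised
    revocation_reason: Optional[str] = None   # CRLReason name, e.g. "certificateHold"


@dataclass
class OCSPResponse:
    """Decoded response whose signature was already verified elsewhere (assumed)."""
    responder_id: str
    produced_at: datetime
    nonce: Optional[bytes]
    responses: Dict[int, SingleResponse]


@dataclass
class OCSPPolicy:
    """Relying-party OCSP policy, parsed once (e.g. at proxy-init time)."""
    trusted_responders: Set[str]
    max_clock_skew: timedelta = timedelta(minutes=5)
    max_age: timedelta = timedelta(hours=24)  # freshness bound when nextUpdate is absent
    require_nonce: bool = True
    unknown_is_revoked: bool = True           # fail closed on certStatus "unknown"


class PolicyViolation(Exception):
    pass


def evaluate(policy: OCSPPolicy, resp: OCSPResponse, serial: int,
             request_nonce: Optional[bytes], now: datetime) -> str:
    """Return "good" or "revoked" for `serial`, or raise PolicyViolation."""
    if resp.responder_id not in policy.trusted_responders:
        raise PolicyViolation(f"responder {resp.responder_id!r} not allowed by policy")
    if policy.require_nonce and resp.nonce != request_nonce:
        raise PolicyViolation("nonce missing or does not match the request")
    single = resp.responses.get(serial)
    if single is None:
        raise PolicyViolation(f"no SingleResponse for serial {serial:#x}")
    skew = policy.max_clock_skew
    if single.this_update > now + skew or resp.produced_at > now + skew:
        raise PolicyViolation("thisUpdate/producedAt lies in the future")
    if single.next_update is not None:
        if now > single.next_update + skew:
            raise PolicyViolation("response expired: nextUpdate has passed")
    elif now - single.this_update > policy.max_age:
        raise PolicyViolation("response older than the policy's max_age")
    if single.cert_status == "good":
        return "good"
    if single.cert_status == "revoked":
        # certificateHold is a revocationReason, not a separate status:
        # a held certificate is rejected exactly like any other revoked one.
        return "revoked"
    if single.cert_status == "unknown" and policy.unknown_is_revoked:
        return "revoked"
    raise PolicyViolation(f"unusable certStatus {single.cert_status!r}")


@dataclass
class ResponseCache:
    """Per-serial decision cache; an entry lives until nextUpdate (or max_age)."""
    policy: OCSPPolicy
    _entries: Dict[int, tuple] = field(default_factory=dict)

    def store(self, resp: OCSPResponse, serial: int, decision: str) -> None:
        if self.policy.require_nonce:
            return  # a nonce binds the response to one request; reusing it defeats that
        single = resp.responses[serial]
        expires = single.next_update or single.this_update + self.policy.max_age
        self._entries[serial] = (decision, expires)

    def lookup(self, serial: int, now: datetime) -> Optional[str]:
        entry = self._entries.get(serial)
        if entry is None or now > entry[1]:
            self._entries.pop(serial, None)
            return None
        return entry[0]


NOW = datetime(2005, 5, 9, 12, 0, tzinfo=timezone.utc)  # fixed clock (constructed)


def sample_policy() -> OCSPPolicy:
    return OCSPPolicy(trusted_responders={"ocsp.grid-ca.example"}, require_nonce=False)


def sample_response() -> OCSPResponse:
    """Constructed sample: one good, one held and one unknown serial."""
    t0 = NOW - timedelta(hours=1)
    nxt = t0 + timedelta(hours=12)
    return OCSPResponse("ocsp.grid-ca.example", t0, None, {
        0x1001: SingleResponse(0x1001, "good", t0, nxt),
        0x1002: SingleResponse(0x1002, "revoked", t0, nxt, "certificateHold"),
        0x1003: SingleResponse(0x1003, "unknown", t0, None),
    })


def demo() -> dict:
    """Run the policy over the sample and collect accept/reject outcomes."""
    policy, resp = sample_policy(), sample_response()
    out = {k: evaluate(policy, resp, s, None, NOW)
           for k, s in (("good", 0x1001), ("held", 0x1002), ("unknown", 0x1003))}
    strict = OCSPPolicy({"ocsp.grid-ca.example"}, require_nonce=True)
    for name, args in {
        "stale": (policy, resp, 0x1001, None, NOW + timedelta(hours=13)),
        "future": (policy, resp, 0x1001, None, NOW - timedelta(hours=2)),
        "untrusted": (OCSPPolicy({"other"}, require_nonce=False), resp, 0x1001, None, NOW),
        "bad_nonce": (strict, resp, 0x1001, b"\x01\x02", NOW),
    }.items():
        try:
            evaluate(*args)
            out[name] = "accepted"
        except PolicyViolation:
            out[name] = "rejected"
    cache = ResponseCache(policy)
    cache.store(resp, 0x1001, out["good"])
    out["cache_hit"] = cache.lookup(0x1001, NOW + timedelta(hours=10))
    out["cache_expired"] = cache.lookup(0x1001, NOW + timedelta(hours=12))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:13s} {v}")
```

The cache deliberately refuses to store anything when the policy demands a nonce: a nonce ties one response to one request, so serving it again later is a replay, which is why nonce-based freshness and response caching are alternative parameters rather than complementary ones.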