RV: [caops-wg] Re: Grid OCSP proposal

Jesus Luna jluna at ac.upc.edu
Mon May 9 12:37:07 CDT 2005


Hi All,
Sorry for the late response, but last week we were not in Barcelona. 
Comments to the last email are shown below in the original text and a 
document with such changes is being attached.
Regards,
Oscar & Jesus

Milan Sova wrote:

>
> -- I've removed several occurrences of "suspend" and "suspended" basically
>    in contexts like "revoked and suspended". IMO suspension is just a
>    special case of revocation.

Agree with you, as Note 3 on page 5 already makes such difference clear 
and no additional remarks are then necessary.

>
> -- Section 2, p.2
>    removed redundant "or invalidated" from "revoked or invalidated" in

OK

>
> -- corrected spelling of "openssl" to "OpenSSL" throughout the
>    document

OK

>
> -- removed (mostly my) comments from the document

OK

>
> -- Section 3, p.3:
>    Removed point about "establishing of authorized OCSP responders
>    between Grid CAs" being the way to achieve interoperability and
>    "trust relationships among Grid PKIs"
>    - it didn't make much sense to me

We have changed the original text a little bit, as the spirit of such 
note is to make clear that a VO may integrate more than one CA and thus 
OCSP Authorized Responders are necessary.

>
> -- Section 3, p.3:
>    Removed point making requirements on the OCSP service provider
>    - I think it belongs into "Requirements" section.

To which point are you referring? We are kind of confused about it :)

>
> -- Section 5.4, p.5:
>    crosslink to Section 4
>    removed "Another Responder discovery solution consists of
>    configuring a Global OCSP Redirector per domain in charge of
>    redirecting the relying party's OCSP request according to specified
>    parameters (i.e. OCSP load, network traffic, availability, etc.)."
>    - it is just a special case of a local trusted responder.

Also we have inserted a crosslink to 6.5 where the Global OCSP 
Redirector is first mentioned (to avoid redundancy).

>
> -- Section 5.7
>    "Revoked with status Suspended or OnHold"
>       -> "...with revocationReason certificateHold..."

OK

>
> -- Section 6.2
>    Crosslink to Section 4

OK

>
> -- Section 6.6
>    reverted the section back to Olle's version. The modified version
>    did not make much sense to me

We have inserted a crosslink to 6.3 as a way to possibly use DeltaCRLs 
(Push Operation Mode) for managing Proxy Certificate Revocation, even 
though we agree that such topic shall remain outside the scope of the 
document.

>
> -- Section 10
>    is empty - I didn't succeed in persuading my OpenOffice to get rid of 
> it ;(

We believe that what happens is that when opening the document with 
Microsoft Word the section numbers are rearranged so that section 10 
shows the following text (which we consider to be correct):

"According to our experience some Grid's Relying Parties may need to 
define OCSP policies related to OCSP behavior as explained in this 
document. Such policies may include rules for dealing with OCSP Requests 
and Responses (i.e. required signatures, required extensions, preferred 
OCSP responders, validation of OCSP Response freshness, response 
caching, etc.) and can be parsed just once at initialization time (i.e. 
Proxy creation).
Finally, service providers implementing OCSP architectures based on Grid 
Services features like discovery and notification should also be 
considered as they may bring interesting advantages to this field."

>
> -- Section 11
>    I'm not sure whether the statement of OCSP policies and Grid
>    Services fits into the document spirit...

We agree on deleting the reference to Grid Services at this moment. 
However, the OCSP Policies proposal has the objective of "customizing" 
the behaviour of OCSP services in a Grid environment by defining several 
of the parameters mentioned in the document. At this time we are working 
on a prototype to show such convenience, so when it is ready we may be 
able to send you the related information.

>
> -- Section 14
>    replaced the Authorized Responder definition by a citation from
>    RFC2560
>    - are we really going to have a Definitions section? If so, it
>      would probably look better if we include some more of them ;)

On second thought, this section can be deleted, as the only definition 
was already mentioned in sections 4 and 8.1.
Taking a closer look at the document, we could not find another term 
suitable to fit as a "definition"; however, if someone else has a 
proposal it may be the time to talk about it.

>
>     Regards
>
By the way, we have a couple of additional questions more or less 
related to such document:
- On the GGF 14, is the CAOPS-WG planning to present some kind of talk or 
meeting about this document? We may have read something about it in the 
minutes from GGF 13, but were not sure...
- We are about to finish some testing of the integration of our OCSP 
classes into the Jglobus libraries, so we may use them in the GT4 Java 
Core and Proxy Init routines. Do you know any existing Grid 
benchmarks/loadtest environments/simulators that can be used to perform 
such testing? Any suggestions?

-- 

____________________
Jesus Luna Garcia
PhD Student. Polytechnic University of Catalonia
Barcelona, Spain
jluna at ac.upc.edu 
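The relying-party OCSP policy rules listed in the quoted section 10 text (required signatures, preferred responders, freshness validation, response caching) and the certificateHold point from Section 5.7 can be made concrete with a small policy evaluator. The following is an added example written for this archive page; it is not code from the CAOPS-WG document, from the authors' OCSP classes or from JGlobus. It assumes a constructed data model in which DER parsing and signature verification have already been done by the OCSP client (the `signature_valid` and `nonce_matched` flags), and the responder and serial values are made up.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set, Tuple

# Constructed model of the fields a relying-party policy needs from an OCSP
# response (RFC 2560 SingleResponse / BasicOCSPResponse). Parsing and
# signature verification are assumed to happen before this check.

@dataclass
class SingleResponse:
    serial: int
    cert_status: str                          # "good", "revoked" or "unknown"
    this_update: datetime
    next_update: Optional[datetime]           # may be absent in a response
    revocation_reason: Optional[str] = None   # CRLReason name, e.g. "certificateHold"

@dataclass
class OcspResponse:
    responder_id: str
    signature_valid: bool                     # responder signature verified elsewhere
    nonce_matched: Optional[bool]             # None when no nonce extension present
    single: SingleResponse

@dataclass
class OcspPolicy:
    trusted_responders: Set[str]              # preferred / authorized responders
    require_signature: bool = True
    require_nonce: bool = False
    clock_skew: timedelta = timedelta(minutes=5)
    max_age: timedelta = timedelta(hours=24)  # accepted age when nextUpdate is absent

def is_fresh(sr: SingleResponse, policy: OcspPolicy, now: datetime) -> bool:
    """thisUpdate must not lie in the future; the response must not be past
    nextUpdate (or older than max_age if nextUpdate is absent), within skew."""
    if sr.this_update > now + policy.clock_skew:
        return False
    if sr.next_update is not None:
        return now <= sr.next_update + policy.clock_skew
    return now - sr.this_update <= policy.max_age

def evaluate(resp: OcspResponse, policy: OcspPolicy, now: datetime) -> str:
    """Return 'good', 'revoked', 'unknown' or 'reject:<why>'."""
    if resp.responder_id not in policy.trusted_responders:
        return "reject:untrusted-responder"
    if policy.require_signature and not resp.signature_valid:
        return "reject:unsigned"
    if policy.require_nonce and not resp.nonce_matched:
        return "reject:nonce"
    if not is_fresh(resp.single, policy, now):
        return "reject:stale"
    if resp.single.cert_status == "revoked":
        # certificateHold is just a revocationReason: suspension counts as revoked
        return "revoked"
    return "good" if resp.single.cert_status == "good" else "unknown"

CacheEntry = Tuple[str, datetime]             # (decision, expiry)

def check_with_cache(cache: Dict[int, CacheEntry], resp: OcspResponse,
                     policy: OcspPolicy, now: datetime) -> str:
    """Reuse a definitive decision until nextUpdate (or thisUpdate + max_age)
    passes; rejections and 'unknown' are never cached."""
    serial = resp.single.serial
    if serial in cache:
        decision, expiry = cache[serial]
        if now <= expiry:
            return decision
        del cache[serial]                     # expired entry: re-evaluate
    decision = evaluate(resp, policy, now)
    if decision in ("good", "revoked"):
        sr = resp.single
        expiry = sr.next_update if sr.next_update is not None else sr.this_update + policy.max_age
        cache[serial] = (decision, expiry)
    return decision

# Constructed sample responses (responder names and serials are made up).
NOW = datetime(2005, 5, 9, 12, 0, tzinfo=timezone.utc)
POLICY = OcspPolicy(trusted_responders={"ocsp.example-ca.test"})

def _resp(serial, status, reason=None, responder="ocsp.example-ca.test",
          signed=True, age=timedelta(hours=1), valid_for=timedelta(hours=3)):
    nxt = None if valid_for is None else NOW + valid_for
    return OcspResponse(responder, signed, None,
                        SingleResponse(serial, status, NOW - age, nxt, reason))

def sample_decisions() -> Dict[str, object]:
    cache: Dict[int, CacheEntry] = {}
    good = _resp(1, "good")
    out = {
        "fresh_good": evaluate(good, POLICY, NOW),
        "on_hold": evaluate(_resp(2, "revoked", "certificateHold"), POLICY, NOW),
        "stale": evaluate(_resp(3, "good", age=timedelta(days=2),
                                valid_for=-timedelta(days=1)), POLICY, NOW),
        "unsigned": evaluate(_resp(4, "good", signed=False), POLICY, NOW),
        "untrusted": evaluate(_resp(5, "good", responder="ocsp.other.test"), POLICY, NOW),
        "no_next_update_old": evaluate(_resp(6, "good", age=timedelta(hours=30),
                                             valid_for=None), POLICY, NOW),
        "cache_first": check_with_cache(cache, good, POLICY, NOW),
        "cache_hit": check_with_cache(cache, good, POLICY, NOW + timedelta(hours=2)),
        "cache_expired": check_with_cache(cache, good, POLICY, NOW + timedelta(hours=4)),
    }
    out["cache_size_after"] = len(cache)
    return out
```

The cache expiry is tied to nextUpdate rather than to an arbitrary TTL, so a cached "good" stops being served once the responder's own validity window closes; at that point the stale response is re-evaluated and rejected instead of being silently reused.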

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OCSP_Requirements_for_Grids_ms_ReplyOM_JLUNA.doc
Type: application/msword
Size: 204288 bytes
Desc: not available
Url : http://www.ogf.org/pipermail/caops-wg/attachments/20050509/13109367/attachment.doc 
