[caops-wg] OCSP requirements - final(?) version uploaded

Jesus Luna jluna at ac.upc.edu
Fri May 27 07:03:32 CDT 2005 

Hi,
After reading the document I've only a few comments:
* The header has something like "Jesus Luna, UAB". Could you please 
change it to "Jesus Luna, UPC" as I'm at the Universitat Politecnica de 
Catalunya :)

* BTW Authors affiliation (section 10) for Oscar and myself are:
Oscar Manso
CertiVeR
Diputacion 238 1o 4a. Barcelona
Spain
email: o.manso at certiver.com

Jesus Luna
Universitat Politecnica de Catalunya
Jordi Girona 1-3, D6 116. Barcelona
Spain
email: jluna at ac.upc.edu

* In section 2 (former section 3) the following text was removed: 
"Grid’s Virtual Organizations may contain more than one CA, so 
establishment of OCSP Authorized Responders between them is essential to 
provide an interoperable service." When we proposed such change we were 
thinking in the importance of highlighting the co-existence of multiples 
CAs into the same VO as a practical challenge for Grid OCSP. What do you 
think?

* We noted that references to "Global Redirector Mode" (former section 
6.5) were integrated into section 5.4 (current document) as "central 
redirector". That was an appropiate change as it defines very well the 
idea behind this concept, good! :)

* Page 7, section 5.5: the paragraph suggesting the use of Delta CRLs to 
obtain Proxy Certificate´s status has been deleted ("Another option 
refers to using OCSP in a Push Operation Mode as mentioned in section 
6.3, where relying parties SHOULD obtain revocation information through 
its OCSP service provider as soon as it is updated by the corresponding 
CA through Delta-CRLs"). Only as a way to let the reader know about this 
possibility, don't you think that it is worth to keep?

* In section "7. OCSP Service Architecture" we have a couple of 
suggestions:
--In the last paragraph on page 9 we propose to clarify the text 
"...incoming OCSP request in turn copied by the OCSP client from the 
subscriber certificate that is currently being validated." changing it 
with the following "...incoming OCSP request specified by the client 
according to the AIA extension in the certificate that is currently 
being validated".

--In the second paragraph on page 10 the text "...may join efforts and 
set up a shared Trusted responder that serves requests on behalf on all 
of the CAs", from our point of view if a set of CAs will trust in a 
Responder then it becomes an Authorized Responder. That is because by 
definition the CA does not *trust* in a Trusted Responder (in fact is 
the User who *trusts* in such Trusted Responder) . Because is the CA 
which *trusts* in the Authorized Responder we propose to modify the 
original text with: "...may join efforts and set up a shared Authorized 
responder that serves requests on behalf on all of the CAs". The "Note" 
right after the original text should be kept as it defines precisely the 
*trust* relation between PMAs and OCSP responders.

*We have been analyzing the new diagram in figure 1 and we find that we 
would need to clarify the trust relationships among the different 
components that are presented. For this reason, we suggest that in 
section 7 we could add a couple of lines to definitions 7.1 and 7.2 
referring to "trust relationships" between User-Trusted 
Responder-Authorized Responder-CA, which may help to justify the 
architecture (figure 1):
-- At then end of definition 7.1: "The CA trusts in the Authorized 
Responder as a source of status information for the certificates of its 
own hierarchy . On the other hand, if the Client does not trust such 
hierarchy then it will not trust in such Authorized Responder".
-- At the end of denifition 7.2: "The User trusts in the Trusted 
Responder as a source of status information for the CAs hierarchies 
which it has configured. However these CAs will not implicetly trust in 
such Trusted Responder".
If these two points require further discussion, we suggest to ommit them 
from the document and discuss them during the GGF14 meeting.

Best regards and we'll be looking forward for your comments,
Oscar & Jesus

Olle Mulmo wrote:

> All,
>
> I cleaned up the document and resolved some of the outstanding issues. 
> Tracking was too hard to keep around (too many changes) so I removed 
> those.
>
> Note that document submission for GGF14 is tomorrow. I would request 
> that the members of this list read through the document NOW (yes, 
> prior to the meeting), and bring up any comments on the document on 
> this list, ideally so that we can go to GGF14 with the document in WG 
> last call.
>
> The document can be obtained at
>
> https://forge.gridforum.org/projects/caops-wg/document/ 
> OCSP_requirements_for_Grids/en/1
>
> A PDF rendering is attached for your convenience.
>
> /Olle
>


-- 

____________________
Jesus Luna Garcia
PhD Student. Polytechnic University of Catalonia
Barcelona, Spain
jluna at ac.upc.edu

More information about the caops-wg mailing list