[caops-wg] OCSP call 06 Feb 2006

Mike Helm helm at fionn.es.net
Mon Feb 6 16:16:52 CST 2006


OCSP doc audio conference
2/6/2006 8:02:15 AM

Some sketchy minutes
Attendees: A Sill, Oscar M, J Luna, mwh, O Mulmo, R Cowles?

AI:
Oscar/Jesus will send text to the group, relaying
Chadwick's proxy revocation ideas; 
mwh to incorporate above
O/J will send some more delta CRL - related text
to the group
Authorized responder detail (see below) -> doc
mwh will do new edit (probably Tue/Wed)
mwh will do slides about edits, send to group (Wed/Thu)

Decisions:
Ok to accept changes in current document - group will
continue to send comments to the list on current
content and changes.


Discussion:
Alan Sill: OCSP doc drifts into dangerous, authZ territory
mwh: Not too much - no viewpoint on certs.  Do need authZ for 
  some service supporting proxy cert revocation and blacklisting;
  not really a part of OCSP but part of the service provisioning

Oscar: Dave Chadwick thinks proxy rev might play a role in blacklisting;
make sure to distinguish between authentication & authorization functions;
more .... DC will introduce a validation service proposal of some kind
at GGF 16 in AuthZ WG.
O: [more] proxy cert revocation important but not authZ mechanism

Will send text to list

Discussion Delta crls

O: We have a demo service [model of how to produce & manage delta crl's]

O: cautionary period
Send to list how to define cautionary period
Is mwh's reading of delta crl standard & use correct?

[The certiver folks will send some material on this]

O: agree OCSP good way of managing delta crl's for clients
Discussion on 5.3 where we recommend [maybe, describe?] the use of
non CRL database - will send some requirements for this
Also expand to include CA w/ no delta CRLs

We agree w/ most of the document - ok to accept changes
and proceed to next rev

Question about Authorized Responder, and weaknesses of current CAs:
Many CAs are offline most of the time, and their hosting environment
may not be comfortable with a full-fledged 24 x 7 service such 
as OCSP.

Olle: Auth OCSP responder can issue responder certs in batch -- will put in doc
Addresses one of these problems (the 99.999% uptime problem is out of 
scope but will be noted).

mwh noted a possible GGF attendance problem; may not be present at Athens 
after all.  Will forward slide summary to CAOPS chairs & the group.