[caops-wg] OCSP call 06 Feb 2006
Mike Helm
helm at fionn.es.net
Mon Feb 6 16:16:52 CST 2006
OCSP doc audio conference
2/6/2006 8:02:15 AM
Some sketchy minutes
Attendees: A Sill, Oscar M, J Luna, mwh, O Mulmo, R Cowles?
AI:
  Oscar/Jesus will send text to the group, relaying Chadwick's proxy revocation ideas;
  mwh to incorporate above
  O/J will send some more delta CRL-related text to the group
  Authorized responder detail (see below) -> doc
  mwh will do new edit (probably Tue/Wed)
  mwh will do slides about edits, send to group (Wed/Thu)
Decisions:
  Ok to accept changes in current document - group will continue to send comments to the list on current content and changes.
Discussion:
Alan Sill: OCSP doc drifts into dangerous, authZ territory
mwh: Not too much - no viewpoint on certs. Do need authZ for
some service supporting proxy cert revocation and blacklisting;
not really a part of OCSP but part of the service provisioning
Oscar: Dave Chadwick thinks proxy rev might play a role in blacklisting;
make sure to distinguish between authentication & authorization functions;
more .... DC will introduce a validation service proposal of some kind
at GGF 16 in AuthZ WG.
O: [more] proxy cert revocation important but not authZ mechanism
Will send text to list
Discussion Delta crls
O: We have a demo service [model of how to produce & manage delta crl's]
O: cautionary period
Send to list how to define cautionary period
Is mwh's reading of delta crl standard & use correct?
[The certiver folks will send some material on this]
O: agree OCSP good way of managing delta crl's for clients
Discussion on 5.3 where we recommend [maybe, describe?] the use of
non CRL database - will send some requirements for this
Also expand to include CA w/ no delta CRLs
We agree w/ most of the document - ok to accept changes
and proceed to next rev
Question about Authorized Responder, and weaknesses of current CAs:
Many CAs are offline most of the time, and their hosting environment
may not be comfortable with a full-fledged 24 x 7 service such
as OCSP.
Olle: Auth OCSP responder can issue responder certs in batch -- will put in doc
Addresses one of these problems (the 99.999% uptime problem is out of
scope but will be noted).
mwh noted a possible GGF attendance problem; may not be present at Athens
after all. Will forward slide summary to CAOPS chairs & the group.