[caops-wg] Encoding AIA in first-level Proxy Cert

Mike Helm helm at fionn.es.net
Sun Jan 22 17:49:11 CST 2006


I will come back to this material in a little different way
later, but I wanted to address these points:

Jesus Luna writes:
> About this topic we would like to comment that -in analogy to non-Grid 
> PKIs- revocation of an N-level Proxy Certificate should only be performed 
> by its Issuer (the N-1 level entity; it does not matter whether it is an EEC or 
> another Proxy) *and* by any other entity up to the Root CA itself (that 
> is, hierarchy levels N-2...0). When a certificate is revoked, then the 
> certificates it issued (again, it does not matter whether EEC or Proxies) should be 
> considered revoked.

In DOEGrids ... I am not sure about every other IGTF PKI however ...
end entity certificates can revoke themselves. It's often done. For
instance, when a security issue arose at one site, several customers
revoked their own certificates until local problems were cleared up.

Why wouldn't we permit this idea to be extended to proxy certs?
That is, why shouldn't a proxy cert be permitted to revoke itself?
What conditions would speak against that?


> The "one-request" mechanism proposed in OGRO (embedding the whole Proxy 
> Cert Path in one OCSP Request) could manage this proposal with some 
> modifications, because when the OCSP Response is received it could 
> invalidate the Cert Path just below the certificate whose status is not 
> "Good".
> We have also been exploring the "direct Proxy revocation" method: when a 
> Proxy is destroyed or revoked for any other reason, an 
> "administrative" message is sent to the OCSP Service so the revocation 
> is done directly in its certificate status database. The authorization 
> check on such an admin message is based on a very simple system that 
> verifies whether the issuer (message originator) is able to revoke such a 
> credential (i.e. is part of the Certificate Path and can be found at any 
> level above the Certificate being revoked). This should be customizable 
> by the relying party, i.e. in a new rule of the Grid Validation Policy.
> Based on this, we don't think encoding the AIA into the Proxy 

Let's try to work through some use cases.  This is surely an attractive
idea but I am not sure we can deal with all the corner cases.
More on this in another message (perhaps not directly, though).
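To make the rules under discussion concrete, here is an added example in Python. It is not OGRO's code and not part of the original message; it models three pieces of the quoted proposal plus the self-revocation question raised above: resolving a "one-request" OCSP response over a whole proxy certificate path (everything below the first non-Good certificate is treated as revoked), the authorization check on a direct-revocation admin message (the originator must sit above the target in the path), and a relying-party policy switch standing in for the proposed Grid Validation Policy rule. The certificate names, the `ValidationPolicy` class and its `allow_self_revocation` attribute are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample certificate path. Level 0 is the Root CA, matching the
# quoted numbering (levels N-2 ... 0). The names are an assumption.
PATH = ["Root CA", "DOEGrids CA", "EEC:alice", "Proxy-1", "Proxy-2", "Proxy-3"]

GOOD = "good"
REVOKED = "revoked"
UNKNOWN = "unknown"


@dataclass
class ValidationPolicy:
    """Relying-party setting standing in for the proposed new rule of the
    Grid Validation Policy (attribute name is an assumption).
    allow_self_revocation models the question of whether a proxy
    certificate may revoke itself."""
    allow_self_revocation: bool = False


def effective_statuses(path, ocsp_status):
    """Resolve a one-request OCSP response for a whole path: the first
    certificate whose status is not good cuts the path, and every
    certificate below it is treated as revoked as well."""
    resolved = {}
    cut = False
    for name in path:
        if cut:
            resolved[name] = REVOKED
            continue
        status = ocsp_status.get(name, UNKNOWN)
        resolved[name] = status
        if status != GOOD:
            cut = True
    return resolved


def may_revoke(path, originator, target, policy):
    """Authorization check for a direct-revocation admin message: the
    originator must be in the path and above the target (its issuer or
    any higher level up to the Root CA). Self-revocation is accepted only
    when the relying party's policy allows it; outsiders are rejected."""
    if originator not in path or target not in path:
        return False
    o, t = path.index(originator), path.index(target)
    if o < t:
        return True
    return o == t and policy.allow_self_revocation


def apply_admin_message(status_db, path, originator, target, policy):
    """Apply a revocation message to the OCSP status database when the
    originator is authorized. Returns True if the database changed."""
    if not may_revoke(path, originator, target, policy):
        return False
    status_db[target] = REVOKED
    return True


def path_is_valid(path, status_db):
    """A path is usable only if every certificate in it resolves to good
    after the cut-below-first-bad rule is applied."""
    return all(s == GOOD for s in effective_statuses(path, status_db).values())


if __name__ == "__main__":
    db = {name: GOOD for name in PATH}
    policy = ValidationPolicy(allow_self_revocation=False)
    # A lower-level proxy may not revoke something above it.
    print(apply_admin_message(db, PATH, "Proxy-2", "Proxy-1", policy))
    # The EEC sits above Proxy-1 in the path, so this is accepted.
    print(apply_admin_message(db, PATH, "EEC:alice", "Proxy-1", policy))
    print(effective_statuses(PATH, db))
    print(path_is_valid(PATH, db))
```

Running the block revokes Proxy-1 on the EEC's request and then reports Proxy-2 and Proxy-3 as revoked too, even though their own database entries were never touched; flipping `allow_self_revocation` to True is the only way a proxy's own message is accepted.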
