[caops-wg] OCSP & Proxy Certs

Mike Helm helm at fionn.es.net
Tue Jan 24 10:35:47 CST 2006


Mike Helm writes:
> Let me list some assumptions and characteristics of
> proxy certs, and related services (please correct and

Bob Cowles at the OSG Consortium security meeting today
mentioned another possible OCSP - short term proxy cert
configuration that I should make you aware of. 

The idea here is that proxy cert lifetime be extended
longer and longer, perhaps becoming indistinguishable from
short term certs or even long term certs.  Then use a
revocation mechanism like OCSP to kill them when absolutely
necessary (more typically, drop authorization privileges,
but as a practical matter it's not yet completely clear how
that is to be done).

I think that this case is or can be covered by the spectrum
of OCSP scenarios we already have, but maybe Bob or others
can look at the document and test it against their proposal.
It also shades into some of the ideas that some of us have
been discussing for a full-fledged validation service, a
topic we can take up elsewhere.

Bob Cowles mentioned this to me recently (maybe Boston GGF),
or at least some version of it, but I don't know that either
one of us mentioned it in this group before.

Thanks, ==mwh
Michael Helm
ESnet/LBL




