[caops-wg] OCSP Teleconference 30 Jan 2006

Mike Helm helm at fionn.es.net
Tue Jan 31 09:44:41 CST 2006


Sorry for the delay, but my afternoon filled up.  The notes
will be even sketchier as a result.  Please fix & fill in as
needed.

OCSP call 30 Jan 06 8 AM PT

Attendees: {?}  Oscar, Jesus, mwh, Olle, R Cowles, A Sill - ?

AI:
Oscar & Jesus will provide some "cons" to Mike's recent
  suggestions
Mike will incorporate recent suggestions, new text from
  O & L above, and update OCSP draft (+ add digest recommendations
  and some minor edits as time permits) for Mon 06 Feb
  (some additions "*" below)

Olle will set up another call same time same system (~8AM PT Mon 06 Feb)


Decisions:
Focus on pros & cons of proxy cert revocation management;
it is valuable to make general recommendations but recognize
further work and changes will take place
Don't develop any extra protocol or related specification
for this at this time
The general topic of cert validation is out of scope of this
document

Does anyone have text for the delegated proxy responder cert
   recommendation?

Discussion:


Q: is it necessary to revoke proxy certs
Owners should revoke only?

Gets messy from security pt of view
OCSP gets complicated about registry.

* Will post recs/ objections
[If I can paraphrase: Oscar & Jesus' point of view is that the 
user - the holder of the EE X.509 cert - is the real "agent"
of proxy cert revocation, and focusing on this person is not too
hard, he can be authorized to register & revoke his cert.  But
allowing the proxy certs to revoke other proxies, and relying 
parties to do so, this is hard.]

[Mike: One of the motivations for doing this doc, is that the relying parties
want a way to control their environment, they want a tool to limit
damage.  The proxy cert is not really (or not just) an identity cert, it is developing
authorization characteristics, and as such it seems to me at least that
both the owner & the resource owner share "jurisdiction" over the proxy
in use.]

[Yes this makes things very messy and we have to make sure the complexity
is understood well enough to avoid specifying an unsupportable service.]


Terena will discuss OCSP global service?
Did Tony talk about at EUGridPMA

Just talked about Validity service

Stand up large scale ocsp responder?

Should we do thru Terena?

[Apparently TERENA will discuss this next week?  Was there
a decision or AI here, I don't remember]

[The context here is that we seem to have a consensus that we need
one or more large scale, well known OCSP responders to act as
clearinghouses, gateways to other responders &c.  Some discussion
of how to do that/ fund it/ &c - really outside our scope, so:]

* Recommend PMAs stand up / support OCSP large scale responder?
Let's recommend to PMA; they can worry about practical details, funding, sponsoring

Olle - Validation service is 1 level up

O: David Groep's suggestion: delegate an OCSP usage as extended signing
Management signing
Include one more extension on the client side
Creates authorized responder
OCSP responder can deal with the cert as issued.
[That is issue response under multiple certs]
Not intended for today's proxy cert

[I think I am beginning to understand this ; this was in the 
slide deck at last GGF (see link earlier message) and must
have been mentioned at the previous one, altho I don't remember
it.  I think the core idea is to create a response from
an "Authorized" (see doc) responder for a proxy cert, as opposed
to the implied "Trusted" responder response.   We should recommend
that this capability be developed, but need text to explain it
clearly.]

[What are proxies?  How are they used?]
Limit vulnerability
   Constrained delegation
    Limited lifetime
There are long-lived services - resource brokers

O: punting on proxy certs & OCSP
M: need it

[This section is a return to earlier point, as more ppl got to the call]

O: need white/black list
Could be complement to OCSP

The mess comes from proxy certs revoking proxy certs
User could do it.

Problem is in rules & how authorized to revoke proxy certificates
Primarily it is up to users (Oscar & Jesus).

How to move information around?

Prepare recs, send 

Can meet Monday - same time.

[Bob Cowles also raised a point ... paraphrase something to the effect
of why do proxy revocation as opposed to some other kind of authorization
* disabling or user blocking.  I said something to the effect of, we can
provide a more targeted response, not eliminating a user's ability to 
do work, just the bad work; particularly important in Grid resources with
primitive or minimal authZ infrastructure. I'll check the doc for supporting
text.]




