[caops-wg] Re: AuthN CA middleware support [caops-wg Draft Agenda]

Mike Helm helm at fionn.es.net
Thu May 11 09:50:52 CDT 2006


"Jensen, J (Jens)" writes:
> I think we need an IGTF working group on this.  We need to get
> requirements from the RPs as well.  At the TAGPMA meeting,

Some of us have been thinking about this for quite a while - 
we have a mailing list for it, validity at es.net, and if
you want to bring some of your ideas to it that would
be very welcome.  

        email to: listserver at listmin.es.net
        subject: subscribe validity at es.net, [email address]
        body: [leave blank]

        send in ascii text, no pgp or cert sigs and the rest is automatic.

Since these instructions often fail due to local fiddling
with email list management, if you have any problems please
forward them to postmaster at es.net as well as me.

We have focused on certain requirements - mainly, hiding infrastructure
such as complex PKI; and on protocols that are extensible, such
as XKMS and SCVP, but without thinking too much about what purposes
they would be extended.  I have been of the camp that thinks that
OCSP might be just good enough for the purposes we had in mind,
but as soon as people start thinking about evaluating levels of 
assurance or other policy details then I think that invalidates
that idea, and OCSP will be a component of some more sophisticated
service.

We have certainly not focused on details(*) of how the service
would be presented to the management and admin side of the
set of stakeholders, which is very important and the ideas here
are very useful - they also influence the requirements for the
service as a whole. [(*) except for some preliminary discussions about
managing proxy cert info].

One thing that happens when a lot of policy info becomes important
for evaluation is that fine structure probably appears in the service,
that is there are both universal qualities that need to be validated,
and purely local qualities.  That is individual trust domains will look
different from each other, potentially, so they either need their own
validation service or at least one that is customizable for them, and the
rules in each trust domain will be different and have different effects on the
grid users that appear there.   We can collapse away one side of this
if we have to, but do we have to - should we?

You should also be aware - probably you all are - that David Chadwick has
proposed some kind of cert validation service in the  ogsa-authz space.
I know just a little about this but I haven't  been able to take advantage
of the one moment when we were at the same space-time coordinates to 
talk with him about it.   It seems to be a much, much more ambitious
concept, and probably what we have in mind - certainly what I'm talking about -
has a much smaller scope.  However, once you start down the road of validating
policy and usage you are drifting into his territory.  Probably an XACML or
XACML-friendly service is what he has in mind.

I'd like to repost some of the recent messages about this to validity at es.net -
if anyone has any objection to that please let me know.

Regards, ==mwh
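To make the two-layer structure argued for above concrete (universal checks every relying party needs, then rules that differ per trust domain), here is an added toy model. It is not code from ESnet, the validity list or any IGTF service; the field names, the "low"/"medium"/"high" assurance labels, the domain names and the sample certificates are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class CertInfo:
    subject: str
    issuer: str          # CA that issued the certificate (assumed name)
    not_after: datetime  # end of the validity period
    revoked: bool        # what an OCSP-style status lookup would report
    assurance: str       # assurance level asserted by the issuer (assumed labels)

@dataclass
class DomainPolicy:
    min_assurance: str   # lowest assurance level this trust domain accepts

ASSURANCE_RANK = {"low": 1, "medium": 2, "high": 3}

def universal_checks(cert, now):
    """Checks that hold in every trust domain; an OCSP-only service stops here."""
    reasons = []
    if cert.revoked:
        reasons.append("revoked")
    if cert.not_after <= now:
        reasons.append("expired")
    return reasons

def local_checks(cert, policy):
    """Rules that vary per trust domain: the customizable part of the service."""
    if ASSURANCE_RANK.get(cert.assurance, 0) < ASSURANCE_RANK[policy.min_assurance]:
        return [f"assurance {cert.assurance} below {policy.min_assurance}"]
    return []

def validate(cert, domain, policies, now):
    """Return (verdict, reasons) for a cert presented in a given trust domain.
    Universal failures short-circuit; local policy is only consulted after them."""
    reasons = universal_checks(cert, now)
    if reasons:
        return "invalid", reasons
    policy = policies.get(domain)
    if policy is None:
        return "unknown-domain", [f"no policy configured for {domain}"]
    reasons = local_checks(cert, policy)
    return ("rejected-by-policy", reasons) if reasons else ("valid", [])

# Constructed sample data (not real CAs, users or IGTF policies)
NOW = datetime(2006, 5, 11, tzinfo=timezone.utc)
POLICIES = {"DomainA": DomainPolicy("medium"), "DomainB": DomainPolicy("low")}
LATER = datetime(2007, 1, 1, tzinfo=timezone.utc)
EARLIER = datetime(2006, 1, 1, tzinfo=timezone.utc)
SAMPLE = [
    CertInfo("alice", "ExampleCA", LATER, False, "high"),
    CertInfo("bob", "ExampleCA", LATER, False, "low"),
    CertInfo("carol", "ExampleCA", EARLIER, False, "high"),
    CertInfo("dave", "ExampleCA", LATER, True, "high"),
]
```

The same certificate ("bob") is accepted in DomainB and rejected in DomainA, which is the per-domain difference in effect on users that the message describes.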