[caops-wg] New version GridCertProfile (0.23) with Public Comments addressed

David Groep davidg at nikhef.nl
Wed Oct 17 12:45:07 CDT 2007


Dear all,

I've gone through the public comments and the results from our group
discussion yesterday, and generated a new version of the GridCertProfile
document (0.23) with virtually all of the changes incorporated. The list
of changes is below, and the attached PDF document highlights the changes.

The one open issue concerns re-testing Internet Explorer 7 with respect
to the root-cert-import behaviour. In order to make a consistent document,
I've now just stated "tested in versions up to and including v6".

New versions are now on GridForge (doc and pdf), with a summary of
all changes below. The slides used for the presentation are also
on GridForge, in the CAOPS-WG document area -> Meeting Materials -> OGF21.

One last question to Vivek Kaushik (or Yoshio): is there a public URL
for the basicConstraints white paper? I've now put in a reference to
the public comments ([Netrust2007]), but having a better URL would
be nice (as we agreed to reference this excellent document in its entirety).

	Best,
	DavidG.

Click Here Now:
  https://forge.gridforum.org/sf/go/projects.caops-wg/docman.root.working_drafts


Comments addressed
------------------

Vladimir Dimitrov: we're sorry, but we already changed the structure of
  the document twice (first converting all footnotes to in-line text,
  then realizing that it became unreadable, and converting everything
  to footnotes again :-)
  The group felt that leaving them out would devalue the document, but
  at the same time it's not normative enough to warrant being in the main
  text body.
  So, although there are a lot of them, we agreed to keep the footnotes.

Yoshio Tanaka and Vivek Kaushik:
  The group realized the complexity of the issue and highly appreciates
  the white paper. We dropped the "MUST" to a "SHOULD" in 2.4.1, and
  added a summary of the white paper as a footnote. Since the white paper
  contains a lot of very valuable text, we agreed to just reference the
  entire paper. A better reference URL would be nice, though.
  Thanks for this in-depth analysis!

Reimer:
  Updated the text in 3.3.2, making dataEncipherment a MUST, and adding
  a footnote with Reimer's analysis

Paschalis:
  The new footnote text starts off with: "In case the country (C) is
  used as part of the varying part of the subject distinguished name
  (i.e., it is not part of the constant DN prefix that defines the
  issuing name space), the ..."

ChristosT:
  In 3.3.8 added "It MUST return the CRL in DER encoded form".

BobCowles:
  The testing of IE7 is not yet done, but I've qualified all mention
  of browsers with either a testing date ("Spring 2007"), or a
  version number ("up to and including version 6").
  We can update that once IE7 has been tested.

Blair:
  Section 2.2 now reads:
  "... The current most secure hash function that is supported by the
  entire target audience of the CA SHOULD be used, but at least SHA-1
  or better MUST be used {footnote: Note that modern hashes, such as
  SHA-256, are not supported by the majority of OpenSSL versions in
  use, so SHA1 is the only available value as of time of writing.}"

  On non-repudiation (3.3.2):
  "It SHOULD NOT be set in other end-entity certificates either, as
  the claims made by this keyUsage are ill-defined or non-verifiable,
  and its interpretation by clients unclear. If it is set regardless,
  its assertion in personal end-entity certificates SHOULD be
  limited to special purposes. "

  In 4.2 on ECC signatures:
  "... As other digital signature and key exchange algorithms are
  introduced, such as elliptic curve mechanisms, their use should be
  considered for new certificates provided the entire target
  audience is capable of dealing with such mechanisms {footnote: As of
  time of writing, only RSA algorithms are sufficiently supported in
  clients. It is thus NOT advisable to select non-RSA algorithms.}."



-- 
David Groep

** National Institute for Nuclear and High Energy Physics, PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CompareResult-22-23.pdf
Type: application/pdf
Size: 115731 bytes
Desc: not available
Url : http://www.ogf.org/pipermail/caops-wg/attachments/20071017/c1d7eb38/attachment-0001.pdf 
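The profile points quoted in this mail (2.2 hash strength, 3.3.2 keyUsage bits, 3.3.8 DER-encoded CRL, 4.2 RSA-only advice) can be turned into a small conformance check. The program below is an added example, not part of the mail, the GridCertProfile document or any CAOPS/IGTF tooling; it uses Go's standard crypto/x509 and constructs a throwaway CA, end-entity certificate and CRL in memory as test data. The function names, the mapping of each check to a section number and the "meets the SHOULD" wording are this example's own assumptions about the quoted text.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding is one check result; Section numbers follow the mail above.
type Finding struct {
	Section string
	OK      bool
	Note    string
}

// HashVerdict applies 2.2: SHA-1 or better MUST be used, and the strongest
// hash the whole target audience supports SHOULD be used.
func HashVerdict(alg x509.SignatureAlgorithm) (bool, string) {
	switch alg {
	case x509.UnknownSignatureAlgorithm, x509.MD2WithRSA, x509.MD5WithRSA:
		return false, "hash weaker than SHA-1 (or unknown): violates the MUST"
	case x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		return true, "SHA-1 meets the MUST; prefer SHA-256 once clients support it"
	}
	return true, alg.String() + " meets the MUST and the SHOULD"
}

// CheckCertificate applies the end-entity rules quoted in the mail: 2.2 (hash),
// 4.2 (only RSA is advisable) and 3.3.2 (dataEncipherment MUST be set,
// nonRepudiation, which Go calls contentCommitment, SHOULD NOT be set).
func CheckCertificate(cert *x509.Certificate) []Finding {
	hashOK, hashNote := HashVerdict(cert.SignatureAlgorithm)
	_, isRSA := cert.PublicKey.(*rsa.PublicKey)
	return []Finding{
		{"2.2 hash", hashOK, hashNote},
		{"4.2 key algorithm", isRSA, "non-RSA algorithms are not advisable yet"},
		{"3.3.2 dataEncipherment", cert.KeyUsage&x509.KeyUsageDataEncipherment != 0, "MUST be set"},
		{"3.3.2 nonRepudiation", cert.KeyUsage&x509.KeyUsageContentCommitment == 0, "SHOULD NOT be set"},
	}
}

// CRLIsDER applies 3.3.8: the CRL MUST be returned DER encoded. PEM is text
// starting "-----BEGIN"; DER is a bare ASN.1 SEQUENCE (tag 0x30) that parses.
func CRLIsDER(body []byte) bool {
	if block, _ := pem.Decode(body); block != nil || len(body) == 0 || body[0] != 0x30 {
		return false
	}
	_, err := x509.ParseRevocationList(body)
	return err == nil
}

// must aborts on error while building the constructed sample data.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildSamples constructs, in memory, a throwaway CA, an end-entity certificate
// it signs and an empty CRL (constructed test data, not real CA material).
// setNonRepudiation adds the bit that 3.3.2 says SHOULD NOT be set.
func BuildSamples(setNonRepudiation bool) (*x509.Certificate, []byte) {
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	eeKey := must(rsa.GenerateKey(rand.Reader, 2048))
	now := time.Now()
	subject := pkix.Name{Country: []string{"NL"}, Organization: []string{"Example Grid CA"}, CommonName: "Example Grid CA"}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: subject, NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, BasicConstraintsValid: true, IsCA: true,
		SubjectKeyId: []byte{1, 2, 3, 4}, // CreateRevocationList requires one on the issuer
	}
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	usage := x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment
	if setNonRepudiation {
		usage |= x509.KeyUsageContentCommitment
	}
	subject.CommonName = "Alice Example"
	eeTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: subject, NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		KeyUsage: usage, BasicConstraintsValid: true, // CA:FALSE on the end entity
	}
	eeCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, eeTmpl, caCert, &eeKey.PublicKey, caKey))))
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	return eeCert, must(x509.CreateRevocationList(rand.Reader, crl, caCert, caKey))
}

func main() {
	ee, crlDER := BuildSamples(false)
	fmt.Printf("%+v\nCRL served as DER: %v\n", CheckCertificate(ee), CRLIsDER(crlDER))
}
```

Running it prints one finding per rule for the constructed end-entity certificate and whether the generated CRL is DER. Pointing CheckCertificate at a real certificate only needs x509.ParseCertificate on its DER bytes; for a CRL fetched from a distribution point, CRLIsDER also rejects the PEM form, which is the case 3.3.8 is meant to rule out.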

