[caops-wg] New version GridCertProfile (0.23) with Public Comments addressed
David Groep
davidg at nikhef.nl
Wed Oct 17 12:45:07 CDT 2007
Dear all,
I've gone through the public comments and the results from our group
discussion yesterday, and generated a new version of the GridCertProfile
document (0.23) with virtually all of the changes incorporated. The list
of changes is below, and the attached PDF document highlights the changes.
The one open issue concerns re-testing Internet Explorer 7 with respect
to the root-cert-import behaviour. In order to make a consistent document,
I've now just stated "tested in versions up to and including v6".
New versions are now on GridForge (doc and pdf), with a summary of
all changes below. The slides used for the presentation are also
on GridForge, in the CAOPS-WG document area -> Meeting Materials -> OGF21.
One last question to Vivek Kaushik (or Yoshio): is there a public URL
for the basicConstraints white paper? I've now put in a reference to
the public comments ([Netrust2007]), but having a better URL would
be nice (as we agreed to reference this excellent document in its entirety)
Best,
DavidG.
https://forge.gridforum.org/sf/go/projects.caops-wg/docman.root.working_drafts
Comments addressed
------------------
Vladimir Dimitrov: we're sorry, but we already changed the structure of
the document twice (first converting all footnotes to in-line text,
then realizing that it became unreadable, and converting everything
to footnotes again :-)
The group felt that leaving them out would devalue the document, but
at the same time it's not normative enough to warrant being in the main
text body.
So, although there are a lot of them, we agreed to keep the footnotes.
Yoshio Tanaka and Vivek Kaushik:
The group realized the complexity of the issue and highly appreciates
the white paper. We dropped the "MUST" to a "SHOULD" in 2.4.1, and
added a summary of the white paper as a footnote. Since the white paper
contains a lot of very valuable text, we agreed to just reference the
entire paper. A better reference URL would be nice, though.
Thanks for this in-depth analysis!
Reimer:
Updated the text in 3.3.2, making dataEncipherment a MUST, and adding
a footnote with Reimer's analysis.
Paschalis:
The new footnote text starts off with: "In case the country (C) is
used as part of the varying part of the subject distinguished name
(i.e., it is not part of the constant DN prefix that defines the
issuing name space), the ..."
ChristosT:
In 3.3.8 added "It MUST return the CRL in DER encoded form".
BobCowles:
The testing of IE7 is not yet done, but I've qualified all mention
of browsers with either a testing date ("Spring 2007"), or a
version number ("up to and including version 6").
We can update that once IE7 has been tested.
Blair:
Section 2.2 now reads:
"... The current most secure hash function that is supported by the
entire target audience of the CA SHOULD be used, but at least SHA-1
or better MUST be used {footnote: Note that modern hashes, such as
SHA-256, are not supported by the majority of OpenSSL versions in
use, so SHA1 is the only available value as of time of writing.}"
On non-repudiation (3.3.2):
"It SHOULD NOT be set in other end-entity certificates either, as
the claims made by this keyUsage are ill-defined or non-verifiable,
and its interpretation by clients unclear. If it is set regardless,
its assertion in personal end-entity certificates SHOULD be
limited to special purposes. "
In 4.2 on ECC signatures:
"... As other digital signature and key exchange algorithms are
introduced, such as elliptic curve mechanisms, their use should be
considered for new certificates provided the entire target
audience is capable of dealing with such mechanisms {footnote: As of
time of writing, only RSA algorithms are sufficiently supported in
clients. It is thus NOT advisable to select non-RSA algorithms.}."
--
David Groep
** National Institute for Nuclear and High Energy Physics, PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
A non-text attachment was scrubbed...
Name: CompareResult-22-23.pdf
Type: application/pdf
Size: 115731 bytes
Desc: not available
Url : http://www.ogf.org/pipermail/caops-wg/attachments/20071017/c1d7eb38/attachment-0001.pdf
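The profile points settled in this message (dataEncipherment MUST be set, nonRepudiation SHOULD NOT be set in end-entity certificates, at least SHA-1 as the signature hash, CRLs returned in DER form) can be turned into mechanical checks. The following is an added example written for this archive page; it is not code from the CAOPS working group or from the GridCertProfile document. It uses only the Python standard library and a small hand-written DER decoder, so the sample inputs are constructed DER fragments (a keyUsage BIT STRING and a signature-algorithm OID), not a real certificate; the section numbers quoted in the findings are those cited in the message above.

```python
"""Checks derived from the GridCertProfile 0.23 discussion (added example).

Only the two DER primitives needed here are decoded: BIT STRING (the
keyUsage extension value) and OBJECT IDENTIFIER (the signatureAlgorithm).
"""

# RFC 5280 keyUsage bit positions (bit 0 is the most significant bit).
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}

# Hash function behind common PKCS#1 signature-algorithm OIDs.
HASH_OF_SIG_ALG = {
    "1.2.840.113549.1.1.4": "md5",
    "1.2.840.113549.1.1.5": "sha1",
    "1.2.840.113549.1.1.11": "sha256",
}
# Section 2.2: "at least SHA-1 or better MUST be used".
ACCEPTABLE_HASHES = {"sha1", "sha256"}


def der_tlv(buf, offset=0):
    """Return (tag, value bytes, next offset) for one DER TLV element."""
    tag = buf[offset]
    length = buf[offset + 1]
    pos = offset + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_bit_string(der):
    """Decode a DER BIT STRING into a list of bits, MSB first."""
    tag, value, _ = der_tlv(der)
    if tag != 0x03:
        raise ValueError("not a BIT STRING")
    unused = value[0]  # first content byte: number of unused trailing bits
    total = (len(value) - 1) * 8 - unused
    return [(value[1 + i // 8] >> (7 - i % 8)) & 1 for i in range(total)]


def decode_oid(der):
    """Decode a DER OBJECT IDENTIFIER into dotted form."""
    tag, value, _ = der_tlv(der)
    if tag != 0x06:
        raise ValueError("not an OBJECT IDENTIFIER")
    arcs = [value[0] // 40, value[0] % 40]
    n = 0
    for b in value[1:]:  # base-128, high bit marks continuation
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)


def check_key_usage(key_usage_der):
    """Return the list of profile findings for an end-entity keyUsage value."""
    bits = decode_bit_string(key_usage_der)

    def is_set(name):
        i = KEY_USAGE_BITS[name]
        return i < len(bits) and bits[i] == 1

    findings = []
    if not is_set("dataEncipherment"):
        findings.append("MUST (3.3.2): dataEncipherment is not set")
    if is_set("nonRepudiation"):
        findings.append("SHOULD NOT (3.3.2): nonRepudiation is set")
    return findings


def check_signature_hash(sig_alg_oid_der):
    """Return (hash name, acceptable?) for a signatureAlgorithm OID."""
    name = HASH_OF_SIG_ALG.get(decode_oid(sig_alg_oid_der), "unknown")
    return name, name in ACCEPTABLE_HASHES


def is_der_crl(body):
    """Section 3.3.8: the CRL endpoint MUST return DER, not PEM.

    A DER CertificateList starts with a SEQUENCE tag (0x30); PEM starts
    with a '-----BEGIN' armour line.
    """
    return body[:1] == b"\x30" and not body.startswith(b"-----BEGIN")


# Constructed sample inputs (not taken from any real certificate).
KU_OK = b"\x03\x02\x04\xb0"      # digitalSignature, keyEncipherment, dataEncipherment
KU_NONREP = b"\x03\x02\x04\xf0"  # as above plus nonRepudiation
KU_NO_DATAENC = b"\x03\x02\x04\xa0"  # digitalSignature, keyEncipherment only
SHA1_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"
MD5_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04"

if __name__ == "__main__":
    for label, ku in (("ok", KU_OK), ("nonrep", KU_NONREP), ("no-dataenc", KU_NO_DATAENC)):
        print(label, check_key_usage(ku) or "no findings")
    print(check_signature_hash(SHA1_RSA), check_signature_hash(MD5_RSA))
```

The keyUsage decoder honours the BIT STRING "unused bits" byte, which is where hand-rolled checks usually go wrong: a value of 04 B0 carries only four meaningful bits, so a test for decipherOnly (bit 8) must report "not set" rather than read past the end.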