I will come back to this material in a little different way later, but I wanted to address these points: Jesus Luna writes:
About this topic we would like to comment that, in analogy to non-Grid PKIs, revocation of an N-level Proxy Certificate should only be performed by its Issuer (the N-1 level entity; it does not matter if it is an EEC or another Proxy) *and* by any other entity up to the Root CA itself (that is, hierarchy levels N-2...0). When a certificate is revoked, then its issued certificates (again, it does not matter if EEC or Proxies) should be considered revoked.
In DOEGrids ... I am not sure about every other IGTF PKI however ... end-entity certificates can revoke themselves. It's often done. For instance, when a security issue arose at one site, several customers revoked their own certificates until local problems were cleared up. Why wouldn't we permit this idea to be extended to proxy certs? That is, why shouldn't a proxy cert be permitted to revoke itself? What conditions would speak against that?
The "one-request" mechanism proposed in OGRO (embedding the whole Proxy Cert Path in one OCSP Request) could manage this proposal with some modifications, because when the OCSP Response is received then it could invalidate the Cert Path just below the certificate whose status is not "Good". We have also been exploring the "direct Proxy revocation" method: when a Proxy is destroyed or revoked for any other reason, then an "administrative" message is sent to the OCSP Service so the revocation is done directly in its certificate status database. The authorization checking on such an admin message is based on a very simple system that verifies if the issuer (message originator) is able to revoke such a credential (i.e. is part of the Certificate Path and can be found in any level above the Certificate being revoked). This should be customizable by the relying party, i.e. in a new rule of the Grid Validation Policy. Based on this, we don't think encoding the AIA into the Proxy
Let's try to work through some use cases. This is surely an attractive idea but I am not sure we can deal with all the corner cases. More on this in another message (perhaps not directly though).
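As an added illustration (not code from this thread or from OGRO), a small Python model of the two rules discussed above: the one-request chain check, which treats the first certificate whose status is not "Good" and everything issued beneath it as revoked, and the admin-message authorization check, which requires the originator to sit above the target in the certificate path, with an `allow_self` switch for the self-revocation question raised in the reply. The certificate names, the sample chain and the status database are constructed.

```python
"""Toy model of proxy-chain status evaluation and direct-revocation authorization."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str   # hypothetical short name standing in for the DN
    issuer: str    # subject of the issuing certificate (the root CA is self-issued)


# Constructed sample chain, leaf first, as it would be embedded in one OCSP request.
CHAIN = [Cert("proxy2", "proxy1"), Cert("proxy1", "eec"),
         Cert("eec", "ca"), Cert("ca", "ca")]


def chain_is_linked(chain):
    """Each certificate must be issued by the next one up; the last must be self-issued."""
    linked = all(chain[i].issuer == chain[i + 1].subject for i in range(len(chain) - 1))
    return linked and chain[-1].issuer == chain[-1].subject


def evaluate_chain(chain, status_db):
    """Walk root to leaf. The first certificate whose status is not 'good' cuts the
    chain: it and every certificate issued beneath it are treated as revoked.
    Returns (chain_ok, first_bad_subject, subjects_treated_as_revoked)."""
    if not chain_is_linked(chain):
        raise ValueError("chain is not a single issuance path")
    for i in range(len(chain) - 1, -1, -1):            # root first
        if status_db.get(chain[i].subject, "unknown") != "good":
            cut = [c.subject for c in chain[:i + 1]]   # chain[i] and everything below it
            return False, chain[i].subject, cut
    return True, None, []


def may_revoke(requester, target, chain, allow_self=False):
    """Authorization rule for a direct-revocation admin message: the requester must be
    a certificate in the chain above the target (its issuer or any higher level).
    allow_self=True additionally lets a certificate revoke itself."""
    subjects = [c.subject for c in chain]
    if requester not in subjects or target not in subjects:
        return False
    r, t = subjects.index(requester), subjects.index(target)   # leaf first: higher index = higher level
    return r > t or (allow_self and r == t)


def revoke(status_db, requester, target, chain, allow_self=False):
    """Apply a direct-revocation message to the status database if it is authorized."""
    if not may_revoke(requester, target, chain, allow_self):
        return False
    status_db[target] = "revoked"
    return True
```

Revoking `proxy1` makes `evaluate_chain` report both `proxy1` and `proxy2` as cut, which is the "revoked issuer implies revoked subordinates" rule applied at validation time rather than by rewriting every subordinate entry in the database.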