Hi All, Sorry for the late response, but last week we were not in Barcelona. Comments to the last email are shown below in the original text and a DOC document with such changes is being attached. Regards, Oscar & Jesus

Milan Sova wrote:
-- I've removed several occurrences of "suspend" and "suspended", basically in contexts like "revoked and suspended". IMO suspension is just a special case of revocation.
Agree with you, as Note 3 on page 5 already makes such difference clear and no additional remarks are then necessary.
-- Section 2, p.2 removed redundant "or invalidated" from "revoked or invalidated" in
OK
-- corrected spelling of "openssl" to "OpenSSL" throughout the document
OK
-- removed (mostly my) comments from the document
OK
-- Section 3, p.3: Removed point about "establishing of authorized OCSP responders between Grid CAs" being the way to achieve interoperability and "trust relationships among Grid PKIs" - it didn't make much sense to me
We have changed the original text a little bit, as the spirit of such note is to make clear that a VO may integrate more than one CA and thus OCSP Authorized Responders are necessary.
-- Section 3, p.3: Removed point making requirements on the OCSP service provider - I think it belongs into "Requirements" section.
To which point are you referring? We are kind of confused about it :)
-- Section 5.4, p.5: crosslink to Section 4 removed "Another Responder discovery solution consists of configuring a Global OCSP Redirector per domain in charge of redirecting the relying party's OCSP request according to specified parameters (i.e. OCSP load, network traffic, availability, etc.)." - it is just a special case of a local trusted responder.
Also we have inserted a crosslink to 6.5, where the Global OCSP Redirector is first mentioned (to avoid redundancy).
-- Section 5.7 "Revoked with status Suspended or OnHold" -> "...with revocationReason certificateHold..."
OK
-- Section 6.2 Crosslink to Section 4
OK
-- Section 6.6 reverted the section back to Olle's version. The modified version did not make much sense to me
We have inserted a crosslink to 6.3 as a way to possibly use DeltaCRLs (Push Operation Mode) for managing Proxy Certificate Revocation. Even though we agree that such topic shall remain outside the scope of the document.
-- Section 10 is empty - I didn't succeed to persuade my OpenOffice to get rid of it ;(
We believe that what happens is that when opening the document with Microsoft Word the section numbers are rearranged, so that section 10 shows the following text (that we consider to be correct): "According to our experience some Grid's Relying Parties may need to define OCSP policies related to OCSP behavior as explained in this document. Such policies may include rules for dealing with OCSP Requests and Responses (i.e. required signatures, required extensions, preferred OCSP responders, validation of OCSP Response freshness, response caching, etc.) and can be parsed just once at initialization time (i.e. Proxy creation). Finally, service providers implementing OCSP architectures based on Grid Services features like discovery and notification should also be considered as they may bring interesting advantages to this field."
-- Section 11 I'm not sure whether the statement of OCSP policies and Grid Services fits into the document spirit...
We agree on deleting the reference to Grid Services at this moment. However, the OCSP Policies proposal has the objective of "customizing" the behaviour of OCSP services in a Grid environment by defining several of the parameters mentioned in the document. At this time we are working on a prototype to show such convenience, so when it is ready we may be able to send you the related information.
-- Section 14 replaced the Authorized Responder definition by a citation from RFC2560 - are we really going to have a Definitions section? If so, it would probably look better if we include some more of them ;)
On second thought, this section can be deleted as the only definition was already mentioned in sections 4 and 8.1. Taking a closer look at the document we could not find another term suitable to fit as a "definition"; however, if someone else has a proposal it may be the time to talk about it.
Regards
By the way, we have a couple of additional questions more or less related to such document:
- On the GGF 14, is the CAOPS-WG planning to present some kind of talk or meeting about this document? We may have read something about it in the minutes from GGF 13, but were not sure...
- We are about to finish some testing of the integration of our OCSP classes into the Jglobus libraries, so we may use them in the GT4 Java Core and Proxy Init routines. Do you know any existing Grid benchmarks/loadtest environments/simulators that can be used to perform such tests? Any suggestions?
--
____________________
Jesus Luna Garcia
PhD Student. Polytechnic University of Catalonia
Barcelona, Spain
jluna@ac.upc.edu
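As an added illustration (not part of this e-mail thread, the draft document, or the Jglobus code it mentions), the following sketch shows the relying-party OCSP policy check that the quoted Section 10 text describes: a policy parsed once at initialization, then applied to every response for trusted responders, a required nonce extension, freshness, and the certificateHold revocationReason from Section 5.7. The class names, thresholds and sample response values are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Set, Tuple

@dataclass
class OcspPolicy:
    """Relying-party policy, parsed once (e.g. at proxy creation) and reused."""
    trusted_responders: Set[str]                 # preferred/authorized responder ids
    require_nonce: bool = True                   # required extension in the response
    max_age: timedelta = timedelta(hours=1)      # how old thisUpdate may be
    clock_skew: timedelta = timedelta(minutes=5) # tolerated drift between clocks
    hold_is_revoked: bool = True                 # treat certificateHold as revoked

@dataclass
class OcspResponseInfo:
    """Fields already extracted from a parsed (and signature-verified) response."""
    responder_id: str
    cert_status: str                     # "good", "revoked" or "unknown"
    this_update: datetime
    next_update: Optional[datetime]
    nonce_present: bool
    revocation_reason: Optional[str] = None

def evaluate(resp: OcspResponseInfo, policy: OcspPolicy, now: datetime) -> Tuple[str, str]:
    """Apply the policy to one response; returns (decision, reason)."""
    if resp.responder_id not in policy.trusted_responders:
        return ("reject", "responder not trusted by policy")
    if policy.require_nonce and not resp.nonce_present:
        return ("reject", "required nonce extension missing")
    # Freshness: thisUpdate must not be in the future, nor older than max_age,
    # and nextUpdate (when present) must not have passed.
    if resp.this_update > now + policy.clock_skew:
        return ("reject", "thisUpdate is in the future")
    if now - resp.this_update > policy.max_age:
        return ("reject", "stale response: thisUpdate too old")
    if resp.next_update is not None and now > resp.next_update + policy.clock_skew:
        return ("reject", "stale response: nextUpdate has passed")
    if resp.cert_status == "good":
        return ("accept", "certificate status good")
    if resp.cert_status == "revoked":
        if resp.revocation_reason == "certificateHold" and not policy.hold_is_revoked:
            return ("accept", "certificateHold accepted by policy")
        return ("reject", "certificate revoked: %s" % resp.revocation_reason)
    return ("reject", "certificate status unknown")

# Constructed sample: a fresh "good" answer from a trusted responder.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
POLICY = OcspPolicy(trusted_responders={"ocsp.example-grid-ca.test"})
SAMPLE = OcspResponseInfo("ocsp.example-grid-ca.test", "good",
                          NOW - timedelta(minutes=10), NOW + timedelta(hours=1), True)
```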