Mike Helm writes:
Let me list some assumptions and characteristics of proxy certs, and related services (please correct and
Bob Cowles at the OSG Consortium security meeting today mentioned another possible OCSP / short-term proxy cert configuration that I should make you aware of. The idea here is that proxy cert lifetime be extended longer and longer, perhaps becoming indistinguishable from short-term certs or even long-term certs. Then use a revocation mechanism like OCSP to kill them when absolutely necessary (more typically, drop authorization privileges, but as a practical matter it's not yet completely clear how that is to be done).

I think that this case is or can be covered by the spectrum of OCSP scenarios we already have, but maybe Bob or others can look at the document and test it against their proposal. It also shades into some of the ideas that some of us have been discussing for a full-fledged validation service, a topic we can take up elsewhere.

Bob Cowles mentioned this to me recently (maybe Boston GGF), or at least some version of it, but I don't know that either one of us mentioned it in this group before.

Thanks,
==mwh
Michael Helm
ESnet/LBL