"Jensen, J (Jens)" writes:
I think we need an IGTF working group on this. We need to get requirements from the RPs as well. At the TAGPMA meeting,
Some of us have been thinking about this for quite a while - we have a mailing list for it, validity@es.net, and if you want to bring some of your ideas to it that would be very welcome.

email to: listserver@listmin.es.net
subject: subscribe validity@es.net, [email address]
body: [leave blank]

Send in ASCII text, no PGP or cert sigs, and the rest is automatic. Since these instructions often fail due to local fiddling with email list management, if you have any problems please forward them to postmaster@es.net as well as me.

We have focused on certain requirements - mainly, hiding infrastructure such as complex PKI; and on protocols that are extensible, such as XKMS and SCVP, but without thinking too much about what purposes they would be extended for. I have been of the camp that thinks that OCSP might be just good enough for the purposes we had in mind, but as soon as people start thinking about evaluating levels of assurance or other policy details, then I think that invalidates that idea, and OCSP will be a component of some more sophisticated service.

We have certainly not focused on details(*) of how the service would be presented to the management and admin side of the set of stakeholders, which is very important, and the ideas here are very useful - they also influence the requirements for the service as a whole. [(*) except for some preliminary discussions about managing proxy cert info]

One thing that happens when a lot of policy info becomes important for evaluation is that fine structure probably appears in the service; that is, there are both universal qualities that need to be validated, and purely local qualities. That is, individual trust domains will potentially look different from each other, so they either need their own validation service or at least one that is customizable for them, and the rules in each trust domain will be different and have different effects on the grid users that appear there.
We can collapse away one side of this if we have to, but do we have to - should we?

You should also be aware - probably you all are - that David Chadwick has proposed some kind of cert validation service in the ogsa-authz space. I know just a little about this, but I haven't been able to take advantage of the one moment when we were at the same space-time coordinates to talk with him about it. It seems to be a much, much more ambitious concept, and probably what we have in mind - certainly what I'm talking about - has a much smaller scope. However, once you start down the road of validating policy and usage, you are drifting into his territory. Probably an XACML or XACML-friendly service is what he has in mind.

I'd like to repost some of the recent messages about this to validity@es.net - if anyone has any objection to that, please let me know.

Regards,
==mwh