Sorry for the delay, but my afternoon filled up. The notes will be even sketchier as a result. Please fix & fill in as needed.

OCSP call 30 Jan 06 8 AM PT

Attendees: {?} Oscar, Jesus, mwh, Olle, R Cowles, A Sill - ?

AI:
Oscar & Jesus will provide some "cons" to Mike's recent suggestions
Mike will incorporate recent suggestions, new text from O & L above, and update OCSP draft (+ add digest recommendations and some minor edits as time permits) for Mon 06 Feb (some additions "*" below)
Olle will set up another call same time same system (~8AM PT Mon 06 Feb)

Decisions:
Focus on pros & cons of proxy cert revocation management; it is valuable to make general recommendations but recognize further work and changes will take place
Don't develop any extra protocol or related specification for this at this time
The general topic of cert validation is out of scope of this document
Does anyone have text for the delegated proxy responder cert recommendation?

Discussion:
Q: is it necessary to revoke proxy certs
Owners should revoke only?
Gets messy from security pt of view
OCSP gets complicated about registry.
* Will post recs/ objections

[If I can paraphrase: Oscar & Jesus' point of view is that the user - the holder of the EE X.509 cert - is the real "agent" of proxy cert revocation, and focusing on this person is not too hard, he can be authorized to register & revoke his cert. But allowing the proxy certs to revoke other proxies, and relying parties to do so, this is hard.

[Mike: One of the motivations for doing this doc, is that the relying parties want a way to control their environment, they want a tool to limit damage. The proxy cert is not really (or not just) an identity cert, it is developing authorization characteristics, and as such it seems to me at least that both the owner & the resource owner share "jurisdiction" over the proxy in use.
[Yes this makes things very messy and we have to make sure the complexity is understood well enough to avoid specifying an unsupportable service.]

Terena will discuss OCSP global service?
Did Tony talk about at EUGridPMA
Just talked about Validity service
Stand up large scale ocsp responder?
Should we do thru Terena?

[Apparently TERENA will discuss this next week? Was there a decision or AI here, I don't remember]

[The context here is that we seem to have a consensus that we need one or more large scale, well known OCSP responders to act as clearinghouses, gateways to other responders &c. Some discussion of how to do that/ fund it/ &c - really outside our scope, so:]

* Recommend PMA's stand up / support OCSP large scale responder?
Let's recommend to PMA; they can worry about practical details, funding, sponsoring

Olle - Validation service is 1 level up
O: David Groep's suggestion: delegate an OCSP usage as extended signing
Management signing
Include one more extension on the client side
Creates authorized responder
OCSP responder can deal with the cert as issued. [That is issue response under multiple certs]
Not intended for today's proxy cert

[I think I am beginning to understand this; this was in the slide deck at last GGF (see link earlier message) and must have been mentioned at the previous one, altho I don't remember it. I think the core idea is to create a response from an "Authorized" (see doc) responder for a proxy cert, as opposed to the implied "Trusted" responder response. We should recommend that this capability be developed, but need text to explain it clearly.]

[What are proxies? How are they used?]
Limit vulnerability
Constrained delegation
Limited lifetime
There are long-lived services - resource brokers
O: punting on proxy certs & OCSP
M: need it

[This section is a return to earlier point, as more ppl got to the call]
O: need white/black list
Could be complement to OCSP
The mess comes from proxy certs revoking proxy certs
User could do it.
Problem is in rules & how authorized to revoke proxy certificates
Primarily it is up to users (Oscar & Jesus).
How to move information around?
Prepare recs, send
Can meet Monday - same time.

[Bob Cowles also raised a point ... paraphrase something to the effect of why do proxy revocation as opposed to some other kind of authorization * disabling or user blocking. I said something to the effect of, we can provide a more targeted response, not eliminating a user's ability to do work, just the bad work; particularly important in Grid resources with primitive or minimal authZ infrastructure. I'll check the doc for supporting text.]