New version GridCertProfile (0.23) with Public Comments addressed
Dear all,

I've gone through the public comments and the results from our group discussion yesterday, and generated a new version of the GridCertProfile document (0.23) with virtually all of the changes incorporated. The list of changes is below, and the attached PDF document highlights the changes.

The one open issue concerns re-testing Internet Explorer 7 with respect to the root-cert-import behaviour. In order to make a consistent document, I've now just stated "tested in versions up to and including v6".

New versions are now on GridForge (doc and pdf), with a summary of all changes below. The slides used for the presentation are also on GridForge, in the CAOPS-WG document area -> Meeting Materials -> OGF21.

One last question to Vivek Kaushik (or Yoshio): is there a public URL for the basicConstraints white paper? I've now put in a reference to the public comments ([Netrust2007]), but having a better URL would be nice (as we agreed to reference this excellent document in its entirety).

Best, DavidG.

Click Here Now: https://forge.gridforum.org/sf/go/projects.caops-wg/docman.root.working_draf...

Comments addressed
------------------

Vladimir Dimitrov: we're sorry, but we already changed the structure of the document twice (first converting all footnotes to in-line text, then realizing that it became unreadable, and converting everything to footnotes again :-). The group felt that leaving them out would devalue the document, but at the same time it's not normative enough to warrant being in the main text body. So, although there are a lot of them, we agreed to keep the footnotes.

Yoshio Tanaka and Vivek Kaushik: The group realized the complexity of the issue and highly appreciates the white paper. We dropped the "MUST" to a "SHOULD" in 2.4.1, and added a summary of the white paper as a footnote. Since the white paper contains a lot of very valuable text, we agreed to just reference the entire paper. A better reference URL would be nice, though. Thanks for this in-depth analysis!

Reimer: Updated the text in 3.3.2, making dataEncipherment a MUST, and adding a footnote with Reimer's analysis.

Paschalis: The new footnote text starts off with: "In case the country (C) is used as part of the varying part of the subject distinguished name (i.e., it is not part of the constant DN prefix that defines the issuing name space), the ..."

ChristosT: In 3.3.8 added "It MUST return the CRL in DER encoded form".

BobCowles: The testing of IE7 is not yet done, but I've qualified all mention of browsers with either a testing date ("Spring 2007") or a version number ("up to and including version 6"). We can update that once IE7 has been tested.

Blair: Section 2.2 now reads: "... The current most secure hash function that is supported by the entire target audience of the CA SHOULD be used, but at least SHA-1 or better MUST be used {footnote: Note that modern hashes, such as SHA-256, are not supported by the majority of OpenSSL versions in use, so SHA1 is the only available value as of time of writing.}"

On non-repudiation (3.3.2): "It SHOULD NOT be set in other end-entity certificates either, as the claims made by this keyUsage are ill-defined or non-verifiable, and its interpretation by clients unclear. If it is set regardless, its assertion in personal end-entity certificates SHOULD be limited to special purposes."

In 4.2 on ECC signatures: "... As other digital signature and key exchange algorithms are introduced, such as elliptic curve mechanisms, their use should be considered for new certificates provided the entire target audience is capable of dealing with such mechanisms {footnote: As of time of writing, only RSA algorithms are sufficiently supported in clients. It is thus NOT advisable to select non-RSA algorithms.}."

--
David Groep
** National Institute for Nuclear and High Energy Physics, PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
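As an added example (not part of this message or of the GridCertProfile document itself), the following pure-Python checker applies two of the requirements quoted above to raw certificate material: it decodes an X.509 keyUsage BIT STRING and reports whether dataEncipherment is set (the 3.3.2 MUST) and whether nonRepudiation is set (the SHOULD NOT), and it tells a DER-encoded CRL apart from a PEM one (the 3.3.8 MUST). It assumes the keyUsage value is handed in as the bare DER BIT STRING, already unwrapped from the extension's OCTET STRING; the sample DER bytes in the `__main__` block are constructed for illustration.

```python
"""Check keyUsage bits and CRL encoding against the profile text quoted in
the message: dataEncipherment MUST be set (3.3.2), nonRepudiation SHOULD NOT
be set (3.3.2), and a CRL MUST be returned in DER form (3.3.8).
Standard library only. All DER inputs used here are constructed samples."""

# RFC 5280 KeyUsage bit positions, numbered from the most significant bit.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]


def decode_key_usage(der: bytes) -> set:
    """Decode a DER BIT STRING (tag 0x03) carrying a KeyUsage value.

    Returns the set of usage names whose bit is set. Raises ValueError on
    malformed input (wrong tag, bad length, bad unused-bits count)."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    # KeyUsage is at most two content bytes, so only short-form lengths occur.
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("bad or unsupported length")
    unused = der[2]            # number of unused trailing bits in last byte
    body = der[3:]
    if unused > 7 or (not body and unused != 0):
        raise ValueError("bad unused-bits count")
    total_bits = len(body) * 8 - unused
    names = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        if body[i // 8] & (0x80 >> (i % 8)):
            names.add(KEY_USAGE_BITS[i])
    return names


def check_key_usage(der: bytes) -> list:
    """Return the list of profile findings for one keyUsage value.

    An empty list means the value satisfies both quoted requirements."""
    usage = decode_key_usage(der)
    findings = []
    if "dataEncipherment" not in usage:
        findings.append("MUST: dataEncipherment is not set")
    if "nonRepudiation" in usage:
        findings.append("SHOULD NOT: nonRepudiation is set")
    return findings


def crl_is_der(data: bytes) -> bool:
    """True if the CRL bytes are DER (outer SEQUENCE tag 0x30), False for
    PEM text or anything else. This is a framing check, not a full parse."""
    if data.startswith(b"-----BEGIN"):
        return False
    return len(data) > 1 and data[0] == 0x30


if __name__ == "__main__":
    # Constructed samples: bits digitalSignature+keyEncipherment+dataEncipherment
    # (0xB0, 4 unused bits) and digitalSignature+nonRepudiation+keyEncipherment
    # (0xE0, 5 unused bits).
    good = bytes.fromhex("030204b0")
    bad = bytes.fromhex("030205e0")
    for label, ku in (("good", good), ("bad", bad)):
        print(label, sorted(decode_key_usage(ku)), check_key_usage(ku) or "ok")
    print("DER CRL:", crl_is_der(b"\x30\x82\x01\x00" + b"\x00" * 16))
    print("PEM CRL:", crl_is_der(b"-----BEGIN X509 CRL-----\n"))
```

The decoder honours the DER rule that trailing zero bits are dropped from a BIT STRING, so a short value such as `03 02 04 B0` is read correctly rather than being rejected for not covering all nine named bits.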