I wanted to talk about the TAGPMA charter's use of the word "develop"; I don't think I stated my case very well yesterday. I'm using an older draft & I know some changes are in the offing, but I don't think they invalidate this comment.

There is a gradual escalation in the meaning of "develop" from the beginning of the charter, from this (p2 or 3):

  "It will be the mission of the TAGPMA to develop and maintain published information on the trustworthiness of its member authentication service providers."

to this (p5, 2.2):

  "The TAGPMA will develop Authentication Service profiles that reflect our community's requirements."

with a couple of stops in between.

(1) As a practical matter, I don't see how TAGPMA can do this kind of development in 2.2. Members or prospective members can develop, and bring these new ideas in, but TAGPMA isn't a supported project. Now, I think it might be a good idea for such efforts to be supported - is that what is intended for this PMA? Will it be making a roadmap &c?

(2) As a matter of trust management, do you want the developer to be the approver / accreditor too? I think you'd want to have a little more impartiality in the TAGPMA / review side of the relationship (imagine making the town building inspector and the real estate developer the same person). I think the earlier language was better - "foster development" &c, and something might be needed here to say how innovations get let in. Unless #1 above is really what is wanted here.
I wanted to talk more about the TAGPMA charter's use of the word "accredit" as well as "certify", and the related discussion yesterday. Maybe we're really talking about a branding scheme.

I thought of accredit as being a heavyweight process, with certification as one of the components - I was involved in a couple of higher ed accreditation processes a long time ago & I think that's how they were structured. Dictionary use and net use seem synonymous. There seem to be ISO definitions of them for IT/info sec use (one is ISO 17799; you figure it out -- there's a freebie here: http://iso-17799.safemode.org). Accreditation is the process, and certification is the signed statement that results (my drastic paraphrase). Another paraphrase would be that accreditation grants the entity the authority to do something, and the certification is a formal written statement to that effect, with lifetimes, and perhaps other attributes. In other domains, an effort is made to distinguish between approval and capability, and accreditation is focused more on measures of quality and conformance to standards rather than authority to operate. I think this is closer to what we do in fact.

The document that David Groep mentioned (& wrote?) is here: http://www.eugridpma.org/guidelines/EUGridPMA-accreditation-20040402-1-0.pdf

This does describe a process, which is more or less:

  submission - initial doc review - personal appearance and "defense" - final edit - enrollment

There's no formal certification, unless publishing in the directory counts. In a bridge scenario the cross-certificate would be one kind of certification.

I tried to find the OSG letter to the PMAs; I had to settle on one of the drafts due to lack of time. In part, it says:

  "1) We request that you utilize or develop accepted standard accreditation profiles sufficient to assure approximate parity in CAs operating to that profile. We ask that each of you perform peer reviews on CAs within your region to categorize CAs by profile."
Maybe we'd be better served here by talking about branding in the same context. For a long time, the EDG was the gold standard for Grid CAs. That was the only "brand" that mattered. It is still strong, but things are more complicated now. We also have relying parties, grid coalitions or whatever, like OSG, Teragrid, that want some kind of accreditation (that is, they want to outsource as much of the work of CA approval as possible).

Let's stick with the generally accepted meanings of certify and accredit. Any discussion about process uses them synonymously, and certification is some kind of publication step at the conclusion of the accreditation process (perhaps optional).

It seems like there are 2 things that can be "accredited": providers, like CAs, and profiles. The latter seems more like a standard of some sort to me. Perhaps these should be managed by a standards body like GGF. Regional PMAs could choose which ones they could accredit providers against, based on needs and expertise, and perhaps support others. Perhaps there should also be some kind of null profile and/or experimental profile for providers falling outside the published profiles.

There are 3 kinds of branding that could be done:

  - One is locally approved, that is, CA X is TAGPMA - classic pki profile accredited
  - One is IGTF approved, that is, CA X is IGTF - classic pki profile accredited
  - One is relying party approved, that is, CA X is Teragrid classic pki profile accredited

The 2nd is what we are doing. But this seems unwieldy since there may be questions raised by a certification done by some regional body outside its territory (i.e. what value did it add). I think emphasizing the "IGTF" brand is better than building up the regional. The relying party brand is stronger, since these are recognized entities, but they have their limits. Also, we don't want to just be their slaves; this has unintended consequences when different consortia have colliding requirements.
On the other hand, EDG-approved sure was important. The EDG/EUGridPMA min req profile, the one we call classic, is clearly one that could be IGTF branded, since all the regional PMAs are committed to this profile and there are many instances. I don't think the IGTF brand, and certainly not the TAGPMA brand, are strong enough on their own yet.

Maybe it is appropriate for the time being to take up the job of being evaluators for significant Grid projects, and working out a set of guidelines to apply in evaluating CAs. For example, OSG might say that it would accept any profile, but the following 5 things must be true {....}; in return, it would allow TAGPMA to say a CA was "OSG accredited", if TAGPMA's accreditation process indicated that these things were true about an applying CA. TAGPMA might apply its own branding by saying that any of {LCG accredited, OSG accredited, NFC accredited ...} constituted TAGPMA accreditation.

For IGTF branding to work, the process for each regional would have to be somewhat normalized or accredited also. So for example "IGTF classic PKI" might require that the EUGridPMA accreditation process above be adopted. It might also be useful to make this an open process, that is, representatives from one regional might help with various steps in another regional's accreditation process. Document review particularly is something that can be done anywhere in the world at any time.

Conclusion: accredit = certify; an actual "certification" step might be useful; make the profiles a standards body product; build brands like IGTF; normalize process steps to build that brand; rely on big grid branding to build up the regional brand, but don't get shackled to a particular project.
Mike Helm