New version of the OCSP document.
Dear all, In the minutes of the last CAOPS meeting it was mentioned that a new version of the OCSP document should be done, including changes with respect to the Proxy Certificates, grammar and even some re-order in a couple of sections. However I missed the point about who is/will do this. ;) We (Oscar and me) do not have any inconvenient into working such new version, but if that is the case please let us know so avoid duplicated work (someone else is working also in this?). Best regards and have a nice week! Jesus Luna
I haven't gotten much in the way of guidance and feedback, except what Olle Mulmo wrote last month, which I interpreted as fairly negative. I think you should edit it if the spirit moves you - the next GGF is very soon.
We (Oscar and me) do not have any inconvenient into working such new version, but if that is the case please let us know so avoid duplicated work (someone else is working also in this?).
Mike & all, We will try to send you the new version of the document early next week and -just to be in sync- you will find attached to this email the latest version in the usual formats: DOC with Changes highlighted and PDF only with comments. As far as I remember, from the GGF16 meeting the following changes must be applied: -Proxy Cert Revocation: remove it from the document. We should wait to achieve more experience in such topic. -Cautionary Period: someone mentioned to check if this section should be moved to some other part of the document. And the pending tasks from Mike's slides presented there: -Add explanation of OCSP multi-cert evaluation to section 3 -Look at beginning – may need slight wording changes in Abstract & Intro? As for the readability/sanity pass I'd like to ask for the help of english speakers CAOPSers... ;) Also it should be a good point to put a deadline on the document, otherwise it's very likely that it will be around here for quite a time... Write you soon and if you have any additional comment please let us know to incorporate it in next week's version, Regards, Oscar & Jesus PS: By the way...document's last version in the CAOPS web page is pretty old...could someone update it please? Mike Helm wrote:
I haven't gotten much in the way of guidance and feedback, except what Olle Mulmo wrote last month, which I interpreted as fairly negative. I think you should edit it if the spirit moves you - the next GGF is very soon.
We (Oscar and me) do not have any inconvenient into working such new version, but if that is the case please let us know so avoid duplicated work (someone else is working also in this?).
-- <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> o o o Jesus Luna Garcia | Polytechnic University of Catalonia o o o PhD Student | Department of Computer Architecture o o o phone: +34 93 401 7187 | Campus Nord. www.ac.upc.es U P C fax: +34 93 401 7055 | C/Jordi Girona 1-3, Modul D6-116 E-mail: jluna@ac.upc.es | Barcelona 08034 SPAIN <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
Dear all, We attach the last review of the document in the usual formats. .doc with track changes and .pdf with all the changes being accepted. A summary of introduced changes can be found at the end of the document. We would like to remind Milan to introduce his contact data. Oscar and Jesus
Hi. You can find my comments in the attachment of this (not very timely ;( ) response. Here are some notes which I didn't fit into the text: Throughout the document: I'd rather skip all referencing to "blacklisting". It is being used here in a pure authorization meaning - denying somebody access to a resource. I don't think authorization decisions should be handled by invalidating the result of authentication. ==== 5.5 Responder Discovery ---------------------- - I'm not sure I understand the section properly. "Any OCSP server acting as Clearinghouse or Trusted Responder MUST be contacted first." - Why? 6.3. Revocation Information Sources ----------------------------------- "blacklist" again 8.2.1 Delta CRLs ---------------- - I don't seem to see the point here. Let me try to express my reading of the section: "One of the problems with current Grid CAs' full CRLs is their long expected lifetime, i. e. the nextUpdate pointing to at least 7 days in the future. This behavior is motivated by the software used by Grids (OpenSSL) and by the potential network problems. However, this usage of nextUpdate takes out the possibility of expressing the CRL issuance frequency in the CRL itself (some CAs issue them several times a day but the the only place to find out the frequency is their CP/CPS). The Delta CRLs are proposed to solve the problem - their nextUpdate would reflect the actual CRL issuance frequency so that the OCSP responder feed with them could provide the more appropriate value for the nextUpdate in the response." Am I reading the section right? If I am, doesn't that effectively mean that there would be a new delta CRL issued with every full one (or at least with every full CRL containing no new revocation records)? 9.1 OCSP Service Architecture ----------------------------- What are the "OCSP High Level Responders"? OCSP Client Configuration Examples ---------------------------------- The actual example is missing. Regards -- Milan Sova sova@cesnet.cz
Dear Milan, Please find below our responses about your comments contained into the DOC file. In another post we'll try to comment the rest of your email. Best regards and enjoy Tokio! Oscar & Jesus ***Pag 4, line 28: MS1: I'd rather not deal with authorization in an OCPS resquirements document. JLG: OK we should clearly separate OCSP and AuthZ, however let's tell the readers that OCSP may be used as a Validation mechanism able to deny access to users (blacklisting through invalidation) prior to let them into the Authz process itself. ***Pag 5, line 28: MS3: IMO there's a significant terminological difference between a "relying party" (any party relying on the PKI) and an "OCPS client" (software used by some relying parties to get some information) JLG: Maybe the definition for both terms should be provided in an introductory manner, but we may be able to specify that "Relying Party" will be used instead through the document. ***Pag 5, line 32: MS4: DO we need this sentence? That's the same meanign of "issuer" as everywhere and always... JLG: I'm not getting your point here, are you saying to use "issuer" instead of "appropiate OCSP Responder"? ***Page 6, line 32: MS6: Can we reach this goal in the near future? I think some transition period with CRL-only clients JLG: Agree with you, however I don't know where in the document such period should be proposed. Anyone in the list with experience from previous GGF recommendations managing with the introduction of new mechanisms/protocols? Maybe if in that paragraph we change the MUST for a SHOULD? However let's note that section 4 applies to OCSP and its use in relying parties; most of the features explained in this section can't be applied to CRLs because they just weren't intended to. ***Pag 7, line 32: MS7: I'd preferably skip the certificate suspension discussion (the previous three paragraphs). Let's define the usage of OCSP within our current environment and take care of the modification of the environment separately. JLG: I see two points here: in first place and as an analogy with the Proxy revocation topic, we could ommit any comments about the certificateHold status until more practical experience is achieved. On the other hand, it may be useful to warn CAs about the potential implications of setting such status for "temporally" revoked certificates because in our experience sometimes it is used indiscriminately. What do you think?
I think it is a mistake to equate "relying party" with "client". These are two different concepts, and the first term is relatively poorly understood among computer professionals (or at least unfamiliar to many of them), while the 2nd isn't. Anyway, back to the difference. A relying party relies - it acts on some assertion. A client consumes - it just takes the stuff it gets from the big producer (the server). There are times when we are clearly talking about an OCSP info consumer and not talking about the decision that the underlying system will make based on that OCSP info. Also, it is somewhat inappropriate to describe the OCSP client as the relying party, since the RP can chose to ignore the information if it needs to, based on some other criteria.
Hello again Milan, Please find below some other comments to your previous email, sorry for the late response and hope the CAOPS Meeting@Tokio was OK! Best regards, Oscar & Jesus
Throughout the document: I'd rather skip all referencing to "blacklisting". It is being used here in a pure authorization meaning - denying somebody access to a resource. I don't think authorization decisions should be handled by invalidating the result of authentication.
JLG: Let me cite here a previous email exchanged with David Chadwick a few months ago, precisely about blacklist-like mechanisms and OCSP: "Of course. CRLs, revocation, OCSP are all black list mechanisms. The alternative is to have white lists and to ask the issuer if a cert is on its white list or not. But this is a different type of validation to the one that I am talking about with the CVS. It is only an initial important first step in validation."
5.5 Responder Discovery ---------------------- - I'm not sure I understand the section properly. "Any OCSP server acting as Clearinghouse or Trusted Responder MUST be contacted first." - Why?
JLG: Clearinghouses & Trusted Responders sign OCSP Responses with a private key issued by an authority in which the relying parties implicitly trust (ie IGTF). Compare versus Authorized Responders signing OCSP Responses with a private key in which relying parties must trust explicitly.
6.3. Revocation Information Sources ----------------------------------- "blacklist" again
JLG: Pls refer to first response and previous email.
8.2.1 Delta CRLs ---------------- - I don't seem to see the point here. Let me try to express my reading of the section:
"One of the problems with current Grid CAs' full CRLs is their long expected lifetime, i. e. the nextUpdate pointing to at least 7 days in the future. This behavior is motivated by the software used by Grids (OpenSSL) and by the potential network problems. However, this usage of nextUpdate takes out the possibility of expressing the CRL issuance frequency in the CRL itself (some CAs issue them several times a day but the the only place to find out the frequency is their CP/CPS). The Delta CRLs are proposed to solve the problem - their nextUpdate would reflect the actual CRL issuance frequency so that the OCSP responder feed with them could provide the more appropriate value for the nextUpdate in the response."
Am I reading the section right?
If I am, doesn't that effectively mean that there would be a new delta CRL issued with every full one (or at least with every full CRL containing no new revocation records)?
OM: Milan, your summary of the section is correct. However, your conclusion is not. When a full CRL is issued, there are no deltaCRLs to issue because such D DeltaCRLs always refer to the full CRL that was issued last. In any case, I don't see what is the point you want to make. Do you propose rephrasing the section?
9.1 OCSP Service Architecture ----------------------------- What are the "OCSP High Level Responders"?
JLG: Please find explanation in section 7.1.3 adcording to the Relying Party's point of view.
OCSP Client Configuration Examples ---------------------------------- The actual example is missing.
JLG: Appendix B.1, page 21?
Hi Here are some minor changes you may want to consider making in the document. All the best Matt Abstract ...or otherwise invalid certificates from *being used*. ...OCSP services must be discoverable, fault tolerant and *have* low latency. 2. Introduction ...for relying parties to perform revocation *checks on* certificates... 3. Practical Considerations and Expectations ...presents a *scalability* problem... 3.1 Certificate Revocation Lists ...somewhat like *a trusted* responder)... 7.1.2 OCSP Clearing house In order for such a service to be *trustworthy*... 9 Other Considerations (I feel the first sentence is rather clunky - perhaps something like the following is better) While OCSP as a technology has been around for several years, *it has yet to make a significant impact to the Grid community.* On Wed, 2006-03-22 at 18:11 +0100, Oscar Manso wrote:
Dear all, We attach the last review of the document in the usual formats. .doc with track changes and .pdf with all the changes being accepted. A summary of introduced changes can be found at the end of the document. We would like to remind Milan to introduce his contact data.
Oscar and Jesus
-- Matthew Viljoen CCLRC e-Science Centre Rutherford Appleton Laboratory Tel: +44 (0) 1235 778144 E-mail: m.j.viljoen@rl.ac.uk Web: http://www.e-science.clrc.ac.uk/web/staff/matthew_viljoen
...or otherwise invalid certificates from *being used*. from use reads ok to me - maybe it's not recognized as standard in the UK?
...OCSP services must be discoverable, fault tolerant and *have* low latency.
don't care, but why not "have fault tolerance" too?
3. Practical Considerations and Expectations ...presents a *scalability* problem...
3.1 Certificate Revocation Lists ...somewhat like *a trusted* responder)... No, this changes the sense, what was meant should perhaps have been
7.1.2 OCSP Clearing house In order for such a service to be *trustworthy*...
Ok, but scalability seems to me like a concept applied to a particular service and scaling applied to a problem or a system as a whole. So we need a scalable solution to a scaling problem. Maybe that's idiosyncratic usage, sorry if so. put in quotes then, like a "Trusted Responder (see below)" trustable or trusted reads better to me; "trustworthy by" doesn't seem right.
9 Other Considerations (I feel the first sentence is rather clunky - perhaps something like the following is better) While OCSP as a technology has been around for several years, *it has yet to make a significant impact to the Grid community.*
This sentence implies the wrong relationship between OCSP & Grids. It suggests that there is something wrong w/ OCSP that has kept it "from use" in Grids. That may be, but is yet to be shown. The existing sentence may be phrased better somehow ("if used are not..." is better verb agreement) but reflects the sense of the relationship between Grids & OCSP better.
participants (6)
-
Jesus Luna
-
jluna@ac.upc.edu
-
Mike Helm
-
Milan Sova
-
Oscar Manso
-
Viljoen, MJ (Matthew)