Fwd: Re: Call for minor non-disruptive updates to GLUE 2.0

Sorry, I mistakenly replied only to Alan, but I meant to reply to the list.

-------- Forwarded Message --------

Hi Alan,

On 08/09/14 15:25, Sill, Alan wrote:
> On Sep 8, 2014, at 2:13 PM, Paul Millar <paul.millar@desy.de> wrote:
>> 1. create a registry where people can add CA bundle along with some canonical name,
>
> This type of registry, if created, would be meaningless without secure links to the CA bundles and an accompanying description of policy for each. This in fact is what the IGTF provides for each of its published bundles.

I'm not sure what you mean by "meaningless", but certainly the registry entry for some CA-bundle should allow a user to navigate to the list of certificates and a description of the bundle's policy. (Be aware that this is not a security-related issue: the published information only provides a hint whether or not a client's X.509 certificate is from a CA the server trusts.)

> TACAR maintains a list of individual CAs along with secure links to download their individual CA trust anchor files, but only for a subset of academic CAs.
>
> I suggest generic language that refers to both as examples.

My point is that we shouldn't include these kinds of examples; they point to a problem in the GLUE document that can be fixed for GLUE 2.1.

The problem is that we (the people writing GLUE 2.x documents) might know what "IGTF-SLCS" should mean but unless it's written down we risk:

a. someone will use an incompatible value to refer to the same thing ("igtf slcs", "urn:ogf:glue:ca-bundles:igtf:slcs", ...)
b. someone won't understand what "IGTF-SLCS" means.

HTH,
Paul.