Dear folks in the OGF CAOPS, VOMS-PROC and NSI working groups.

I'd like to initiate some discussion among the participants in these working groups for the use case referred to in the talk at the link below. 

Some review of the conditions for this use case would be helpful. Note this is also a use case that comes up in Internet-of-Things discussions, and has caused some discussion on the PKIX group list (though that group is now dormant of course) and other related lists lately.

To me this is a familiar situation with well-known parameters, but possibly some additional considerations, and might possibly lead to some useful communication among the members in these groups about solutions that could be applied using existing technologies that would avoid the possible downsides associated with the proposed use of self-signed certificates. (For example, extended attribute certificates as used in VOMS, though the same or perhaps through a different implementation, might be a good solution here; other solutions might be contemplated that would be more attractive than self-signed certificates for this situation.)

Your comments, discussion and input are recruited (by me -- I'm not speaking for the NIS-WG members per se!), and I hope that all parties will regard this as useful discussion for information exchange only.

Thanks,
Alan

Begin forwarded message:

From: Guy Roberts <Guy.Roberts@dante.net>
Subject: RE: [Nsi-wg] Wednesday's NSI conf call
Date: July 30, 2014 at 1:30:19 PM GMT+2
To: Alan Sill <kilohoku150@gmail.com>

Hi Alan,
 
Please find the slides on NSI security here:
 
 
The proposal is that  NSAs will run their own private Certificate Authorities (self-signing) rather than using public Certificate Authorities.  Participating NSAs will then exchange information about  each other’s Certificates in an ad hoc way.
 
This solution does not scale well as private Certificates have to be manually shared, but it reduces the size of the certificate pool.
 
Guy
 
From: Alan Sill [mailto:kilohoku150@gmail.com] 
Sent: 30 July 2014 10:56
To: Guy Roberts
Cc: Alan Sill
Subject: Re: [Nsi-wg] Wednesday's NSI conf call
 
Guy,
 
On Jul 30, 2014, at 11:02 AM, Guy Roberts <Guy.Roberts@dante.net> wrote:

 

- comments/feedback from last week’s presentation from John on ‘Secure Communications with Self Signed Certificates’
 
Are copies of these slides available? I would like to understand the context.
 
(In general, use of self-signed certificates is risky at best, so I would like to understand the use case here.)
 
Alan