
Re: RV: [caops-wg] Re: Grid OCSP proposal



Hi All,
Sorry for the late response, but last week we were not in Barcelona. Comments to the last email are shown below in the original text and a DOCument with such changes is being attached.
Regards,
Oscar & Jesus

Milan Sova wrote:

-- I've removed several occurrences of "suspend" and "suspended" basically
   in contexts like "revoked and suspended". IMO suspension is just a
   special case of revocation.
Agree with you as Note 3 in page 5 already makes clear such difference and no additional remarks are then necessary.

-- Section 2, p.2
   removed redundant "or invalidated" from "revoked or invalidated" in
OK

-- corrected spelling of "openssl" to "OpenSSL" throughout the
   document
OK

-- removed (mostly my) comments from the document
OK

-- Section 3, p.3:
   Removed point about "establishing of authorized OCSP responders
   between Grid CAs" being the way to achieve interoperability and
   "trust relationships among Grid PKIs"
   - it didn't make much sense to me
We have changed a little bit the original text as the spirit of such note is to make clear that a VO may integrate more than one CA and thus OCSP Authorized Responders are necessary.

-- Section 3, p.3:
   Removed point making requirements on the OCSP service provider
   - I think it belongs into "Requirements" section.
To which point are you referring? We are kind of confused about it   :)

-- Section 5.4, p.5:
   crosslink to Section 4
   removed "Another Responder discovery solution consist of
   configuring a Global OCSP Redirector per domain in charge of
   redirecting the relying party's OCSP request according to specified
   parameters (i.e. OCSP load, network traffic, availability, etc.)."
   - it is just a special case of a local trusted responder.
Also we have inserted a crosslink to 6.5 where the Global OCSP Redirector is first mentioned (to avoid redundancy).

-- Section 5.7
   "Revoked with status Suspended or OnHold"
      -> "...with revocationReason certificateHold..."
OK

-- Section 6.2
   Crosslink to Section 4
OK

-- Section 6.6
   reverted the section back to Olle's version. The modified version
   did not make much sense to me
We have inserted a crosslink to 6.3 as a way to possibly use DeltaCRLs (Push Operation Mode) for managing Proxy Certificate Revocation. Even though we agree that such topic shall remain outside the scope of the document.


-- Section 10
is empty - I didn't succeed to persuade my OpenOffice to get rid of it ;(
We believe that what happens is that when opening the document with Microsoft Word the section numbers are rearranged so that section 10 shows the following text (that we consider to be correct):

"According to our experience some Grid's Relying Parties may need to define OCSP policies related to OCSP behavior as explained in this document. Such policies may include rules for dealing with OCSP Request and Responses (i.e. required signatures, required extensions, preferred OCSP responders, validation of OCSP Response freshness, responses caching, etc.) and can be parsed just once at initialization time (i.e. Proxy creation).
Finally, service providers implementing OCSP architectures based on Grid Services features like discovery and notification should also be considered as they may bring interesting advantages to this field."
.

-- Section 11
   I'm not sure whether the statement of OCSP policies and Grid
   Services fits into the document spirit...
We agree in deleting reference to Grid Services at this moment. However the OCSP Policies proposal has the objective of "customizing" the behaviour of OCSP services in a Grid environment by defining several of the parameters mentioned in the document. At this time we are working in a prototype to show such convenience so when it is ready we may be able to send you the related information.

-- Section 14
   replaced the Authorized Responder definition by a citation from
   RFC2560
   - are we really going to have a Definitions section? If so, it
     would probably look better if we include some more of them ;)
On a second thought this section can be deleted as the only definition was already mentioned in sections 4 and 8.1
Taking a closer look to the document we could not find another term suitable to fit as a "definition", however if someone else has a proposal it may be the time to talk about it.

    Regards

By the way, we have a couple of additional questions more or less related with such document:
-On the GGF 14, is the CAOPS-WG planning to present some kind of talk or meeting about this document? We may have read something about it in the minutes from GGF 13, but were not sure...
-We are about to finish some testing of the integration of our OCSP classes into the Jglobus libraries, so we may use them into the GT4 Java Core and Proxy Init routines. Do you know any existing Grid benchmarks/loadtest environments/simulators that can be used to perform such testings? Any suggestions?

--

____________________
Jesus Luna Garcia
PhD Student. Polytechnic University of Catalonia
Barcelona, Spain
jluna@ac.upc.edu

Attachment: OCSP_Requirements_for_Grids_ms_ReplyOM_JLUNA.doc
Description: MS-Word document