[caops-wg] OCSP & Proxy Certs
jluna at ac.upc.edu
Wed Jan 25 13:51:18 CST 2006
Mike's email is pretty comprehensive and there are several interesting
points to comment. I'll try to make it in a couple of emails (hope so!)...
Mike Helm wrote:
>Time limits - minutes to weeks (potentially longer)
I can see that these "longer lived" proxy certificates are like the kind
of credentials that you commented in your last email (something related
with OSG Consortium).
IMHO it looks like in the worst of the cases they can be treated like
EEC...or even SLC (which seems to be one hot topic at the in-progress
in any case hope we can found that they can be covered by the mechanisms
described the OCSP Reqs document (at a glimpse I don't see a reason for
>Services using proxy certs
>Will have access to the end entity certificate that
> tops the proxy chain
This is enough information for the OCSP Responder -should it be aware of
Proxy Certificates statuses-.
>SLCS - short lived certificate services
I was not aware of such concept, but reading the TAGPMA document at:
I've found that in section "4.3 Revocation" the following is stated: "It
is assumed that the Short Lived Certificates will not need to be revoked
because their life time is shorter
than the update cycle of most CRLs. If revocation is supported, then
revocation requests can be made by certificate holders, Site identity
managers and the SLCS CA.
These requests must be properly authenticated. Others can request
revocation if they can sufficiently prove compromise or exposure of the
associated private key.
Individual holders of a SLCS certificate must request revocation if the
private key pertaining to the certificate is lost or has been
compromised, or if the data in the certificate are no longer valid."
Most of the text is pretty similar to Mike's conclusions at the end of
this email and the interesting point here are from my point of view the
-Entities able to make revocation requests and even though the protocol
to use is not specified maybe we should take a similar text.
-However I don't agree at all with the "Others can request
revocation...." maybe it is too open and in our case should be
constrained to Mike's comments below ("Who can revoke....").
BTW in some place I read that SLC must contain AIA extension with OCSP
>Who can revoke proxy certs (or who wants to revoke them)?
>Let me list some possibilities, from less controversial to more,
>and then discuss some usage scenarios.
>- The EE certificate owner
>- A lower generation proxy cert from the chain
>- the proxy cert itself
>- the affected resource owner
>- a local security officer
>- The EE cert issuer or any member of that chain
>The latter Jesus mentioned in his message ... and it seems weird
My terrible mistake I was trying to express with words a concept related
to the "branch pruning" slide from the PPT being commented, where the
Proxy Cert should
be revoked in some entity above in its Cert Path has been revoked :)
>>From this I conclude that the only AIA that's safe is the EE's
>link to his issuing CA's OCSP responder; or, an OCSP server acting
>as a clearinghouse - community resource (like certiver, or the
>DOEGrids demo for EUGridPMA).
Here I would like to highlight again the possibility for the parties to
agree beforehand (at VO creation/planning) on a OCSP Responder
maybe different from AIA, so it may be necessary to let them the
flexibility to configure such agreed OCSP Responders at some level:
Maybe at the OCSP Policy/client configuration?
In any case it would be interesting to take the chance of current
EUGridPMA meeting maybe to pose the neccesity of having a (set of)
Trusted OCSP Responders which I understand is the clearinghouse Mike
mentioned here. I think that Tony Genovese is talking about a
Cert Validation Service so it would be interesting to hear about this topic.
>We should recommend CA operators include an AIA URL for OCSP, and
>stand up a server.
Or specified at a policy agreed beforehand as mentioned above.
>Since not every CA can do this, we should recommend some agency
>(IGTF? commercial?) stand up clearinghouse OCSP responders which
>can become well-known & trusted resources
Maybe at PMA's Authentication profiles or at some simmilar document this
could be reinforced in a near future. TERENA's TACAR repository could be
also a good idea
for a service like this and maybe interesting to mention there now that
NREN Grids are being
commented at their taskforces.
>A protocol for permitting authenticated updates (registering of
>revoked proxy certs) may need to be developed
Oscar and myself will try to comment something about this topic later,
as we have developed
such mechanisms at the CertiVeR project.
>OCSP client software must ignore "unknown" responses about proxy
>certs - no info is no info in this case.
OK, but should it be also a config option for those clients whose OCSP
provider does not
support proxy revocation?
>I am sure there is much more to say about this and other views.
>I have some document comments about some minor points but I have a
>plane to catch and will get back to that in a day or 2.
Have a nice travel Mike and hope to read from you soon!
Regards a todos!
o o o Jesus Luna Garcia | Polytechnic University of Catalonia
o o o PhD Student | Department of Computer Architecture
o o o phone: +34 93 401 7187 | Campus Nord. www.ac.upc.es
U P C fax: +34 93 401 7055 | C/Jordi Girona 1-3, Modul D6-116
E-mail: jluna at ac.upc.es | Barcelona 08034 SPAIN
More information about the caops-wg