- Number of slides: 17
CA Operations, GGF 9, Chicago, October 6th, 2003
Agenda
- Intellectual Property statement
- WG Admin
  - Randy Butler's retirement
  - Darcy Quesnel drafted minutes of last meeting
- Last call update
- Document review
  - Policy Management Authority doc
  - Certificate Profile doc
  - Grid Common CA naming practices
- Future efforts
  - SCVP
Working Group Admin
- Second note taker
- Minutes of last meeting
  - Darcy Quesnel drafted
- Co-chair change
  - Randy Butler - retirement
- Grid Forge site
  - http://forge.gridforum.org/projects/caops-wg/
- Last call documents
  - PDS
  - Automated Client Certs
Document Review
- Policy Management Authority
- Grid Common CA Naming Practices
- Certificate Profile
Grid PMA Charter doc
- Returned for Tokyo GGF-7
  - Too many references to GGF PMA
  - Hence needs refocussing
- Changes Mar-May 2003
  - Refocus
  - Gietz / Cowles edits
- Missed GGF-8
  - DOEGrids CA release
Grid PMA (2) Changes
- Peter Gietz
  - More general abstract
  - Directory references
  - Suggestion about restructuring section 6, By-laws
  - Suggested expanding examples
- Bob Cowles
  - New co-author added ~ Tokyo
  - Extensive changes throughout Sections 2-4
  - Language, wording, clarifications &c
  - Look at the different versions to appreciate
    - http://www.lbl.gov/~mike/...
- Editorial changes (MWH)
  - Rewrote introduction
  - Suspend suggestions (removed)
Grid PMA (3) Changes (2)
- Introduction
  - Deleted obsolete GGF PMA language; now describes problem, justifies work better.
  - Stilted, wordy
- Section 2 Scope
  - Removed some introductory material
- Remaining sections
  - Is the balance correct?
  - Editorial changes (wording, mostly deletions)
- Suggestions
  - Decided to delete most of these (for now)
    - Latitude for PMA to decide on its own (By-Law structure)
    - Interest, time (expanding on known PMAs)
    - Possible successor task (federation groups)
Grid PMA (4) Plans
- Convergence by authors:
  - A couple of suggestions:
    - Succession/expulsion
    - Committee assignments (from DOE CP)
  - E.g., "Naming Authority" - see DOE CP 1.3.1
- Feedback from CAOPS
- Last call again
- Expect 2 editorial passes
  - One from me
  - One caused by GGF Doc process
- Discussion....
Grid Certificate Extensions Profile
- Thesis: consistent usage of X.509 extensions promotes interop
  - Hence a Really Good Thing
  - Subtext: what is the minimum?
- Interactions:
  - Proxy cert draft/support
  - Cert types/usage
  - Requirements in XML-based solutions
- Where are we?
  - One nibble from Matt Crawford (during my black hole period)
  - Is this interesting?
  - Who can help, and to what end?
Grid Common Naming
- Thesis: consistency about URLs (naming &c) of common CA features would simplify the decision-making process & operations
  - Hence a Really Good Thing
- Create a best practices recommendation
- Complement cert extensions document
- Where are we?
  - Is this interesting?
  - Who can help, and to what end?
  - Needs some revision; we have learned more things
Simple Certificate Validation Profile (SCVP)
- IETF-PKIX: search for … the abstract says it all:
  "SCVP allows a client to offload certificate handling to a server. The server can provide the client with a variety of valuable information about the certificate, such as whether the certificate is valid, a certification path to a trust anchor, and revocation status. SCVP has many purposes, including simplifying client implementations and allowing companies to centralize trust and policy management."
  - See draft-ietf-pkix-scvp-12.txt and RFC 3379 (Delegated Path Validation and Delegated Path Discovery Protocol Requirements)
- DPV & DPD: a lightweight client evaluates a cert, using a server
  - Tell me what I want to know about this cert: should I trust it? &c
  - DPD - data acquisition (discover a path to a trust anchor)
  - DPV - evaluation (validate that path)
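An added example, not from the slides or from any project they mention, that ties the SCVP slide and the Certificate Extensions Profile slide together: it builds a tiny root / intermediate / end-entity PKI with openssl, shows the DPD step (supplying the intermediate the client does not hold) and the DPV step (validation to the trust anchor), and checks each cert for the X509v3 extensions a profile would require. It assumes openssl 1.1.1 or later on PATH; all subjects and file names are constructed.

```shell
#!/bin/sh
# Added example (not part of the GGF-9 slides): a three-tier PKI built with
# openssl to show what SCVP's DPD (path discovery) and DPV (path validation)
# offload from a client, plus the kind of extension check a certificate
# profile implies. Requires openssl >= 1.1.1; all names are constructed.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Extension sets: CA certs must assert CA:true and keyCertSign; end-entity
# certs must not be usable to sign other certificates.
printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:false\nkeyUsage=critical,digitalSignature\n' > ee.ext

csr() {  # csr <name> <subject>: fresh RSA key and a CSR for it
  openssl req -newkey rsa:2048 -nodes -subj "$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
sign() {  # sign <name> <issuer-name> <ext-file>: issuer certifies the CSR
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 30 -extfile "$3" -out "$1.pem" 2>/dev/null
}

csr root "/CN=Example Grid Root CA"   # trust anchor, self-signed below
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.pem 2>/dev/null
csr inter "/CN=Example Grid Intermediate CA"; sign inter root ca.ext
csr user  "/DC=org/DC=example/CN=Jane User";  sign user inter ee.ext

# DPV: validate a cert to the trust anchor. The optional second argument is the
# intermediate material a DPD step would have fetched; the client itself holds
# only root.pem. Echoes OK/FAIL so outcomes can be compared.
dpv() {  # dpv <cert> [untrusted-chain-file]
  if [ $# -gt 1 ]; then
    openssl verify -CAfile root.pem -untrusted "$2" "$1" >/dev/null 2>&1 && echo OK || echo FAIL
  else
    openssl verify -CAfile root.pem "$1" >/dev/null 2>&1 && echo OK || echo FAIL
  fi
}

# Profile check: does the cert carry a given X509v3 extension (by display name)?
has_ext() {  # has_ext <cert> <"Basic Constraints"|"Key Usage"|...>
  openssl x509 -in "$1" -noout -text | grep -q "X509v3 $2:" && echo OK || echo FAIL
}

echo "anchor only, no path discovery:   $(dpv user.pem)"             # FAIL
echo "with DPD-supplied intermediate:   $(dpv user.pem inter.pem)"   # OK
echo "user cert has Basic Constraints:  $(has_ext user.pem 'Basic Constraints')"          # OK
echo "user cert has Subject Alt Name:   $(has_ext user.pem 'Subject Alternative Name')"   # FAIL
```

The first verify fails only because the client lacks the intermediate, which is exactly the gap DPD closes; the last line shows the profile check flagging an extension the constructed user cert does not carry.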
SCVP (2) Motivation
- DOEGrids released a new CA infrastructure in 2003. Our community had tremendous difficulties absorbing the new CA.
- GSI/openssl DOES NOT SCALE
- Client side (proxy generation) is too heavy
- Result: market limitations, bad decisions (compromises) &c
SCVP (3) Can this PKIX effort help us?
- Asks the right questions
- Reflects some industry interest in "our" problem
- DPV/DPD and SCVP represent a lot of work on a solution
- SCVP seems capable of more flexibility
SCVP (4) Negatives
- ASN.1
- Public domain support
- Industry support
- Conflict with XKMS
  - Cite discussion with XKMS author
  - To me, they appear to be in the same niche, but use cases don't match
SCVP (5) Need for a Project
- SCVP nears completion in IETF
- Need for a Grid-(SCVP)
- We don't need the whole solution (X.500)
- We probably need some other things
  - Legacy support
- Need development
- Discussion of applicability & direction