David Groep IGTF Worried about reliability of CRL's APGridPMA update accredited 3 new CA's audited 2 CA's TAGPMA update SLCS document ok'ed plan 7 Latin American CA's plan 1 U.S. KCA EUGridPMA planning on dropping requirements to level 2 for HSM no objections, TeraGrid is ok with it PKIrisGrid accepted version control of the rpm distributions how often should the rpm be rebuilt and pushed out? more often is the consensus relying parties use their own distribution mechanisms for this monitoring systems like Nagios APGridPMA would like to run a Nagios mirror server communication about CA operations via PMA is a step forward? some of this information can be aggregated through Nagios may be a duplication of effort? grids have this? common mechanism like an RSS feed? can we publish escalation info, like phone number? status in a central place if local CA's are down? what is inaccessible? = Previous GGF roundup PMA model charter, done 1SCP policy, new document, Milan policies for experimental services, new document certificates for automated documents certificate extensions = Jesus Luna OCSP who can revoke certificates? how does certificate validation work by David Chadwick fit in? must deal with proxy certificates david groep or olle mulmo have to contribute autorized responder text will update document tommorrow with some text should an OCSP responder be used for blacklisting? delta crl's aren't handled by some clients what about suspended certificates? a lot of deployment strategies! needs some editing and input how are proxy certs revoked? the issuer is notified? is the url in the cert? in a config file? proxies in local OCSP responders? voms-proxy-init!? = David Groep Namespace Validation some middleware accepts overlapping namespaces the switch sign hierarchy as an example is both good and bad middleware development projects only implement positive rights this is a vulnerability! are relying party namespace constraints a good idea? yes, concensus why not use XACML? what about policy identifiers? a large european project will go ahead with the the current format we need middleware developers involved