CA OPS WG GGF18 Sep 12 2006 Agenda: OCSP Roundup, Jesus Luna Audit Guidelines, Yoshio Tanaka Authentication Profiles, Tony Genovese Certificate Profile, David Groep Glossary, David Groep Minutes: Darcy noted the GGF/OGF IP policy and reviewed the agenda. Tony Genovese introduced the "Guidelines for Authentication Service Profiles for Grids" document. New authentication profiles are being discussed in the IGTF: Short Lived Certificate Services, Member Integrated Certificate Services This document lists items that each authentication profile should contain. The current version is simplified from an earlier version. Q: Is this applicable to campus identity providers or to the federated operator who is aggregating the information about campus identity providers? A: Both. Anybody who works with Grids. There was some discussion of the use of "federation" in this document and if it's consistent with other uses of that term. Q: What is the relying party's role? A: The relying parties provide requirements. Q: Can you assign levels of trust to an authentication service? A: Yes, for example GFD.16 addresses this. Comment: This document describes current practice, and we may need a different document to support new practices such as Shibboleth use in grids. Q: Does this document need to discuss federations at all? A: These profiles are used by the IGTF PMAs (federations). Are there any issues on content for the 11 points in the document? Please read the document and discuss on the mailing list. David Groep presented the Grid Certificate Profile document (see slides). Q: Are service certificate addressed? A: Yes, this is covered in the end-entity section. Q: Why get rid of uid? The LDAP standard says you should use uid instead of CN in some cases. A: The issue is "userid" versus "uid". It's a software compatibility issue. Part of the aim of the document is to document what works and what doesn't work in today's software. Q: Why does section 3.3.11 say subjectAltName must be present? A: It's from the Classic Profile. David changed it to SHOULD. Q: Should emailAddress be a requirement? A: Some CAs don't include it for privacy reasons. The group agreed with the proposal to bring the document to last call in the next few months. David Groep presented the need for a glossary maintained on a wiki (see slides). Comment: How do we get participation from other communities, such as the Shibboleth community? Q: Is this glossary to explain terms used by this group or to define how these terms are defined in the real world? A: More to bring consistency to what this group is doing. Comment: Can we bring in terms from existing GGF security glossary documents? Yes, let's do that. Q: Should the glossary restrict itself to X.509 only or should it try to include more general definitions? How does the glossary impact current documents? We can allow multiple definitions in cases of conflict.