From: dane@fnal.gov
Sent: Wednesday, December 10, 2003 1:13 AM
To: dg-eur-ca@services.cnrs.fr
Cc: nightwatch@fnal.gov; vo-project@fnal.gov
Subject: Questions on authentication responsibilities (revisited)

Looking back over the list, discussion on this topic trailed off in early October without a clear resolution from the burst of mail at the end of September. Let me try and summarize what I understand to be the trends then toward answers to my 6 questions, at least as a (re)opening to the discussion.

Questions of who has what responsibilities in regards to GSI authentication for this group of CAs' subjects.

****

Q1] Who is responsible for assuring that each subject is unique?

A: The CAs have full responsibility for this. It should be specified in their CPS, and complaints are addressed to the CA, and their PMA if needed.

Q2] Who is responsible for assuring that a certificate is issued to the appropriate entity?

A: The CAs (through their RAs, if any) have this responsibility. Their standard of due diligence in assuring the proper connection is specified in the CPS and reviewed by the PMA. Complaints are addressed to the CA, and the PMA if needed.

Q3] Who is responsible for assuring that the CA's private key is well enough protected?

A: The CAs have this responsibility. Their standard of due diligence is specified in the CPS and reviewed by the PMA. Complaints are addressed to the CA and the PMA.

Q4] Who is responsible for assuring that compromised identities are revoked?

A1: CAs will honor all requests for revocation of certificates that demonstrate possession of the private key per its CPS. The method of making this request is currently determined by each CA.
(Does the requestor have a responsibility to check that the request has completed?)
(Does the discoverer have responsibilities for advertising the discovery? To whom?)

A2: Exposure of an encrypted private keyfile is as yet an unresolved case.

Q5] Who is responsible for assuring that the private key is held ONLY by the subject (and entities the subject authorizes in compliance with the CPS of the issuing CA)?

A: The subject user (or administrator for services) has responsibility for protecting the private key. The standard of due diligence is set how? The user is trained in how to do this by whom? Complaints are addressed to the VO of which the subject is a member (how is this determined?).

Q6] Who is responsible for assuring that proxies are not stolen?

A: The managers of services receiving delegated proxies are responsible for protecting those proxy credentials. (Who determines what is an authorized use of a proxy, and how is that relayed?) The standard of due diligence is set by each service manager (and communicated to relying parties how?) and reviewed how? Complaints are addressed to the service manager / officials at the hosting site / the VO?