One potential way to solve this problem, without completely relying on OASIS or another organization to support this infrastructure for an indefinite period, is ...
Download and configure OpenSSL to act as CA and OCSP. Issue a root CA certificate, and set up a few certificate profiles. Then zip up the package and upload it to IdTrust MS document repo. Then anyone can run it. Of course they might need to configure the OCSP endpoint and CRL distribution point DNS names in /etc/hosts to point to a local version. Also, someone could volunteer to run this infrastructure for a time, but if they should decide to stop supporting it, someone else could pick it up.
Regards,
Mike
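As an added example (not Mike's code, nor anything from the thread), the following POSIX shell script does what the message above proposes: it configures OpenSSL as a CA with a leaf profile that carries CRL and OCSP pointers, issues a certificate, revokes it, and shows both the CRL check and an OCSP exchange flipping from good to revoked. It assumes openssl 1.1.1 or later on PATH; the hostnames ocsp.example.test and crl.example.test and all subject names are placeholders. The OCSP exchange is run offline through request/response files (openssl ocsp -reqin/-respout), which is the same responder logic that `openssl ocsp -port` serves over HTTP, so the /etc/hosts step from the message is only needed when clients fetch the URLs over the network.

```shell
#!/bin/sh
# Added example, not code from the thread: a throw-away OpenSSL CA with a
# CRL distribution point and an OCSP responder, as proposed above.
# Assumptions: openssl 1.1.1+ on PATH; ocsp.example.test, crl.example.test
# and the subject names are placeholders (in the proposal these would be
# the names a tester points at a local responder via /etc/hosts).
set -eu

# make_ca DIR: CA database layout, a minimal config for `openssl ca`,
# the self-signed root and an initial (empty) CRL.
make_ca() {
    mkdir -p "$1/newcerts"
    : > "$1/index.txt"
    echo 1000 > "$1/serial"
    echo 1000 > "$1/crlnumber"
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = test_ca
[ test_ca ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_cn
[ policy_cn ]
commonName = supplied
# Leaf profile: tells relying parties where this CA's CRL and OCSP live.
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
authorityInfoAccess = OCSP;URI:http://ocsp.example.test/
crlDistributionPoints = URI:http://crl.example.test/ca.crl
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
    openssl req -config "$1/ca.cnf" -x509 -newkey rsa:2048 -nodes \
        -keyout "$1/ca.key" -out "$1/ca.crt" -days 3650 \
        -subj "/CN=IDTrust Test Root CA" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" 2>/dev/null
    gen_crl "$1"
}

# gen_crl DIR: publish the current CRL (what crl.example.test would serve).
gen_crl() {
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/ca.crl" 2>/dev/null
}

# issue_leaf DIR NAME: key + CSR, then sign with the leaf profile.
issue_leaf() {
    openssl req -config "$1/ca.cnf" -new -newkey rsa:2048 -nodes \
        -keyout "$1/$2.key" -out "$1/$2.csr" -subj "/CN=$2" 2>/dev/null
    openssl ca -config "$1/ca.cnf" -batch -extensions leaf_ext \
        -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
}

# revoke_leaf DIR NAME: mark the certificate revoked and republish the CRL.
revoke_leaf() {
    openssl ca -config "$1/ca.cnf" -revoke "$1/$2.crt" \
        -crl_reason keyCompromise 2>/dev/null
    gen_crl "$1"
}

# crl_verify DIR NAME: path validation with CRL checking; prints ok/rejected.
crl_verify() {
    if openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/ca.crl" \
        "$1/$2.crt" >/dev/null 2>&1; then echo ok; else echo rejected; fi
}

# ocsp_status DIR NAME: OCSP exchange through files. The client builds the
# request, the responder answers it from the CA database, the client
# verifies the signed response and prints the status (good/revoked/unknown).
ocsp_status() {
    openssl ocsp -issuer "$1/ca.crt" -cert "$1/$2.crt" -no_nonce \
        -reqout "$1/$2.req.der" >/dev/null 2>&1
    openssl ocsp -index "$1/index.txt" -CA "$1/ca.crt" \
        -rsigner "$1/ca.crt" -rkey "$1/ca.key" \
        -reqin "$1/$2.req.der" -respout "$1/$2.resp.der" >/dev/null 2>&1
    openssl ocsp -respin "$1/$2.resp.der" -issuer "$1/ca.crt" \
        -cert "$1/$2.crt" -CAfile "$1/ca.crt" -no_nonce 2>/dev/null \
        | awk -v f="$1/$2.crt:" '$1 == f { print $2 }'
}

main() {
    d=$(mktemp -d)
    make_ca "$d"
    issue_leaf "$d" leaf
    echo "before revocation: CRL=$(crl_verify "$d" leaf) OCSP=$(ocsp_status "$d" leaf)"
    revoke_leaf "$d" leaf
    echo "after revocation:  CRL=$(crl_verify "$d" leaf) OCSP=$(ocsp_status "$d" leaf)"
    rm -rf "$d"
}
main
```

Run it with `sh ca-demo.sh`; it prints the CRL and OCSP verdicts once while the leaf is valid and once after revocation. Zipping up the resulting directory (config, root key and certificate, database) is exactly the package the message describes, and `openssl ocsp -index index.txt -CA ca.crt -rsigner ca.crt -rkey ca.key -port 8080` would serve the same database over HTTP for testers who point ocsp.example.test at their own host.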
kuehne --- 09/28/2009 09:44:36 AM ---
Hi Anil,
OK, let's start !
But I consider the point of hosting very important. If we start to set up an infrastructure and build test cases around it, we must be sure that the infrastructure is built to last!
We want to build signatures using the special certificates we talked about, and the tests depend upon the availability of the referenced OCSP / CRL URLs, which must be dependable. That's what makes me nag OASIS / IDTrust about this topic.
If an ad hoc infrastructure provided by some company goes away one day, we're better off having nothing!
Another remark :
According to my understanding there will be a given set of certificates and the related infrastructure. An application that is able to generate arbitrary broken certificates on demand is far beyond my needs. Not sure what other TCs need, but I would like to warn against investing too much effort in a fully dynamic certificate generator.
Greetings
Andreas
----- original message --------
Subject: Re: [idtrust-sc] FW: [dss-x] IDtrust section funding interop ?
Sent: Mon, 21 Sep 2009
From: Anil Saldhana<Anil.Saldhana@redhat.com>
> Hi Andreas,
> this is a good start.
>
> Regarding hosting, we will need a confirmation from Tomas that he will
> be willing to provide an inconsistent CA before we think about hosting.
> This document will help in getting a confirmation from Tomas.
>
> Once the software is ready, we can discuss hosting.
>
> We will need to host it in a single place such that TCs that require
> certificates for testing can use it as well as TCs that require broken
> certificates can also get it from the same hosting location.
>
> At the moment, DSS-X and IMI TC are the only ones that require broken
> certificates. So the requirements have to come from these two TCs.
>
> Regards,
> Anil
>
> kuehne@trustable.de wrote:
> > Hi Dee,
> >
> > sorry that I didn't manage to make it clear :
> >
> > I just proposed something, that I consider useful for trust-related TCs.
> > I don't have any product / system ready.
> > I would like to gather requirements and expertise from the community.
> > One possible solution is 'not to host anything' at OASIS, but have a
> > certain URL from OASIS to a remote URL established.
> >
> > Maybe the topic of hosting is a bit overvalued ...
> >
> > Greetings
> >
> > Andreas
> >
> > ----- original message --------
> >
> > Subject: RE: Re: [idtrust-sc] FW: [dss-x] IDtrust section funding interop ?
> > Sent: Mon, 21 Sep 2009
> > From: Dee Schur<dee.schur@oasis-open.org>
> >
> >
> >> Hi Andreas,
> >> Just to clarify.
> >> If you have some product that you want us to host, you should talk to us
> >> about hosting it and tell us what requirements it has. If you are looking
> >> for us to design something, it's outside of our expertise.
> >> If you can design something for us to host, we can talk to you about what
> >> development/hosting technologies you should use to ensure we'll be able to
> >> host it easily.
> >> I think it is a great idea to pursue this if possible.
> >> Awaiting your response!
> >> Dee
> >>
> >> Dee Schur, Member Support
> >> OASIS: Advancing open standards for the information society
> >> http://www.oasis-open.org
> >> +1.978.667.5115 x211
> >>
> >> -----Original Message-----
> >> From: kuehne@trustable.de [mailto:kuehne@trustable.de]
> >> Sent: Sunday, September 20, 2009 3:21 PM
> >> To: Anil Saldhana; Dee Schur
> >> Cc: 'Idtrust-Sc'
> >> Subject: Re: Re: [idtrust-sc] FW: [dss-x] IDtrust section funding interop ?
> >>
> >> Hi Anil,
> >>
> >> attached you'll find my proposal fleshed with some more details. But
> >> defining a complete test set is a bigger effort. This could be the first
> >> step as proposed in my document.
> >>
> >> Dee, is there a simple way to set up a discussion mailing list ? Starting a
> >> TC would be oversized ...
> >>
> >> Greetings
> >>
> >> Andreas
> >>
> >> ----- original message --------
> >>
> >> Subject: Re: [idtrust-sc] FW: [dss-x] IDtrust section funding interop ?
> >> Sent: Tue, 08 Sep 2009
> >> From: Anil Saldhana<Anil.Saldhana@redhat.com>
> >>
> >>
> >>> Hi Andreas,
> >>> do you have any ideas as to what in the certificates issued by the CA
> >>> needs to be broken, for testing by DSS-X. Is it exceptions, broken
> >>> signatures etc?
> >>>
> >>> I recall from the last IDTrust SC meeting that we had requested the TC
> >>> to come out with a test plan or such. Any information that you provide
> >>> will be useful to pass on to Tomas (ejbCA) to evaluate the possibility
> >>> of providing such a CA.
> >>>
> >>> Regards,
> >>> Anil
> >>>
> >>>
> >>> Anil Saldhana wrote:
> >>>
> >>>> Many TCs will need a PKI server for testing. EKMI is one of them, I
> >>>> guess. Tomas (PrimeKey) agrees with me that we should be able to host
> >>>> a test server, for zero to low cost. The PKI server will do OCSP for
> >>>> you. Tomas is the creator of ejbCA.
> >>>>
> >>>> Dee, the question will be where to host this? Does Oasis have a spare
> >>>> box that is publicly available?
> >>>>
> >>>> Dee Schur wrote:
> >>>>
> >>>>> Hey Andreas,
> >>>>> Can you join the IDtrust meeting on 2 September to discuss your
> >>>>> ideas? See StC comments below.
> >>>>> Best,
> >>>>> Dee