Template Profile

Jens Jensen, STFC RALGridNet2/ UK e-Science CA

OGF22 Boston

The Problem

MINREQ

BestPractice

CA policy

CA practicestatement

CAPRACTICE

Check consistency

New Policies

• Usually written by novice CA mgr– Using bits from other CP/CPSes

• Accentuate the positive– All the good bits get copied around

• Eliminate the negative– All the bad bits get copied around

Problem

• Policies become inconsistent• Don’t satisfy minimal requirements• Need many iterations with reviewer

– Bad for CA manager– Bad for reviewer

Common Examples• RA checking CRL

– 4.5.2 MUST at time of reliance– 4.9.6 MUST at time of reliance– 9.6.4: “according to their satisfaction”

• Email both confidential and not• Flood protection at 1.2 metres on

1st floor

Is it a big problem?

• We already cover half the world• But there is another half

Proposed Solution?• Working group on Template Profile

– Jens, David G, Milan, Anders, Vinod, David O'C, Mike, Sergey, Hardi

• Get the “best” bits from policies• Living document – but needs an

editor• Reviewers best to write/contrib• Become an IGTF document

Status

• …er, not really started yet• Amsterdam meeting Jan 2008

Piecing it together

• Easier to set up new CP/CPS– Too easy?

• Easier to get it right sooner– Often many, many, iterations are

req’d– Greatly delays Accreditation

Operational Reviews

• TAGPMA are leading in this area– Template for operational review– But a reviewer still needs to read the

CP/CPS!!– Quicker if many bits known to be good

• APGridPMA auditing for accreditation– Yoshio’s auditing procedure

Operational Reviews

• Highlight:– Which bits are canonical– Which bits are based on guides– Which bits are changed since

previous version

Piecing it together• Delaying Accreditation is bad

– Reviewers are already overloaded– (Not necessarily with reviews but with real

life jobs)– Time consuming for new CAs

• Get new CAs in early (PMAs)– Not after the policy is written

Pieceing it together

• Not aiming for machine parseable• Or should we?

– (Chadwick, Coghlan/O’Callaghan)

• TAGPMA guide to writing CP/CPS

RFC 3647

What about existing CAs

• Leave alone, for now• Some not satisfying minreqs• Minreqs change, too

– Mythical six months to update

Back on track…?

• Urgent changes - Aggressive option– Do it in six months or else

• Medium urgency– Address with next CP/CPS change– At least before next PMA presentation

• Lower urgency– Discuss at next presentation

Summary

• Template profile– Approved text for sections where it

makes sense– Approved guidelines (cf TAGPMA) for

other sections– Open bits– Get new CAs in early