Re: [pki-testing] Subcommittee start-up

[Arshad Noor <arshad.noor@strongauth.com>]

Sorry to hear about your accident, Paul; that explains why I
hadn't heard from you in a while.  Hopefully, all is well now.

One of the difficulties of inter-operability testing in PKI is
that people have different notions of what it means.  It might
be useful for us to establish an anchor first, so we know what
the basis is.

For example, the DRAFT plan focuses on three capabilities:

1) Signing
2) E-mail
3) E-Commerce

Since #1 is a capability, and #2 & #3 are really applications, it
might be better to redefine the capabilities separately, and then
establish the applications that we want to test interoperability
with.

I propose that we define five (5) capabilities:

1) Signing;
2) Encryption;
3) Certificate-based authentication (which really is a
    derivative of #1, but we'll list it separately anyway);
4) Certificate validation using OCSP;
5) Certificate validation using CRLDP;

Given these capabilities, the 2 most important applications are

a) E-mail
b) E-commerce

While e-mail is simple enough, e-commerce is really a collection
of functions; it may become necessary to zone in on what specific
activities within e-commerce do we want to test the above five
capabilities.  Since I (fortunately, or unfortunately :-)) have
the task of clarifying "e-commerce" as part of the Applications
Guidelines SC, I will take it upon myself to provide more detail
there in a few weeks (I'm out of the office all of next week).

I would recommend that we look at OpenSSL or Mozilla for a vendor-
independent suite of test tools.  Both libraries have the ability
to verify all 5 capabilities (from an RP's perspective), and we
should consider using one or both of these tools.

Arshad Noor
StrongAuth, Inc.



Evans Paul wrote:
> Many apologies to all of you for this late start.  Between an illness,
> recovering from a vehicle accident and catching up with my real job, I
> have found it difficult to start the sub-committee work.
> 
> At this point we have four members:
> - Myself
> - XiaoLi Dong
> - Shivangi Nadkarni
> - Arshad Noor
> 
> I have attached the Draft Implementation Plan for Testing.   Please
> review of our tasks.  We may want to revise the action items and will
> need to change the schedule to reflect our late start.
> 
> Because of the small size of the team, I don't feel it is realistic to
> expect that we are going to develop test suites,  perform testing or
> hold testing events.  The following is a list of items that I think we
> can do:
> - identify and work with organizations that have experience in test
> suite development and testing
> - create a publicly accessible reference source that consolidates the
> work already completed, underway or planned
> - publicize the efforts by those organizations
> 
> I also think we might work some on expanding the team. If you know of
> anyone that might be a good contributor who is employed by an OASIS
> member or is an individual member, please reach out to them and try to
> recruit them.
> 
> You'll find that I am very flexible in how we go forward with our work.
> We can probably do most of our collaboration through this email list.
> Please don't hesitate to request a telephone conference if you would
> like one.  I think I am permitted to use my company's service, so
> arranging one should be pretty easy.
> 
> So let's get started!  I'd like you to share your thoughts with the
> sub-committee within the next week.  I'll be following up on this
> message with some thoughts of my own on the types of testing that we may
> want to consider and to talk about some of the conferences I've attended
> recently about where PKI is headed in the US government.
> 
> Hope to hear from you soon...
> 
> Paul Evans
> Testing Sub-Committee Chair
> 
> 
> 
>