On 11/09/07, at 20h04, Charles Bacon <[EMAIL PROTECTED]> wrote:
> On Sep 10, 2007, at 9:31 AM, Olivier Ricou wrote:
>
> > I think I remember why I made my own scripts to get a CA and keys.
> >
> > Can someone explain to me why we need a CA to make user or host keys?
> >
> > I want grid-cert-request to make the private key and the request,
> > nothing else. I can understand it may help users to get a message
> > about sending the right file to the right mail address, but we
> > should have an option to avoid that.
>
> PKI is based around trust anchors. CAs are these trust anchors. You
> are not just getting keys like you use in SSH. You are getting X.509
> certificates. Certificates are signed by their issuer. The top-level
> issuer is a certificate authority.
>
> Therefore, a CA is required to get user or host certificates.
I agree, but in my mail I never talked about certificates, just keys. A certificate is a key signed by the CA (with its private key), so you need the CA to make the certificates, but not to make your keys. I can imagine my users making their own keys and sending them to the CA for certification (it will be the CA's duty to check that the key belongs to the user; it will be the user's duty to get the CA's public key, and I see no reason why he should get it beforehand).

So I still think there is no reason to force the user to have a CA on his computer to run grid-cert-request (grid-cert-request just makes keys, not certificates; it asks you at the end to send your certificate request to the CA). I agree it can be easier for some users, so I just ask for an option so that I can use grid-cert-request without having a CA on my computer.

Olivier.

PS: Do you like this message from grid-cert-request?

% grid-cert-request -help
Can't find valid CA config files. Please make sure that you have installed and setup a CA setup package.
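The flow Olivier describes above, shown with plain openssl as an added example (this is not code from the thread, from grid-cert-request or from the Globus project, and the directory layout, subject names and function names are made up for illustration): the user generates a private key and a certificate signing request in a directory that contains no CA certificate, CA key or CA configuration at all; a CA is only needed in the separate signing step, and the CA's public certificate is only needed afterwards, to verify the certificate that came back. The CA never sees the private key, so the "does this key belong to this user" check has to be done by the CA from the request and out-of-band identity evidence, exactly as Olivier says.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list message or of
# grid-cert-request. Requires only the openssl command-line tool.
# Directory names, subject names and function names are assumed for
# illustration; they are not Globus conventions.
set -e

# Step 1 (user side): private key + certificate signing request (CSR).
# Nothing in $workdir refers to a CA; the request is self-signed with the
# user's own key, which is all that "openssl req -verify" checks.
make_user_request() {
    workdir=$1
    mkdir -p "$workdir"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$workdir/userkey.pem" 2>/dev/null
    chmod 600 "$workdir/userkey.pem"
    openssl req -new -key "$workdir/userkey.pem" \
        -subj "/O=Grid/OU=example.org/CN=Olivier Ricou" \
        -out "$workdir/usercert_request.pem" 2>/dev/null
    openssl req -in "$workdir/usercert_request.pem" -noout -verify >/dev/null 2>&1
}

# Step 2 (CA side): the trust anchor exists only here. The CA checks the
# request's subject against whatever identity evidence it requires, then
# signs the public key it received. It never handles the private key.
make_ca() {
    cadir=$1
    mkdir -p "$cadir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/O=Grid/CN=Example Grid CA" \
        -keyout "$cadir/cakey.pem" -out "$cadir/cacert.pem" 2>/dev/null
    chmod 600 "$cadir/cakey.pem"
}

sign_request() {
    cadir=$1
    workdir=$2
    openssl x509 -req -in "$workdir/usercert_request.pem" \
        -CA "$cadir/cacert.pem" -CAkey "$cadir/cakey.pem" -CAcreateserial \
        -days 365 -out "$workdir/usercert.pem" 2>/dev/null
}

# Step 3 (user / relying-party side): the CA certificate is needed now,
# to build the chain for the issued certificate, and not before.
verify_cert() {
    cadir=$1
    workdir=$2
    openssl verify -CAfile "$cadir/cacert.pem" "$workdir/usercert.pem" >/dev/null 2>&1
}

# The public key inside the CSR is the one derived from the private key on
# disk; this is the only part of the key pair the CA ever sees.
key_matches_request() {
    workdir=$1
    k=$(openssl pkey -in "$workdir/userkey.pem" -pubout 2>/dev/null)
    r=$(openssl req -in "$workdir/usercert_request.pem" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$r" ]
}

# Usage: the request step runs first, with no CA on hand.
#   tmp=$(mktemp -d)
#   make_user_request "$tmp/user" && make_ca "$tmp/ca" \
#     && sign_request "$tmp/ca" "$tmp/user" && verify_cert "$tmp/ca" "$tmp/user"
```

A certificate signed by a different CA fails verification against the first CA's certificate, which is the whole point of the trust anchor: it is needed to decide whom to trust, not to generate a key pair.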
