For demo sessions and quick certs that obey current guidelines, I
personally use a combination of the following resources. More
advanced ones are available; certainly the best advice for large-scale
grids (as noted by the originator of the message thread) is to use
certificates from CAs that obey current OGF guidelines. These are not
just "rules," but a set of best practices assembled from long working
experience that can help to resolve some of the ambiguities in how to
set up a CA so that the resulting certificates will work well in the
context of grid use and avoid some of the pitfalls along the way.
The CAs that belong to the International Grid Trust Federation (IGTF)
(link: http://www.igtf.net -- note, replaces former URL of http://gridpma.org)
have all agreed to do so. Between them, these CAs cover most of the
globe. If you are working in a large-scale science project, it is
almost certainly possible to build a relationship with an IGTF CA.
This is almost always a better path to follow than running your own
CA. In any case, following the guidelines will save you from many
headaches along the way, gaining you the benefit of much accumulated
experience of others:
Tools:
For demos and quick use generating certificates with a GUI, I
suggest Simple Authority (free for up to 4 users, commercial after
that, can publish to LDAP and generate CRLs, available for Linux, Mac
OS X and Windows):
http://simpleauthority.com/
For more general-purpose use:
OpenCA (robust open source CA software, can require extensive
configuration, used by some IGTF CAs):
http://openca.org
There are many, many others, but the above can solve most of your
"getting started" needs faster than fussing from scratch with
SimpleCA, I think. (Disclaimer: not affiliated with the above
projects, etc.)
If you'd like to find out more:
TACAR (community-run free site secured by a commercial certificate to
provide a secure place to download IGTF and other CA certificates for
use in your browser, etc):
https://www.tacar.org/repos/
IGTF (as described above, an international community of CAs conforming
to published criteria and guidelines):
http://www.igtf.net
(In the Americas: The Americas Grid Policy Management Authority http://tagpma.org)
CA-Ops Work Group
https://forge.gridforum.org/sf/projects/caops-wg
and in particular
https://forge.gridforum.org/sf/go/doc13741
Disclaimer: I am a member of the IGTF and CA-Ops WG and have done work
with TAGPMA. I believe it's the difference between being given a
bunch of parts as opposed to working with a running engine, and
believe that the Globus documentation should be amended to reflect
that fact.
For those who prefer working with non-PKI alternatives, let me point
out that the grid PMAs that comprise the IGTF have extensive
engagement with the non-PKI community, and many of the IGTF CAs
operate accredited Shibboleth-, MyProxy-, and LDAP-interfaced CAs
already with a high degree of functionality. The above links are a
great place to go if you would like to find out more.
Hope this helps,
Alan
On Jul 23, 2008, at 10:00 AM, Charles Bacon wrote:
If you can recommend an alternative that would get new users up and
running in a demo environment, I would love to hear about it. The
problem, to me, looks like a trade-off between users being turned
off because they cannot get the software up and running to play with
it and the problems users face when deciding to stop using simpleCA
and use a real CA. I would much rather get people up and running as
quickly as possible than have them decide not to try it at all
because they do not know how to pick a CA to use or similar problems.
If you look outside of the quickstart, I don't think we mention
SimpleCA very much at all.
Alan Sill, Ph.D
TIGRE Senior Scientist, High Performance Computing Center
Adjunct Professor of Physics
TTU
====================================================================
: Alan Sill, Texas Tech University Office: Admin 233, MS 4-1167 :
: e-mail: [EMAIL PROTECTED] ph. 806-742-4350 fax 806-742-4358 :
====================================================================