On Jul 23, 2008, at 10:43 AM, Von Welch wrote:

I second Charles here. There is a definite need for a method for users to get bootstrapped with X.509 certificates without the whole overhead of a PKI.

We are probably to the point where a MyProxy on-line CA could do this better than SimpleCA (IMHO), but there is some documentation required.

I was willing to write the documentation for the onlineCA for the 4.2 quickstart, but I have the problem that MyProxy won't auto-build with PAM if it is available, so it doesn't make it into our source/binary installers without some tweaking. It has been suggested that I could detect PAM in my top-level configure and then tell MyProxy to build with PAM if I find it, but I obviously didn't get that done for 4.2.0. Is that something you guys might be able to help with? I absolutely love the PAM integration for passwords, it's great for the size/kind of thing the quickstart is aiming for.


Charles



Von

Charles Bacon wrote:
On Jul 23, 2008, at 8:37 AM, Alan Sill wrote:
These observations are correct. For any extended (i.e., non-test) grid with any intention to operate in a CA an accredited manner, however, the use of SimpleCA would not be recommended in any case.

Personally, I wish the Globus team would de-emphasize its inclusion of SimpleCA and decouple it from the Globus documentation.
If you can recommend an alternative that would get new users up and running in a demo environment, I would love to hear about it. The problem, to me, looks like a trade-off between users being turned off because they cannot get the software up and running to play with it and the problems users face when deciding to stop using SimpleCA and use a real CA. I would much rather get people up and running as quickly as possible than have them decide not to try it at all because they do not know how to pick a CA to use or similar problems. If you look outside of the quickstart, I don't think we mention SimpleCA very much at all.
Charles
Alan

On Jul 22, 2008, at 3:53 PM, Joel Schneider wrote:

The following documents contain additional information relevant to this
topic:

http://www.ogf.org/documents/GFD.125.pdf
http://www.eurogrid.org/ca/eurogrid-ca-policy.pdf

The EUROGRID document describes steps taken in November 2002 to
discontinue usage of the "nsCertType" extension, and the OGF document specifies a policy that hash algorithms with known weaknesses, such as
MD5, must not be used in new certificates.

Alan Sill, Ph.D
TIGRE Senior Scientist, High Performance Computing Center
Adjunct Professor of Physics
TTU

====================================================================
:  Alan Sill, Texas Tech University  Office: Admin 233, MS 4-1167  :
:  e-mail: [EMAIL PROTECTED]   ph. 806-742-4350  fax 806-742-4358  :
====================================================================


