We probably need to add some text like this to the quickstart so
people know what to do. For the quickstart, though, I still want it
to be "on rails" - I don't like introducing moments of choice into the
quickstart. Those, to my mind, are a job for the real toolkit
documentation. The quickstart should be a copy-and-pastable guide to
getting a working system up and running. That's my problem with
saying something like "Now go find a CA that will issue credentials to
you, and follow whatever their process is for signing up for those".
Also, I now believe that I don't understand your objections to
SimpleCA in an exact way. What's so different about running
simpleauthority or openca from simpleca? I thought part of your point
was that users should be using 'official' CAs rather than running
their own.
Charles
On Jul 23, 2008, at 10:46 AM, Alan Sill wrote:
For demo sessions and quick certs that obey current guidelines, I
personally use a combination of the following resources. More
advanced ones are available; certainly the best advice for large-scale
grids (as noted by the originator of the message thread) is to
use certificates from CAs that obey current OGF guidelines. These
are not just "rules," but a set of best practices assembled from
long working experience that can help to resolve some of the
ambiguities in how to set up a CA so that the resulting certificates
will work well in the context of grid use and avoid some of the
pitfalls along the way.
The CAs that belong to the International Grid Trust Federation
(IGTF) (link: http://www.igtf.net -- note, replaces former URL of
http://gridpma.org) have all agreed to do so. Between them, these CAs cover most of
the globe. If you are working in a large-scale science project, it
is almost certainly possible to build a relationship with an IGTF
CA. This is almost always a better path to follow than running your
own CA. In any case, following the guidelines will save you from
many headaches along the way, gaining you the benefit of much
accumulated experience of others:
Tools:
For demos and quick use generating certificates with a GUI, I
suggest Simple Authority (free for up to 4 users, commercial after
that, can publish to LDAP and generate CRLs, available for Linux,
Mac OS X and Windows):
http://simpleauthority.com/
For more general-purpose use:
OpenCA (robust open source CA software, can require extensive
configuration, used by some IGTF CAs):
http://openca.org
There are many, many others, but the above can solve most of your
"getting started" needs faster than fussing from scratch with
SimpleCA, I think. (Disclaimer: not affiliated with the above
projects, etc.)
If you'd like to find out more:
TACAR (community-run free site secured by a commercial certificate
to provide a secure place to download IGTF and other CA certificates
for use in your browser, etc):
https://www.tacar.org/repos/
IGTF (as described above, an international community of CAs
conforming to published criteria and guidelines):
http://www.igtf.net
(In the Americas: The Americas Grid Policy Management Authority,
http://tagpma.org)
CA-Ops Work Group
https://forge.gridforum.org/sf/projects/caops-wg
and in particular
https://forge.gridforum.org/sf/go/doc13741
Disclaimer: I am a member of the IGTF and CA-Ops WG and have done
work with TAGPMA. I believe it's the difference between being given
a bunch of parts as opposed to working with a running engine, and
believe that the Globus documentation should be amended to reflect
that fact.
For those who prefer working with non-PKI alternatives, let me point
out that the grid PMAs that comprise the IGTF have extensive
engagement with the non-PKI community, and many of the IGTF CAs
operate accredited Shibboleth-, MyProxy-, and LDAP-interfaced CAs
already with a high degree of functionality. The above links are a
great place to go if you would like to find out more.
Hope this helps,
Alan
On Jul 23, 2008, at 10:00 AM, Charles Bacon wrote:
If you can recommend an alternative that would get new users up and
running in a demo environment, I would love to hear about it. The
problem, to me, looks like a trade-off between users being turned
off because they cannot get the software up and running to play
with it and the problems users face when deciding to stop using
simpleCA and use a real CA. I would much rather get people up and
running as quickly as possible than have them decide not to try it
at all because they do not know how to pick a CA to use or similar
problems.
If you look outside of the quickstart, I don't think we mention
SimpleCA very much at all.
Alan Sill, Ph.D
TIGRE Senior Scientist, High Performance Computing Center
Adjunct Professor of Physics
TTU