On 5/26/11 11:59 AM, Alan Sill wrote:
On May 26, 2011, at 11:51 AM, Lukasz Lacinski wrote:
I would like to issue user credentials using a MyProxy server, MyProxy
CA and PAM. But I would like to avoid adding a certificate of the
MyProxy CA to /etc/grid-security/certificates. I am thinking of taking a
user credential signed by an IGTF-accredited CA (most GridFTP servers
and client machines should trust that) and using this user credential in
MyProxy CA to sign other certificates. Is it possible, that way, to omit
the step of adding the MyProxy CA certificate to
/etc/grid-security/certificates?
No: user certificates do not have the proper X509v3 key usage
extension to allow certificate signing; usually only digital
signature, key encipherment, and data encipherment are enabled.
You can add any CA certificate to your server's certificate area, if
you trust the way that CA is run. If not, you shouldn't be using its
certificates; if so, what is the problem with adding it in?
If someone manages a client grid workstation, users have to ask him to
add a certificate of MyProxy CA they want to use from that workstation.
This is not a scalable solution and becomes a problem if that client
grid workstation offers a widely available web interface to client grid
tools.
Thanks,
Lukasz
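The distinction Alan draws (a CA certificate carries CA:TRUE and keyCertSign, a user certificate carries only digitalSignature/keyEncipherment/dataEncipherment) can be checked with openssl. The script below is an added example, not part of the thread or of MyProxy: it builds one self-signed certificate of each kind in a temp directory with made-up names, then tests each for the two extensions a certificate signer needs.

```sh
# Constructed demo: a CA-style and a user-style self-signed certificate,
# each inspected for the X.509v3 extensions needed to sign other certs.
# Subject names and lifetimes are made up; nothing touches /etc/grid-security.
set -e
WORK=$(mktemp -d)
cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = example
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_user ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment, dataEncipherment
EOF

# make_cert <ext-section> <outfile>: self-signed cert with that extension set
make_cert() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/ext.cnf" -extensions "$1" \
        -keyout "$WORK/$1.key" -out "$2" >/dev/null 2>&1
}

# can_sign_certs <certfile>: succeed only if the certificate is marked as a
# CA (basicConstraints CA:TRUE) and its keyUsage includes keyCertSign, which
# openssl prints as "Certificate Sign". A user cert fails both checks.
can_sign_certs() {
    text=$(openssl x509 -in "$1" -noout -text)
    printf '%s\n' "$text" | grep -q 'CA:TRUE' &&
    printf '%s\n' "$text" | grep -q 'Certificate Sign'
}

make_cert v3_ca "$WORK/ca.pem"
make_cert v3_user "$WORK/user.pem"
for f in ca user; do
    if can_sign_certs "$WORK/$f.pem"; then
        echo "$f.pem: may sign certificates"
    else
        echo "$f.pem: end-entity only, cannot sign certificates"
    fi
done
echo "certificates left in $WORK for inspection with: openssl x509 -text -noout -in <file>"
```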