<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffcc" text="#000000">
Hi Stephen, <br>
<br>
Yes, we should have this conversation. The basic idea is: the fewer
certs, the better. The more security-savvy folks than myself should
feel free to elucidate the finer points. Perhaps the single
subordinate CA can have its cert in a chain downstream from Verisign,
thus allowing the clients (browsers et al.) to verify it
against something like Verisign's cert and the ESGF's 'superior'
CA's cert as well? This makes sense to me but I certainly defer to
the wisdom of those who know more. <br>
<br>
We should not break anyone's system... that is for sure :-).<br>
<br>
On 6/2/11 1:19 AM, <a class="moz-txt-link-abbreviated" href="mailto:stephen.pascoe@stfc.ac.uk">stephen.pascoe@stfc.ac.uk</a> wrote:
<blockquote
cite="mid:4C353E6E4A08AE4792B350DAA392B52119E347@EXCHMBX01.fed.cclrc.ac.uk"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size: 11pt; font-family:
"Calibri","sans-serif"; color: rgb(31,
73, 125);">Hi,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family:
"Calibri","sans-serif"; color: rgb(31,
73, 125);"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family:
"Calibri","sans-serif"; color: rgb(31,
73, 125);">So Gavin, to summarise what I think you've said:
the installer will allow you to use a cert signed by any CA
but you are proposing the ESGF system should use a single
ESGF CA.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family:
"Calibri","sans-serif"; color: rgb(31,
73, 125);"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family:
"Calibri","sans-serif"; color: rgb(31,
73, 125);">How is this going to work for users accessing
over HTTPS? Are we going to require them to install the
ESGF CA in their browser or will the node use a separate
cert for intra-federation communication to that used for
user-facing HTTPS? Can tomcat do that?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family:
"Calibri","sans-serif"; color: rgb(31,
73, 125);"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family:
"Calibri","sans-serif"; color: rgb(31,
73, 125);">Also this idea already excludes the CEDA MyProxy
server which is used for more than just ESGF. I see the
attraction of a single CA but I'm not sure it's going to
work.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family:
"Calibri","sans-serif"; color: rgb(31,
73, 125);"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family:
"Calibri","sans-serif"; color: rgb(31,
73, 125);">Stephen.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family:
"Calibri","sans-serif"; color: rgb(31,
73, 125);"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size: 10.5pt;
font-family: Consolas; color: rgb(31, 73, 125);">---<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size: 10.5pt;
font-family: Consolas; color: rgb(31, 73, 125);">Stephen
Pascoe +44 (0)1235 445980<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size: 10.5pt;
font-family: Consolas; color: rgb(31, 73, 125);">Centre of
Environmental Data Archival<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size: 10.5pt;
font-family: Consolas; color: rgb(31, 73, 125);">STFC
Rutherford Appleton Laboratory, Harwell Oxford, Didcot
OX11 0QX, UK<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size: 11pt; font-family:
"Calibri","sans-serif"; color: rgb(31,
73, 125);"><o:p> </o:p></span></p>
<div>
<div style="border-right: medium none; border-width: 1pt
medium medium; border-style: solid none none; border-color:
rgb(181, 196, 223) -moz-use-text-color -moz-use-text-color;
padding: 3pt 0cm 0cm;">
<p class="MsoNormal"><b><span style="font-size: 10pt;
font-family:
"Tahoma","sans-serif"; color:
windowtext;" lang="EN-US">From:</span></b><span
style="font-size: 10pt; font-family:
"Tahoma","sans-serif"; color:
windowtext;" lang="EN-US"> <a class="moz-txt-link-abbreviated" href="mailto:go-essp-tech-bounces@ucar.edu">go-essp-tech-bounces@ucar.edu</a>
[<a class="moz-txt-link-freetext" href="mailto:go-essp-tech-bounces@ucar.edu">mailto:go-essp-tech-bounces@ucar.edu</a>] <b>On Behalf Of
</b>Gavin M. Bell<br>
<b>Sent:</b> 02 June 2011 01:47<br>
<b>To:</b> Cinquini, Luca (3880)<br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:go-essp-tech@ucar.edu">go-essp-tech@ucar.edu</a>;
<a class="moz-txt-link-abbreviated" href="mailto:esg-node-dev@lists.llnl.gov">esg-node-dev@lists.llnl.gov</a><br>
<b>Subject:</b> Re: [Go-essp-tech] [esg-node-dev] Re:
Question on P2P and signing of registry docs<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hi, <br>
<br>
Dean and Rachana are on the case.<br>
I am sure when they have something they'll let us know.<br>
<br>
As it stands right now... the script generates the CSR that
you can submit to get signed. If you already have a keypair
you can use that and call esg-node --install-keypair and it
will do the right things. So who you use to sign your CSR is
up to you... and as I mentioned if you already have a keypair
you can directly use it. :-). Everyone is free to do as they
wish. :-)<br>
[note: you have to have all the certs in the cert chain if
your CA's cert is in a chain]<br>
<br>
There is no single point of failure in this scenario. The
only thing that matters is that you have your CA's public cert
in your truststore and /etc/grid-security. You don't need to
communicate to the CA at all, you just need them to sign and
provide you their cert. Done.<br>
<br>
Essentially we would be establishing membership (those that
can be authenticated thus trusted to talk to) in a peer2peer
mesh network by the CA that vouches for that network. There
should only be one per mesh. In our case that "one" is ESGF
but there is no barrier to having a peer support one or many
CAs... well, except if you want your clients to use Safari
;-).<br>
<br>
Another note about the installer... the installer under
--install-keypair will take the keypair you give it and
convert and insert it into your keystore as well as
/etc/grid-security... It is the same cert in two formats.
Thus the entire node is represented by one DN that is used for
gridftp and tomcat. The idea there is to minimize the number
of certs you have to manage. Don't confuse this with the
ability to recognize and validate against all the certs you
encounter by putting them in the truststore and
/etc/grid-security/certs.<br>
<br>
P.S.<br>
Pardon, yes I did mean Estani and everyone on the list, etc...
:-) and you.<br>
<br>
On 6/1/11 4:28 PM, Cinquini, Luca (3880) wrote: <o:p></o:p></p>
<p class="MsoNormal">Hi Gavin, <o:p></o:p></p>
<div>
<p class="MsoNormal"><span class="apple-tab-span"> </span>I
think you meant "Estani"...<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Anyway, I like the idea of a single ESGF
CA. Can we make it happen? Maybe at installation time you
can be given the option of generating your own cert (so that
we don't completely make ourselves dependent on a single
point of failure), or have it signed by another CA. What
would be the best location for such a CA - PCMDI or ANL
perhaps?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">thanks, Luca<o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<pre>-- <o:p></o:p></pre>
<pre>Gavin M. Bell<o:p></o:p></pre>
<pre>Lawrence Livermore National Labs<o:p></o:p></pre>
<pre>--<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre> "Never mistake a clear view for a short distance."<o:p></o:p></pre>
<pre> -Paul Saffo<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>(GPG Key - <a moz-do-not-send="true" href="http://rainbow.llnl.gov/dist/keys/gavin.asc">http://rainbow.llnl.gov/dist/keys/gavin.asc</a>)<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre> A796 CE39 9C31 68A4 52A7 1F6B 66B7 B250 21D5 6D3E<o:p></o:p></pre>
</div>
<br>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Gavin M. Bell
Lawrence Livermore National Labs
--
"Never mistake a clear view for a short distance."
         -Paul Saffo
(GPG Key - <a class="moz-txt-link-freetext" href="http://rainbow.llnl.gov/dist/keys/gavin.asc">http://rainbow.llnl.gov/dist/keys/gavin.asc</a>)
A796 CE39 9C31 68A4 52A7 1F6B 66B7 B250 21D5 6D3E
</pre>
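<br>
<p>The chain points raised in the thread above (every cert in the chain has to be present, the CA cert lives in both the Java truststore and /etc/grid-security, and one node credential is kept in two formats) as an added shell example. This is not code from the thread or from the ESGF installer: it builds a throwaway three-tier PKI (root CA, subordinate "ESGF" CA, node cert) in a scratch directory with constructed subject names and a made-up "changeit" password, and assumes an OpenSSL 1.1.0 or newer <code>openssl</code> binary on the PATH.</p>

```sh
#!/bin/sh
# Added demo, not part of the ESGF installer: a constructed three-tier PKI
# (root CA -> subordinate "ESGF" CA -> node cert) built in a scratch directory.
# Subjects, file names and the "changeit" password are made up for the example.
WORK=$(mktemp -d)

# Key pair plus CSR for prefix $1 with subject CN $2 (the CSR is what a node
# operator hands to whichever CA they choose to sign it).
make_csr() {
    openssl req -new -nodes -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2"
}

# Sign CSR $1 with issuer $2 ("self" = self-signed root); extensions given in $3.
sign_cert() {
    printf '%b\n' "$3" > "$WORK/$1.ext"
    if [ "$2" = self ]; then
        openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
            -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem"
    else
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
            -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem"
    fi
}

setup_pki() {
    make_csr root "Demo Root CA" && sign_cert root self \
        'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign'
    make_csr sub "Demo ESGF Subordinate CA" && sign_cert sub root \
        'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign'
    make_csr node "node.example.org" && sign_cert node sub \
        'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:node.example.org'
    # Hash-named copy of the trust anchor, the layout /etc/grid-security/certs uses
    # (Globus additionally expects a <hash>.signing_policy file; omitted here).
    mkdir -p "$WORK/certs"
    cp "$WORK/root.pem" "$WORK/certs/$(openssl x509 -in "$WORK/root.pem" -noout -subject_hash).0"
    # The same node credential as PKCS#12, the format a Java keystore imports,
    # with the subordinate CA bundled so the chain travels with the key pair.
    openssl pkcs12 -export -in "$WORK/node.pem" -inkey "$WORK/node.key" \
        -certfile "$WORK/sub.pem" -name esgf-node -out "$WORK/node.p12" -passout pass:changeit
}

# Trust anchor = root; subordinate CA supplied as an untrusted intermediate.
verify_with_chain() {
    openssl verify -no-CAfile -no-CApath -CAfile "$WORK/root.pem" \
        -untrusted "$WORK/sub.pem" "$WORK/node.pem" >/dev/null 2>&1
}
# Same, but the anchor is looked up in the hash-named directory.
verify_via_capath() {
    openssl verify -no-CAfile -no-CApath -CApath "$WORK/certs" \
        -untrusted "$WORK/sub.pem" "$WORK/node.pem" >/dev/null 2>&1
}
# Subordinate CA cert not supplied anywhere: the chain cannot be built.
verify_missing_intermediate() {
    openssl verify -no-CAfile -no-CApath -CAfile "$WORK/root.pem" \
        "$WORK/node.pem" >/dev/null 2>&1
}
# Trusting only the subordinate CA: OpenSSL still insists on reaching a
# self-signed root unless told that a partial chain is acceptable.
verify_sub_as_anchor() {
    openssl verify -no-CAfile -no-CApath -CAfile "$WORK/sub.pem" \
        "$WORK/node.pem" >/dev/null 2>&1
}
verify_sub_as_anchor_partial() {
    openssl verify -no-CAfile -no-CApath -partial_chain -CAfile "$WORK/sub.pem" \
        "$WORK/node.pem" >/dev/null 2>&1
}
# Number of certificates carried inside the PKCS#12 bundle (node + subordinate).
count_p12_certs() {
    openssl pkcs12 -in "$WORK/node.p12" -passin pass:changeit -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

setup_pki >/dev/null 2>&1
for check in verify_with_chain verify_via_capath verify_missing_intermediate \
             verify_sub_as_anchor verify_sub_as_anchor_partial; do
    if "$check"; then echo "$check: OK"; else echo "$check: rejected"; fi
done
echo "certificates in node.p12: $(count_p12_certs)"
```

<p>Two of the checks are expected to be rejected: the one with no subordinate CA cert available, and the one that trusts the subordinate CA alone without <code>-partial_chain</code>. The second is the caveat for a subordinate ESGF CA chained under a commercial root: OpenSSL-based clients that are given only the subordinate cert as their anchor will not validate peers unless they also hold the root or enable partial-chain verification, so the CA cert distributed to the truststore and /etc/grid-security needs to cover whichever of those the clients actually do.</p>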
</body>
</html>