<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 12 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
span.apple-tab-span
{mso-style-name:apple-tab-span;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="#FFFFCC" lang="EN-GB" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Hi,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">So Gavin, to summarise what I think you've said: the installer will allow you to use a cert signed by any CA but you are proposing the ESGF system should use
a single ESGF CA.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">How is this going to work for users accessing over HTTPS? Are we going to require them to install the ESGF CA in their browser or will the node use a separate
cert for intra-federation communication to that used for user-facing HTTPS? Can tomcat do that?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Also this idea already excludes the CEDA MyProxy server which is used for more than just ESGF. I see the attraction of a single CA but I'm not sure it's
going to work.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Stephen.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:Consolas;color:#1F497D">---<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:Consolas;color:#1F497D">Stephen Pascoe +44 (0)1235 445980<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:Consolas;color:#1F497D">Centre of Environmental Data Archival<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:Consolas;color:#1F497D">STFC Rutherford Appleton Laboratory, Harwell Oxford, Didcot OX11 0QX, UK<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"> go-essp-tech-bounces@ucar.edu
[mailto:go-essp-tech-bounces@ucar.edu] <b>On Behalf Of </b>Gavin M. Bell<br>
<b>Sent:</b> 02 June 2011 01:47<br>
<b>To:</b> Cinquini, Luca (3880)<br>
<b>Cc:</b> go-essp-tech@ucar.edu; esg-node-dev@lists.llnl.gov<br>
<b>Subject:</b> Re: [Go-essp-tech] [esg-node-dev] Re: Question on P2P and signing of registry docs<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hi, <br>
<br>
Dean and Rachana are on the case.<br>
I am sure when they have something they'll let us know.<br>
<br>
As it stands right now... the script generates the CSR that you can submit to get signed. If you already have a keypair you can use that and call esg-node --install-keypair and it will do the right things. So who you use to sign your CSR is up to you... and
as I mentioned if you already have a keypair you can directly use it. :-). Everyone is free to do as they wish. :-)<br>
[note: you have to have all the certs in the cert chain if your CA's cert is in a chain]<br>
<br>
There is no single point of failure in this scenario. The only thing that matters is that you have your CA's public cert in your truststore and /etc/grid-security. You don't need to communicate to the CA at all, you just need them to sign an provide you their
cert. Done.<br>
<br>
Essentially we would be establishing membership (those that can be authenticated thus trusted to talk to) in a peer2peer mesh network by the CA that vouches for that network. There should only be one per mesh. In our case that "one" is ESGF but there is no
barrier to having a peer support one or many CAs... well, except if you want your clients to use Safari ;-).<br>
<br>
Another note about the installer... the installer under --install-keypair will take the keypair you give it and convert and insert it into your keystore as well as /etc/grid-security... It is the same cert in two formats. Thus the entire node is represented
by one DN that is used for gridftp and tomcat. The idea there is to minimize the amount of certs you have to manage. Don't confuse this with the ability to recognize and validate against all the certs you encounter by putting them in the truststore and /etc/grid-security/certs.<br>
<br>
P.S.<br>
Pardon, yes I did mean Estani and everyone on the list, etc... :-) and you.<br>
<br>
On 6/1/11 4:28 PM, Cinquini, Luca (3880) wrote: <o:p></o:p></p>
<p class="MsoNormal">Hi Gavin, <o:p></o:p></p>
<div>
<p class="MsoNormal"><span class="apple-tab-span"> </span>I think you meant "Estani"...<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Anyway, I like the idea of a single ESGF CA. Can we make it happen ? Maybe at installation time you can be given the option of generating your own cert (so that we don't completely make ourselves depending on a single point of failure),
or have it signed by another CA. What would be the best location for such a CA - PCMDI or ANL perhaps ?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">thanks, Luca<o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<pre>-- <o:p></o:p></pre>
<pre>Gavin M. Bell<o:p></o:p></pre>
<pre>Lawrence Livermore National Labs<o:p></o:p></pre>
<pre>--<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre> "Never mistake a clear view for a short distance."<o:p></o:p></pre>
<pre> -Paul Saffo<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>(GPG Key - <a href="http://rainbow.llnl.gov/dist/keys/gavin.asc">http://rainbow.llnl.gov/dist/keys/gavin.asc</a>)<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre> A796 CE39 9C31 68A4 52A7 1F6B 66B7 B250 21D5 6D3E<o:p></o:p></pre>
</div>
<br><p>--
<BR>Scanned by iCritical.
</p>
<br></body>
</html>