<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Hi,<br>
<br>
Why do we have to have only one cert? Why do we have to sign the
registry with tomcat's SSL certificate?<br>
Wouldn't it be much simpler if we leave the SSL alone (everyone does
as it pleases), we add a second p2p network centralized certificate
and we link them both somehow (a service perhaps?) so when doing a
p2p connection via SSL the SSL gets certified by the underlying p2p
certificate (perhaps sent via XMLSec)?<br>
<br>
Does this make sense / seem viable?<br>
<br>
Thanks,<br>
Estani<br>
On 02.06.2011 18:53, Gavin M. Bell wrote:
<blockquote cite="mid:4DE7BFF9.3030406@llnl.gov" type="cite">
Hi Stephen, <br>
<br>
Yes, we should have this conversation. The basic idea is the
fewer certs the better. The more security savvy folks than myself
should feel free to elucidate the finer points. Perhaps the
single subordinate CA can have its cert in a chain downstream from
Verisign, thus allowing the clients (browsers et al.) to verify
it against something like Verisign's cert and the ESGF's
'superior' CA's cert as well? This makes sense to me but I
certainly defer to the wisdom of those who know more. <br>
<br>
We should not break anyone's system... that is for sure :-).<br>
<br>
On 6/2/11 1:19 AM, <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:stephen.pascoe@stfc.ac.uk">stephen.pascoe@stfc.ac.uk</a>
wrote:
<blockquote
cite="mid:4C353E6E4A08AE4792B350DAA392B52119E347@EXCHMBX01.fed.cclrc.ac.uk"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size: 11pt;
font-family: "Calibri","sans-serif";
color: rgb(31, 73, 125);">Hi,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size: 11pt;
font-family: "Calibri","sans-serif";
color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size: 11pt;
font-family: "Calibri","sans-serif";
color: rgb(31, 73, 125);">So Gavin, to summarise what I
think you've said: the installer will allow you to use a
cert signed by any CA but you are proposing the ESGF
system should use a single ESGF CA.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size: 11pt;
font-family: "Calibri","sans-serif";
color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size: 11pt;
font-family: "Calibri","sans-serif";
color: rgb(31, 73, 125);">How is this going to work for
users accessing over HTTPS? Are we going to require them
to install the ESGF CA in their browser or will the node
use a separate cert for intra-federation communication to
that used for user-facing HTTPS? Can tomcat do that?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size: 11pt;
font-family: "Calibri","sans-serif";
color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size: 11pt;
font-family: "Calibri","sans-serif";
color: rgb(31, 73, 125);">Also this idea already excludes
the CEDA MyProxy server which is used for more than just
ESGF. I see the attraction of a single CA but I'm not
sure it's going to work.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size: 11pt;
font-family: "Calibri","sans-serif";
color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size: 11pt;
font-family: "Calibri","sans-serif";
color: rgb(31, 73, 125);">Stephen.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size: 11pt;
font-family: "Calibri","sans-serif";
color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size: 10.5pt;
font-family: Consolas; color: rgb(31, 73, 125);">---<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size: 10.5pt;
font-family: Consolas; color: rgb(31, 73, 125);">Stephen
Pascoe +44 (0)1235 445980<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size: 10.5pt;
font-family: Consolas; color: rgb(31, 73, 125);">Centre
of Environmental Data Archival<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size: 10.5pt;
font-family: Consolas; color: rgb(31, 73, 125);">STFC
Rutherford Appleton Laboratory, Harwell Oxford, Didcot
OX11 0QX, UK<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size: 11pt;
font-family: "Calibri","sans-serif";
color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<div>
<div style="border-width: 1pt medium medium; border-style:
solid none none; border-color: rgb(181, 196, 223)
-moz-use-text-color -moz-use-text-color; padding: 3pt 0cm
0cm;">
<p class="MsoNormal"><b><span style="font-size: 10pt;
font-family:
"Tahoma","sans-serif"; color:
windowtext;" lang="EN-US">From:</span></b><span
style="font-size: 10pt; font-family:
"Tahoma","sans-serif"; color:
windowtext;" lang="EN-US"> <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:go-essp-tech-bounces@ucar.edu">go-essp-tech-bounces@ucar.edu</a>
[<a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="mailto:go-essp-tech-bounces@ucar.edu">mailto:go-essp-tech-bounces@ucar.edu</a>]
<b>On Behalf Of </b>Gavin M. Bell<br>
<b>Sent:</b> 02 June 2011 01:47<br>
<b>To:</b> Cinquini, Luca (3880)<br>
<b>Cc:</b> <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:go-essp-tech@ucar.edu">go-essp-tech@ucar.edu</a>;
<a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:esg-node-dev@lists.llnl.gov">esg-node-dev@lists.llnl.gov</a><br>
<b>Subject:</b> Re: [Go-essp-tech] [esg-node-dev] Re:
Question on P2P and signing of registry docs<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hi, <br>
<br>
Dean and Rachana are on the case.<br>
I am sure when they have something they'll let us know.<br>
<br>
As it stands right now... the script generates the CSR that
you can submit to get signed. If you already have a keypair
you can use that and call esg-node --install-keypair and it
will do the right things. So who you use to sign your CSR
is up to you... and as I mentioned if you already have a
keypair you can directly use it. :-). Everyone is free to
do as they wish. :-)<br>
[note: you have to have all the certs in the cert chain if
your CA's cert is in a chain]<br>
<br>
There is no single point of failure in this scenario. The
only thing that matters is that you have your CA's public
cert in your truststore and /etc/grid-security. You don't
need to communicate to the CA at all, you just need them to
sign and provide you their cert. Done.<br>
<br>
Essentially we would be establishing membership (those that
can be authenticated thus trusted to talk to) in a peer2peer
mesh network by the CA that vouches for that network. There
should only be one per mesh. In our case that "one" is ESGF
but there is no barrier to having a peer support one or many
CAs... well, except if you want your clients to use Safari
;-).<br>
<br>
Another note about the installer... the installer under
--install-keypair will take the keypair you give it and
convert and insert it into your keystore as well as
/etc/grid-security... It is the same cert in two formats.
Thus the entire node is represented by one DN that is used
for gridftp and tomcat. The idea there is to minimize the
amount of certs you have to manage. Don't confuse this with
the ability to recognize and validate against all the certs
you encounter by putting them in the truststore and
/etc/grid-security/certs.<br>
<br>
P.S.<br>
Pardon, yes I did mean Estani and everyone on the list,
etc... :-) and you.<br>
<br>
On 6/1/11 4:28 PM, Cinquini, Luca (3880) wrote: <o:p></o:p></p>
<p class="MsoNormal">Hi Gavin, <o:p></o:p></p>
<div>
<p class="MsoNormal"><span class="apple-tab-span"> </span>I
think you meant "Estani"...<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Anyway, I like the idea of a single
ESGF CA. Can we make it happen? Maybe at installation
time you can be given the option of generating your own
cert (so that we don't completely make ourselves dependent
on a single point of failure), or have it signed by
another CA. What would be the best location for such a CA
- PCMDI or ANL perhaps?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">thanks, Luca<o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<pre>-- <o:p></o:p></pre>
<pre>Gavin M. Bell<o:p></o:p></pre>
<pre>Lawrence Livermore National Labs<o:p></o:p></pre>
<pre>--<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre> "Never mistake a clear view for a short distance."<o:p></o:p></pre>
<pre> -Paul Saffo<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>(GPG Key - <a moz-do-not-send="true" href="http://rainbow.llnl.gov/dist/keys/gavin.asc">http://rainbow.llnl.gov/dist/keys/gavin.asc</a>)<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre> A796 CE39 9C31 68A4 52A7 1F6B 66B7 B250 21D5 6D3E<o:p></o:p></pre>
</div>
<br>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Gavin M. Bell
Lawrence Livermore National Labs
--
"Never mistake a clear view for a short distance."
         -Paul Saffo
(GPG Key - <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://rainbow.llnl.gov/dist/keys/gavin.asc">http://rainbow.llnl.gov/dist/keys/gavin.asc</a>)
A796 CE39 9C31 68A4 52A7 1F6B 66B7 B250 21D5 6D3E
</pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Estanislao Gonzalez
Max-Planck-Institut für Meteorologie (MPI-M)
Deutsches Klimarechenzentrum (DKRZ) - German Climate Computing Centre
Room 108 - Bundesstrasse 45a, D-20146 Hamburg, Germany
Phone: +49 (40) 46 00 94-126
E-Mail: <a class="moz-txt-link-abbreviated" href="mailto:gonzalez@dkrz.de">gonzalez@dkrz.de</a> </pre>
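<p>As an added example (not code from this thread or from the ESGF installer), the script below builds a throwaway root CA, subordinate CA and node certificate with openssl in a temporary directory and checks the two points Gavin makes above: a node cert signed by a subordinate CA only verifies when every cert in the chain is available to the verifier, and one keypair can be held in two formats (PEM, as under /etc/grid-security, and PKCS#12 for a Java keystore). All names (esgf-root, esgf-sub, node.example.org) are made up and the paths are temporary; nothing under /etc/grid-security is touched.</p>

```shell
#!/bin/sh
# Added example, not code from the thread or the ESGF installer. Builds a
# root CA -> subordinate CA -> node cert chain in a temp dir, then shows
# that the node cert verifies only with the whole chain, and exports the
# same key/cert as PKCS#12 for a keystore. All names are made up.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension profiles: CA certs must carry CA:TRUE or verify rejects them.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:node.example.org\n' > "$WORK/leaf.ext"

# issue NAME SIGNER EXTFILE: new key + CSR for NAME, signed by SIGNER.
issue() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$1" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -extfile "$WORK/$3" -out "$WORK/$1.crt" 2>/dev/null
}

build_pki() {
  # Self-signed root ("ESGF superior CA" in the thread's terms).
  openssl genrsa -out "$WORK/esgf-root.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/esgf-root.key" -subj "/CN=esgf-root" -out "$WORK/esgf-root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/esgf-root.csr" -signkey "$WORK/esgf-root.key" \
    -days 30 -extfile "$WORK/ca.ext" -out "$WORK/esgf-root.crt" 2>/dev/null
  issue esgf-sub esgf-root ca.ext     # single subordinate CA
  issue node esgf-sub leaf.ext         # the node's one cert (tomcat + gridftp)
  cp "$WORK/esgf-root.crt" "$WORK/trust-root-only.pem"
  cat "$WORK/esgf-root.crt" "$WORK/esgf-sub.crt" > "$WORK/trust-chain.pem"
}

# verify_node BUNDLE: does node.crt chain up to the trusted bundle?
verify_node() { openssl verify -CAfile "$WORK/$1" "$WORK/node.crt" >/dev/null 2>&1; }

# Returns 0 only if the root alone is NOT enough but the full chain is.
chain_required() {
  if verify_node trust-root-only.pem; then return 1; fi
  verify_node trust-chain.pem
}

# Same key and cert in a second format: PKCS#12 bundle for a Java keystore.
export_keystore() {
  openssl pkcs12 -export -inkey "$WORK/node.key" -in "$WORK/node.crt" \
    -certfile "$WORK/trust-chain.pem" -passout pass:changeit -out "$WORK/node.p12"
  [ -s "$WORK/node.p12" ]
}

build_pki
if chain_required; then echo "node cert verifies only with the full CA chain"; fi
export_keystore && echo "keystore bundle written: $WORK/node.p12"
```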
</body>
</html>