[Go-essp-tech] Call for CA and OpenID Trust root Certificates

Bryan Lawrence bryan.lawrence at stfc.ac.uk
Fri Sep 10 03:52:16 MDT 2010


Hi Folks

I've said the following to many of you, but not all, so maybe it needs
restating:

1) ESG - Earth System Grid (US project)

2) ESGF - International federation of folks delivering CMIP5 using
primarily ESG (but also Metafor & other) software

3) esgf.org was established following the (in)famous gfdl meeting, but
there is a confusion between near term goals associated with 2) above,
and

4) medium term goals associated with maybe doing 2) better, easier,
faster or whatever, and

5) longer term goals.

At the moment we ought to be concentrating on 2).

Some of the material on esgf.org is focused on 4 and 5, and so that's
not helping on clarity of what we need to do now. If putting stuff on
esgf.org helps, then fine ... but make sure it's not accompanied by
material that muddies the water.

Thanks
Bryan


> Hi Stephen,
> 
> I don't think you can put the problem entirely in the GO-ESSP PIs'
> court: esgf.org contributes to the fragmentation because it makes no
> attempt to say what ESGF is ("ESGF is a non-profit organization
> formed by participates in the GO-ESSP collaboration to bring their
> knowledge and experience to bear on critical Earth System
> federations in the dissemination of climate data and related
> products" - from the PCMDI page) or link to associated web-sites.
> Esgf.org might be good as an idea, but as a web site it still has a
> lot of problems.
> 
> It would be useful to have a clear set of requirements. I get the
> impression from Phil that https is more or less essential. The other
> requirement appears to be that people can put stuff there: can we get
> a bit clearer on these requirements?
> 
> Cheers,
> 
> Martin
> 
> 
> 
> 
> 
> From: go-essp-tech-bounces at ucar.edu
> [mailto:go-essp-tech-bounces at ucar.edu] On Behalf Of stephen.pascoe at stfc.ac.uk
> Sent: 10 September 2010 10:00
> To: asim at lbl.gov; gavin at llnl.gov
> Cc: Luca.Cinquini at jpl.nasa.gov; go-essp-tech at ucar.edu
> Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root Certificates
> 
> 
> 
> I know the sudden emergence of esgf.org must be disconcerting to some
> who weren't directly involved in its inception; and I agree that
> governance is a piece of the puzzle we critically need to sort out.
> The ball's in the GO-ESSP PIs' court there.
> 
> However, I just want to stress that the status quo is unsustainable
> and a huge barrier to adoption: information on the ESGF software is
> fragmented throughout a handful of institutional websites with very
> little organisation or cross-linking.  I feel the only solution is
> to manage top-level information from an institution-neutral site,
> which esgf.org is.
> 
> On the specific point of managing trustroots.  I'm not sure why
> reading of the trustroots over HTTP would be a problem.  Updating
> them obviously has to be controlled.  Esgf.org has the technical
> infrastructure through its git repository which I regularly write
> to using an ssh key pair.  Governance could also be enforced by
> having separate update and master branches.  I'm sure Gavin could
> put together a hook to automatically build the keystore.
> 
> However, if ANL are working on an alternative that's great but I
> think it should be at least *linked* from esgf.org.
> 
> Cheers,
> 
> Stephen.
> 
> 
> 
> ---
> 
> Stephen Pascoe  +44 (0)1235 445980
> British Atmospheric Data Centre
> Rutherford Appleton Laboratory
> 
> ________________________________
> 
> From: go-essp-tech-bounces at ucar.edu
> [mailto:go-essp-tech-bounces at ucar.edu] On Behalf Of Alex Sim
> Sent: 09 September 2010 19:11
> To: Gavin M. Bell
> Cc: Cinquini, Luca (3880); go-essp-tech at ucar.edu
> Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root Certificates
> 
> I somewhat agree with Rachana that hosting them on esgf.org is not a
> problem but we need some kind of governance on the info, before
> making them available on the web. This includes policy issues as
> well. One example is how a gateway is decided to be trusted and
> included in the trusted list, as anyone can download and install an
> ESG gateway/MyProxy server and generate a CA.
> 
> -- Alex
> 
> 
> On 9/9/10 10:51 AM, Gavin M. Bell wrote:
> 
> Hi Rachana,
> 
> If we are looking for a place to house this information then, I agree
> with Luca, that esgf.org is available and probably the most amenable
> site for doing so.  At the moment the issue is that Neill would like
> the information hosted behind an https site 'somewhere', under that
> requirement - esgf.org is as good a place as any, IMHO.  Also, we
> can host that information from another server here at LLNL, I am
> thinking the distribution machine here.  In the context of esgf, one
> scenario is that we treat the key storage, management and
> information (web page) in the same way we treat the projects hosted
> there.  This makes it easy to maintain, etc.
> 
> Neill, no worries, we can find a place for you (your stuff... our
> certs).  I guess what would be good to know is, how 'on fire' is
> this request?  I can make the spare cycles to make this happen for
> you, but manage my expectations so I can give this the priority it
> requires.  Is there a due date you have in mind?
> 
> 
> On 9/9/10 7:14 AM, Rachana Ananthakrishnan wrote:
> 
> Hi Luca,
> 
> This is the second time this has been referenced on this mailing list
> - but there has not been any information on how this is governed, or
> how to get access to the site? The site itself doesn't provide much
> information on the intended purpose either. I am fine hosting it
> there, provided we agree on some process for maintaining these, and
> understand ownership when things are moved there.
> 
> Thanks,
> Rachana
> 
> On Sep 9, 2010, at 9:07 AM, Cinquini, Luca (3880) wrote:
> 
> 
> 	Hi Neill,
> 	may I suggest again that this information be placed somewhere in
> 	esgf.org ?
> 	Thxs, luca
> 
> 
> 
> 
> 	On Sep 9, 2010, at 8:01 AM, neillm at mcs.anl.gov wrote:
> 
> 
> 		Hello Estani,
> 
> 		I somehow missed your latest, my apologies.  I'll have those
> 		integrated as well as Stephen's shortly.
> 
> 		We are working on having a central place to store these, but it's
> 		not resolved yet.
> 
> 		The requirement is that it be HTTPS accessible.  If someone has
> 		access to something like that, I'm all for moving the page there.
> 		The document needs to be updated with each certificate that changes
> 		and also the truststore needs to be regenerated, so I don't think
> 		public FTP is the best option.
> 
> 		I do agree that a UofC Wiki is not the ideal final resting place
> 		for this information though.
> 
> 		-Neill.
> 
> 		----- Original Message -----
> 		From: "Estanislao Gonzalez" <estanislao.gonzalez at zmaw.de>
> 		To: "stephen pascoe" <stephen.pascoe at stfc.ac.uk>
> 		Cc: neillm at mcs.anl.gov, go-essp-tech at ucar.edu, "philip kershaw" <philip.kershaw at stfc.ac.uk>
> 		Sent: Thursday, September 9, 2010 8:35:27 AM GMT -06:00 US/Canada Central
> 		Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root Certificates
> 
> 		Hi all,
> 
> 		I see the trusted certificates are quite old. I've already changed
> 		them as requested so that the naming scheme would be more ESG-conform,
> 		but the certificates are still the older ones.
> 
> 		Would it be possible to upload the certificates somewhere? maybe a
> 		pub ftp?
> 		That way we could just upload the certificates if they were changed.
> 		We could later on delete the ones we don't require.
> 
> 
> 		Thanks,
> 		Estani
> 
> 		stephen.pascoe at stfc.ac.uk wrote:
> 
> 			Hi Neill,
> 
> 			Updating our trustroots using your wiki page below I notice that
> 			the esg-truststore.ks file is missing 2 of our certificates that are
> 			in the tarball esg_trusted_certificates-08-24-2010.tar.gz.  These are
> 			cf22df3a.0 and ece35fd4.0
> 
> 			I can guess how this happened.  Phil provided PEM files containing
> 			both the certificate text and BEGIN CERTIFICATE sections.  I've
> 			noticed keytool fails unless PEM files only contain the BEGIN
> 			CERTIFICATE block.
> 
> 			Those using esg-truststore.ks need to import the certificates into
> 			the keystore in order for it to work with BADC.  One possible recipe
> 			is:
> 
> 			$ sed -n '/BEGIN CERT/,/END CERT/ p' esg_trusted_certificates/cf22df3a.0 > cf22df3a_bare.0
> 			$ keytool -import -keystore esg-truststore.ks -alias cf22df3a -file cf22df3a_bare.0
> 			$ sed -n '/BEGIN CERT/,/END CERT/ p' esg_trusted_certificates/ece35fd4.0 > ece35fd4_bare.0
> 			$ keytool -import -keystore esg-truststore.ks -alias ece35fd4 -file ece35fd4_bare.0
> 
> 			I hope this can be reflected in esg-truststore.ks soon.
> 
> 			Cheers,
> 			Stephen.
> 
> 			---
> 			Stephen Pascoe  +44 (0)1235 445980
> 			British Atmospheric Data Centre
> 			Rutherford Appleton Laboratory
> 
> 			-----Original Message-----
> 			From: go-essp-tech-bounces at ucar.edu
> 			[mailto:go-essp-tech-bounces at ucar.edu] On Behalf Of neillm at mcs.anl.gov
> 			Sent: 17 August 2010 22:42
> 			To: go-essp-tech at ucar.edu
> 			Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root Certificates
> 
> 			Hello,
> 
> 			According to the document here:
> 
> 			http://www.ci.uchicago.edu/wiki/bin/view/ESGProject/ESGFederationTrustRoots
> 
> 			PCMDI, NCAR and ORNL still need to update their DNs to something
> 			more official.  This is a CMIP5 blocker as far as I know.
> 
> 			-Neill.
> 
> 			----- Original Message -----
> 			From: "Neill Miller" <neillm at mcs.anl.gov>
> 			To: go-essp-tech at ucar.edu
> 			Sent: Wednesday, August 11, 2010 11:30:30 AM GMT -06:00 US/Canada Central
> 			Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root Certificates
> 
> 			Hello,
> 
> 			Has anyone made any progress on generating new CA certificates
> 			without default simpleCA DNs?  Someone has already sent me new
> 			certificates for their site, so aside from that of course.  Please
> 			let me know, or send me updated certs and I'll get them online as
> 			soon as I can.
> 
> 			thanks,
> 			-Neill.
> 
> 			----- Original Message -----
> 			From: "Neill Miller" <neillm at mcs.anl.gov>
> 			To: asim at lbl.gov
> 			Cc: go-essp-tech at ucar.edu
> 			Sent: Friday, August 6, 2010 11:24:04 AM GMT -06:00 US/Canada Central
> 			Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root Certificates
> 
> 			Hello Alex,
> 
> 			It's a good thing to bring up actually.  Each gateway that runs a
> 			CA gets to more or less specify their DN to be anything they want.
> 			Going forward, it's important to name them something more
> 			appropriate.  I agree that it doesn't look good to have GlobusTest
> 			in the DN as well (as we've discussed this before), so there are at
> 			least 2 options to consider here:
> 
> 			1) Allow everyone to get their gateway working as it is now (since
> 			it's not a functional thing, but a perception/cosmetic issue), or
> 			2) Request that everyone start over with their CAs in order to fix
> 			the DN*.
> 
> 			Maybe Gavin (actually, Eric if I'm following correctly) could
> 			describe how this step is done and whether or not it's automated
> 			away?  If it's automated and hidden from the user in the script,
> 			it's likely even starting over won't change anything for most
> 			people.
> 
> 			*This is something that can be done without replacing the entire
> 			gateway stack.  As a matter of fact, it's just a couple commands
> 			and then tracking the proper certificates from there.  If this
> 			second option is chosen, I can document what each Gateway needs to
> 			do in order to remedy the situation.
> 
> 			But I'd still like to know how this is done at the Gateway install
> 			time so that any NEW gateway installs won't have to do anything
> 			special and will have more valid looking (default) DNs.
> 
> 			Sound reasonable?
> 
> 			-Neill.
> 
> 			----- Original Message -----
> 			From: "Alex Sim" <asim at lbl.gov>
> 			To: neillm at mcs.anl.gov
> 			Cc: go-essp-tech at ucar.edu
> 			Sent: Friday, August 6, 2010 11:04:56 AM GMT -06:00 US/Canada Central
> 			Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root Certificates
> 
> 			I hate to bring this up again, but the DN format has to work out
> 			without GlobusTest in it.
> 
> 			-- Alex
> 
> 
> 			On 8/6/10 8:49 AM, neillm at mcs.anl.gov wrote:
> 
> 				Hello,
> 
> 				Thanks to everyone that has submitted their certificate
> 				information!
> 
> 				At the moment, I have a list of MyProxy and OpenID trusted
> 				certificates listed here:
> 
> 				http://www.ci.uchicago.edu/wiki/bin/view/ESGProject/ESGFederationTrustRoots
> 
> 				While this page is obviously not complete, please verify that the
> 				certificates that you've sent appear in the listings.  I'd like to
> 				know roughly how many more I should be expecting before moving on
> 				to fill in the other details as well, so if you know you haven't
> 				sent yours in yet, please let me know (off-list is fine).
> 
> 
> 				thanks,
> 				-Neill.
> 
> 				----- Original Message -----
> 				From: neillm at mcs.anl.gov
> 				To: go-essp-tech at ucar.edu
> 				Sent: Tuesday, August 3, 2010 10:58:29 AM GMT -06:00 US/Canada Central
> 				Subject: [Go-essp-tech] Call for CA and OpenID Trust root Certificates
> 
> 				Hello,
> 
> 				As discussed on the call just now, I need all OpenID trust root
> 				certificates in addition to the hostname of the machine.
> 
> 				For anyone that has already submitted theirs (i.e. Luca, Phil), if
> 				there are helpful commands that you can share with others, please
> 				do so in follow-up to this.
> 
> 				A helpful page that shows commands for working with your java
> 				key/trust store is here:
> 
> 				http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
> 
> 				I also need everyone managing a MyProxy CA to send me their CA
> 				certificates.  If you're running a MyProxy CA, there are 2 simple
> 				ways to find out which certs are needed (please pick one, not both):
> 
> 				1) Login to the MyProxy CA host and run "ls -al ~/.globus/simpleCA/"
> 				as the user that runs the CA.
> 
> 				In this listing, you'll see a file called
> 				"globus_simple_ca_XXXXXXXX_setup-0.20.tar.gz" where XXXXXXXX is a
> 				hash of the CA certificate.  Please send the files
> 				/etc/grid-security/certificates/XXXXXXXX.0 and
> 				/etc/grid-security/certificates/XXXXXXXX.signing_policy as well as
> 				the hostname of the CA machine.
> 
> 				2) Another method of finding which cert to send is to run the
> 				"grid-default-ca" program:
> 
> 
> 				--------------------------------------------------------------------
> 				$GLOBUS_LOCATION/bin/grid-default-ca
> 
> 				The available CA configurations installed on this host are:
> 
> 				Directory: /etc/grid-security/certificates
> 
> 				1) 0ba75d15 -  /O=Grid/OU=GlobusTest2/OU=simpleCA-vm-125-66.ci.uchicago.edu/CN=Globus Simple CA
> 				2) 1c3f2ca8 -  /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
> 				3) 3de8c5e9 -  /O=Grid/OU=GlobusTest/OU=simpleCA-vm-125-67.ci.uchicago.edu/CN=Globus Simple CA
> 				4) 519bfbae -  /O=Grid/OU=GlobusTest/OU=simpleCA-vm-125-66.ci.uchicago.edu/CN=Globus Simple CA
> 				5) 6349a761 -  /O=DOE Science Grid/OU=Certificate Authorities/CN=Certificate Manager
> 				6) 9388e5cb -  /O=Grid/OU=GlobusTest/OU=simpleCA-pcmdi3.llnl.gov/CN=Globus Simple CA
> 				7) 9d8753eb -  /DC=net/DC=es/OU=Certificate Authorities/OU=DOE Science Grid/CN=pki1
> 				8) d1b603c3 -  /DC=net/DC=ES/O=ESnet/OU=Certificate Authorities/CN=ESnet Root CA 1
> 				9) ecdb249f -  /O=Grid/OU=GlobusTest/OU=simpleCA-esgdev.ci.uchicago.edu/CN=Globus Simple CA
> 
> 				The default CA is: /O=Grid/OU=GlobusTest2/OU=simpleCA-vm-125-66.ci.uchicago.edu/CN=Globus Simple CA
> 
> 				       Location: /etc/grid-security/certificates/0ba75d15.0
> 
> 				Enter the index number of the CA to set as the default [q to quit]
> 				--------------------------------------------------------------------
> 
> 				To avoid changing anything, press "q" to quit.
> 
> 				Near the bottom, we are told which CA is currently our default.
> 				Please send the file located at the listed "Location" in addition
> 				to the XXXXXXXX.signing_policy file located in the same directory.
> 				Please also send the DN listed with that file and the hostname of
> 				the CA machine.
> 
> 				IMPORTANT: For the MyProxy CA certificates, I need both the ".0"
> 				AND the ".signing_policy" files together.  Please also send the
> 				machine's hostname.
> 
> 				-Neill.
> 				_______________________________________________
> 				GO-ESSP-TECH mailing list
> 				GO-ESSP-TECH at ucar.edu
> 				http://*mailman.ucar.edu/mailman/listinfo/go-essp-tech
> 
> 
> 		--
> 		Estanislao Gonzalez
> 
> 		Max-Planck-Institut für Meteorologie (MPI-M)
> 		Deutsches Klimarechenzentrum (DKRZ) - German Climate Computing Centre
> 		Room 108 - Bundesstrasse 45a, D-20146 Hamburg, Germany
> 
> 		Phone:   +49 (40) 46 00 94-126
> 		E-Mail:  estanislao.gonzalez at zmaw.de
> 
> 
> Rachana Ananthakrishnan
> Argonne National Lab | University of Chicago
> 
Bryan Lawrence
Director of Environmental Archival and Associated Research
(NCAS/British Atmospheric Data Centre and NCEO/NERC NEODC)
STFC, Rutherford Appleton Laboratory
Phone +44 1235 445012; Fax ... 5848; 
Web: home.badc.rl.ac.uk/lawrence
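Stephen's recipe in the quoted thread strips the `openssl x509 -text` preamble by hand and then notices by eye that two certificates never made it into esg-truststore.ks. The script below is an added example, not code from the thread or from the ESG project: it normalises PEM files to the bare BEGIN/END block that keytool accepts and compares their fingerprints against the output of `keytool -list -rfc`, so a certificate keytool silently skipped is reported by file name. The sample "certificates" are constructed placeholders (random bytes in PEM armor), not the real cf22df3a/ece35fd4 CA certificates; the file names are the ones Stephen cites.

```python
import base64
import hashlib
import re

# One PEM certificate block. Anything outside it (the "Certificate: ... Data:" text
# that `openssl x509 -text` prints, keytool's "Alias name:" lines) is ignored.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

def pem_blocks(text):
    """Every certificate in `text` as a bare, re-wrapped PEM block, in order found."""
    blocks = []
    for body in PEM_BLOCK.findall(text):
        b64 = "".join(body.split())
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        blocks.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                      + "\n-----END CERTIFICATE-----\n")
    return blocks

def fingerprint(pem_block):
    """SHA-256 fingerprint of the DER bytes, colon-separated as keytool prints it."""
    body = PEM_BLOCK.search(pem_block).group(1)
    der = base64.b64decode("".join(body.split()))
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def missing_from_truststore(cert_files, keytool_rfc_output):
    """cert_files: {file name: file text} for the tarball's XXXXXXXX.0 files.
    keytool_rfc_output: text of `keytool -list -rfc -keystore <store>`.
    Returns file names whose certificate is absent from the truststore, plus any
    file with no PEM block at all (keytool would reject such a file anyway)."""
    trusted = {fingerprint(b) for b in pem_blocks(keytool_rfc_output)}
    missing = []
    for name, text in sorted(cert_files.items()):
        blocks = pem_blocks(text)
        if not blocks or any(fingerprint(b) not in trusted for b in blocks):
            missing.append(name)
    return missing

def _fake_pem(payload):
    """Constructed stand-in for a CA certificate: arbitrary bytes in PEM armor.
    Only the text handling and the fingerprint comparison are exercised by it."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(payload).decode()
            + "\n-----END CERTIFICATE-----\n")

# Constructed sample: cf22df3a.0 carries the `-text` preamble that broke keytool,
# and the truststore listing holds only cf22df3a, so ece35fd4.0 is reported missing.
SAMPLE_CERT_FILES = {
    "cf22df3a.0": "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
                  + _fake_pem(b"constructed CA cert cf22df3a"),
    "ece35fd4.0": _fake_pem(b"constructed CA cert ece35fd4"),
}
SAMPLE_KEYTOOL_RFC = ("Alias name: cf22df3a\nEntry type: trustedCertEntry\n\n"
                      + _fake_pem(b"constructed CA cert cf22df3a"))

if __name__ == "__main__":
    print("missing:", missing_from_truststore(SAMPLE_CERT_FILES, SAMPLE_KEYTOOL_RFC))
```

On a real host, read the tarball's `*.0` files into `cert_files` and feed the captured `keytool -list -rfc` output in as the second argument; the returned names are exactly the files still to run through the sed/keytool recipe.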

