[Go-essp-tech] getting started document -- alternatives to java certificate generation

stephen.pascoe at stfc.ac.uk
Tue Feb 15 09:00:22 MST 2011


Martin,

There is an emerging HTML5 standard for creating a key-value pair from a browser (google "keygen tag"); however, when I looked, support for it was much too patchy amongst the different browsers.  In my view, if we are ever to support credential generation within the browser, that is the way to go.

Stephen.

---
Stephen Pascoe  +44 (0)1235 445980
Centre of Environmental Data Archival
STFC Rutherford Appleton Laboratory, Harwell Oxford, Didcot OX11 0QX, UK


-----Original Message-----
From: go-essp-tech-bounces at ucar.edu [mailto:go-essp-tech-bounces at ucar.edu] On Behalf Of martin.juckes at stfc.ac.uk
Sent: 15 February 2011 15:56
To: estanislao.gonzalez at zmaw.de; Kershaw, Philip (STFC,RAL,SSTD)
Cc: go-essp-tech at ucar.edu
Subject: Re: [Go-essp-tech] getting started document -- alternatives to java certificate generation

Hi Estani, Phil,

Is javascript a viable option for generating the key pair and subsequently signing a certificate? (e.g. http://www-cs-students.stanford.edu/~tjw/jsbn/ -- the demo is very slow for 1024-bit keys, but OK for 512-bit). This would at least allow the private key to be kept on the user's computer.

Cheers,
Martin 

-----Original Message-----
From: go-essp-tech-bounces at ucar.edu [mailto:go-essp-tech-bounces at ucar.edu] On Behalf Of Estanislao Gonzalez
Sent: 15 February 2011 15:43
To: go-essp-tech at ucar.edu
Subject: Re: [Go-essp-tech] getting started document

Hi Phil,

I've been thinking about this myself. There is no general solution, 
though: if the user browses a remote gateway, there's no other way but 
to contact the home gateway to retrieve the certificate.

There's of course the case where the user gets the wget script at 
his/her home gateway (which will indeed be the normal case). In this 
case I see no problem at all. It doesn't even make sense to start 
another tool to contact the myproxy, which in turn accesses the same DB the 
gateway has access to. It is possible to create the certificate directly 
from the DB using java, and a simple servlet can help the user download 
the certificate directly.

I don't see any problem with the private/public key though; the user is 
gathering a proxy (well, actually just a short-term one) certificate not 
a real one. But I might have misunderstood your point.

Thanks,
Estani



On 15.02.2011 16:19, philip.kershaw at stfc.ac.uk wrote:
> Hi Martin,
>
> A question to Phil and perhaps Stephen: if a user has logged in to a gateway to get a wget script, is there any reason the gateway can't give him a certificate as well? Probably not the best time to bring this up, but I don't see why users who have just logged on need to do so again through a java application which has issues with some browsers.
>
> The dry technical answer is that the MyProxy logon step is not just getting a certificate, it is generating a public/private key pair.  The private key should never leave your desktop machine, the public key is sent to the MyProxy server in the logon call so that it can incorporate it in a certificate and return it to you.  To do this all from the Gateway, the key pair would need to be generated on the Gateway side.  This breaks the principles of Public key cryptography: the private key should be generated by the actor that's going to use it - in this case the user and not the Gateway.
>
> Stepping back from this there are a whole range of issues you could discuss!  Depending on the agenda for the call later we could talk about some of these.
>
> Cheers,
> Phil
>
>
>
> From: go-essp-tech-bounces at ucar.edu<mailto:go-essp-tech-bounces at ucar.edu>  [mailto:go-essp-tech-bounces at ucar.edu] On Behalf Of Karl Taylor
> Sent: 15 February 2011 08:07
> To: Pascoe, Stephen (STFC,RAL,SSTD)
> Cc: go-essp-tech at ucar.edu<mailto:go-essp-tech at ucar.edu>
> Subject: Re: [Go-essp-tech] getting started document
>
> Hi Stephen,
>
> Thanks to you and Phil for improving the getting started document. I've accepted all your changes and then made additional revisions, which I hope continue to improve it.  Now it's your turn again.  Of course, it would be great if others might also take a look and comment.
>
> IMPORTANT:  could someone remind me of the phone number and password for the Tuesday telecon?
>
> thanks,
> Karl
>
> On 2/14/11 6:33 AM, stephen.pascoe at stfc.ac.uk<mailto:stephen.pascoe at stfc.ac.uk>  wrote:
> Hi Karl,
>
> I've substantially edited the first few sections of the getting started document and incorporated some earlier edits from Phil.  I don't think we are there yet but I hope I've improved how we explain Gateways and OpenID in steps 1-3.  I will review the download part as soon as I can as: I want to minimise the complexity of explaining the MyProxy service but this will depend on how automatic we can make the wget script.
>
> Thanks,
> Stephen.
>
> ---
> Stephen Pascoe  +44 (0)1235 445980
> Centre of Environmental Data Archival
> STFC Rutherford Appleton Laboratory, Harwell Oxford, Didcot OX11 0QX, UK
>
> From:go-essp-tech-bounces at ucar.edu<mailto:go-essp-tech-bounces at ucar.edu>  [mailto:go-essp-tech-bounces at ucar.edu] On Behalf Of Karl Taylor
> Sent: 01 February 2011 16:50
> To: go-essp-tech at ucar.edu<mailto:go-essp-tech at ucar.edu>
> Subject: [Go-essp-tech] getting started document
>
> Dear all,
>
> I've attached a (rather long) "getting started" document to help new users obtain CMIP5 model output.  The procedure works at least for the old token system.  Could someone read over it and edit it where needed so that it is correct for the new non-token system?  Any suggestions on simplifying it would also be helpful.
>
> thanks,
> Karl
>
> On 1/31/11 5:45 AM, Williams, Dean N. wrote:
> Dear Colleagues,
>
>      We are scheduled to have our regularly scheduled GO-ESSP meeting to discuss the release of our ESG Federated system, which should go live this week (tomorrow)...  Please plan on attending the meeting.... :-)
>
>     (925) 424-8105 access code 305757#
>
> Thanks and best regards,
>      Dean
>
>
> --
> Scanned by iCritical.
>


-- 
Estanislao Gonzalez

Max-Planck-Institut für Meteorologie (MPI-M)
Deutsches Klimarechenzentrum (DKRZ) - German Climate Computing Centre
Room 108 - Bundesstrasse 45a, D-20146 Hamburg, Germany

Phone:   +49 (40) 46 00 94-126
E-Mail:  estanislao.gonzalez at zmaw.de

_______________________________________________
GO-ESSP-TECH mailing list
GO-ESSP-TECH at ucar.edu
http://mailman.ucar.edu/mailman/listinfo/go-essp-tech
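The MyProxy logon step as Phil describes it (key pair generated on the user's side, only the public key sent, a short-term certificate returned), carried through as an added example in Go that is not part of this thread or of any ESG/MyProxy code: the CSR plays the role of the public key sent in the logon call, and the self-signed CA, key sizes and names are constructed for the demo.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // fail fast: setup errors in this offline demo are fatal
	if err != nil {
		panic(err)
	}
	return v
}

// UserCSR is the user role: the key pair is generated here and never leaves the caller;
// only the CSR (public key plus a self-signature made with the private key) is sent out.
func UserCSR(cn string) (*rsa.PrivateKey, []byte) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	return key, must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key))
}

// IssueShortLived is the CA (MyProxy) role: it sees only the CSR, checks its self-signature
// as proof that the requester holds the private key, then signs a short-lived certificate.
func IssueShortLived(csrDER []byte, caKey *rsa.PrivateKey, ca *x509.Certificate, ttl time.Duration) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err // altered in transit or not signed by the key it carries: refuse to issue
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl), KeyUsage: x509.KeyUsageDigitalSignature}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
}

// Logon runs the exchange end to end; the self-signed CA built here stands in for the MyProxy CA (constructed for the demo).
func Logon(cn string) bool {
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour)}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	userKey, csr := UserCSR(cn)
	cert := must(x509.ParseCertificate(must(IssueShortLived(csr, caKey, ca, 12*time.Hour))))
	return cert.CheckSignatureFrom(ca) == nil && userKey.PublicKey.Equal(cert.PublicKey)
}
```

Logon returns true only when the certificate is CA-signed and carries exactly the key the user generated; a CSR whose self-signature fails is refused before any certificate is issued, which is the check a gateway-side issuer would lose if it generated the key pair itself.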