[Go-essp-tech] getting started document -- alternatives to java certificate generation

philip.kershaw at stfc.ac.uk philip.kershaw at stfc.ac.uk
Wed Feb 16 02:03:41 MST 2011


There are some good things to discuss further on this thread but I think
they are beyond the scope of what we can achieve for the immediate
release.  Can we pick this up at a later time?  Thoughts anyone?

Cheers,
Phil

On 15/02/2011 16:00, "Pascoe, Stephen (STFC,RAL,SSTD)"
<stephen.pascoe at stfc.ac.uk> wrote:

>Martin,
>
>There is an emerging HTML5 standard for creating a key-value pair from a
>browser (google "keygen tag") however when I looked support for it was
>much too patchy amongst the different browsers.  In my view if we are
>ever to support credential generation within the browser that is the way
>to go.
>
>Stephen.
>
>---
>Stephen Pascoe  +44 (0)1235 445980
>Centre of Environmental Data Archival
>STFC Rutherford Appleton Laboratory, Harwell Oxford, Didcot OX11 0QX, UK
>
>
>-----Original Message-----
>From: go-essp-tech-bounces at ucar.edu
>[mailto:go-essp-tech-bounces at ucar.edu] On Behalf Of
>martin.juckes at stfc.ac.uk
>Sent: 15 February 2011 15:56
>To: estanislao.gonzalez at zmaw.de; Kershaw, Philip (STFC,RAL,SSTD)
>Cc: go-essp-tech at ucar.edu
>Subject: Re: [Go-essp-tech] getting started document -- alternatives to
>java certificate generation
>
>Hi Estani, Phil,
>
>Is javascript a viable option for generating the key pair and
>subsequently signing a certificate? (e.g.
>http://www-cs-students.stanford.edu/~tjw/jsbn/ -- the demo is very slow
>for 1024 bit keys, but OK for 512 bit). This would at least allow the
>private key to be kept on the user's computer.
>
>Cheers,
>Martin 
>
>-----Original Message-----
>From: go-essp-tech-bounces at ucar.edu
>[mailto:go-essp-tech-bounces at ucar.edu] On Behalf Of Estanislao Gonzalez
>Sent: 15 February 2011 15:43
>To: go-essp-tech at ucar.edu
>Subject: Re: [Go-essp-tech] getting started document
>
>Hi Phil,
>
>I've been thinking about this myself. There is no general solution
>though, if the user browses a remote gateway, there's no other way but
>to contact the home gateway to retrieve the certificate.
>
>There's of course the case where the user gets the wget script at
>his/her home gateway (which will indeed be the normal case). In this
>case I see no problem at all. It doesn't even make sense to start
>another tool to contact the myproxy which in turn accesses the same DB the
>gateway has access to. It is possible to create the certificate directly
>from the DB using java and a simple servlet can help the user download
>the certificate directly.
>
>I don't see any problem with the private/public key though; the user is
>gathering a proxy (well, actually just a short-term one) certificate not
>a real one. But I might have misunderstood your point.
>
>Thanks,
>Estani
>
>
>
>Am 15.02.2011 16:19, schrieb philip.kershaw at stfc.ac.uk:
>> Hi Martin,
>>
>> A question to Phil and perhaps Stephen: if a user has logged in to a
>>gateway to get a wget script, is there any reason the gateway can't give
>>him a certificate as well? Probably not the best time to bring this up,
>>but I don't see why users who have just logged on need to do so again
>>through a java application which has issues with some browsers.
>>
>> The dry technical answer is that the MyProxy logon step is not just
>>getting a certificate, it is generating a public/private key pair.  The
>>private key should never leave your desktop machine, the public key is
>>sent to the MyProxy server in the logon call so that it can incorporate
>>it in a certificate and return it to you.  To do this all from the
>>Gateway, the key pair would need to be generated on the Gateway side.
>>This breaks the principles of Public key cryptography: the private key
>>should be generated by the actor that's going to use it - in this case
>>the user and not the Gateway.
>>
>> Stepping back from this there are a whole range of issues you could
>>discuss!  Depending on the agenda for the call later we could talk about
>>some of these.
>>
>> Cheers,
>> Phil
>>
>>
>>
>> From: go-essp-tech-bounces at ucar.edu
>>[mailto:go-essp-tech-bounces at ucar.edu] On Behalf Of Karl Taylor
>> Sent: 15 February 2011 08:07
>> To: Pascoe, Stephen (STFC,RAL,SSTD)
>> Cc: go-essp-tech at ucar.edu
>> Subject: Re: [Go-essp-tech] getting started document
>>
>> Hi Stephen,
>>
>> Thanks to you and Phil for improving the getting started document. I've
>>accepted all your changes and then made additional revisions, which I
>>hope continue to improve it.  Now it's your turn again.  Of course, it
>>would be great if others might also take a look and comment.
>>
>> IMPORTANT:  could someone remind me of the phone number and password
>>for the Tuesday telecon?
>>
>> thanks,
>> Karl
>>
>> On 2/14/11 6:33 AM,
>>stephen.pascoe at stfc.ac.uk wrote:
>> Hi Karl,
>>
>> I've substantially edited the first few sections of the getting started
>>document and incorporated some earlier edits from Phil.  I don't think
>>we are there yet but I hope I've improved how we explain Gateways and
>>OpenID in steps 1-3.  I will review the download part as soon as I can:
>>I want to minimise the complexity of explaining the MyProxy service,
>>but this will depend on how automatic we can make the wget script.
>>
>> Thanks,
>> Stephen.
>>
>> ---
>> Stephen Pascoe  +44 (0)1235 445980
>> Centre of Environmental Data Archival
>> STFC Rutherford Appleton Laboratory, Harwell Oxford, Didcot OX11 0QX, UK
>>
>> 
>> From: go-essp-tech-bounces at ucar.edu
>> [mailto:go-essp-tech-bounces at ucar.edu] On Behalf Of Karl Taylor
>> Sent: 01 February 2011 16:50
>> To: go-essp-tech at ucar.edu
>> Subject: [Go-essp-tech] getting started document
>>
>> Dear all,
>>
>> I've attached a (rather long) "getting started" document to help new
>>users obtain CMIP5 model output.  The procedure works at least for the
>>old token system.  Could someone read over it and edit it where needed
>>so that it is correct for the new non-token system?  Any suggestions on
>>simplifying it would also be helpful.
>>
>> thanks,
>> Karl
>>
>> On 1/31/11 5:45 AM, Williams, Dean N. wrote:
>> Dear Colleagues,
>>
>>      We are scheduled to have our regularly scheduled GO-ESSP meeting
>>to discuss the release of our ESG Federated system, which should go live
>>this week (tomorrow)...  Please plan on attending the meeting.... :-)
>>
>>     (925) 424-8105 access code 305757#
>>
>> Thanks and best regards,
>>      Dean
>>
>>
>> --
>> Scanned by iCritical.
>>
>
>
>-- 
>Estanislao Gonzalez
>
>Max-Planck-Institut für Meteorologie (MPI-M)
>Deutsches Klimarechenzentrum (DKRZ) - German Climate Computing Centre
>Room 108 - Bundesstrasse 45a, D-20146 Hamburg, Germany
>
>Phone:   +49 (40) 46 00 94-126
>E-Mail:  estanislao.gonzalez at zmaw.de
>
>_______________________________________________
>GO-ESSP-TECH mailing list
>GO-ESSP-TECH at ucar.edu
>http://mailman.ucar.edu/mailman/listinfo/go-essp-tech

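The logon exchange Phil describes above, as an added example that is not part of this thread, of the ESG gateway or of MyProxy: the key pair is generated on the user's side, only a certificate signing request carrying the public key is sent, the server checks the request's self-signature before issuing a short-lived certificate, and the client refuses a certificate that does not carry its own key. It is in Go because the standard library covers key generation, CSRs and X.509 issuance with no outside dependencies. The function names, the "Demo MyProxy CA" identity, the 2048-bit keys and the one-day CA lifetime are assumptions made for the demo; the in-process CA stands in for the MyProxy server's signing key and says nothing about how MyProxy itself is implemented.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// NewClientCSR runs on the user's machine: it generates the key pair there and
// returns the private key (never serialised or sent) plus a DER CSR that
// carries only the public key and a self-signature proving possession of it.
func NewClientCSR(commonName string) (*rsa.PrivateKey, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, tmpl, priv)
	if err != nil {
		return nil, nil, err
	}
	return priv, csrDER, nil
}

// CA stands in for the MyProxy server's signing identity (a demo construct;
// the real signing key lives inside the MyProxy service).
type CA struct {
	Cert *x509.Certificate
	Key  *rsa.PrivateKey
}

// NewCA creates a self-signed demo CA valid for one day.
func NewCA() (*CA, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo MyProxy CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &CA{Cert: cert, Key: key}, err
}

// Issue is the server side of the logon call: verify the CSR's
// proof-of-possession signature, then bind the client's public key into a
// short-lived client-auth certificate. Only the CA's own private key is used.
func (ca *CA) Issue(csrDER []byte, lifetime time.Duration) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR not signed by the key it contains: %w", err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.Key)
}

// ClientAccept is the client's check on the reply: the certificate must chain
// to the CA the client trusts and must contain the client's own public key.
func ClientAccept(priv *rsa.PrivateKey, certDER []byte, trusted *x509.Certificate) (*x509.Certificate, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); !ok || !pub.Equal(&priv.PublicKey) {
		return nil, errors.New("certificate does not carry the client's public key")
	}
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return cert, err
}
```

Call order is NewCA (server side), NewClientCSR (client), CA.Issue on the CSR bytes (server), then ClientAccept on the returned certificate bytes (client); only those two byte slices cross the client/server boundary. That is the difference between this and having the gateway mint the certificate itself: a short lifetime, as Estani notes, limits the damage window, but a gateway that generated the pair would still have held, and had to transmit, the private key.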

