[Go-essp-tech] [esg-node-dev] Re: Question on P2P and signing of registry docs

Gavin M. Bell gavin at llnl.gov
Wed Jun 1 18:46:34 MDT 2011


Hi,

Dean and Rachana are on the case.
I am sure when they have something they'll let us know.

As it stands right now... the script generates the CSR that you can
submit to get signed.  If you already have a keypair you can use that
and call esg-node --install-keypair and it will do the right things.  So
who you use to sign your CSR is up to you... and as I mentioned if you
already have a keypair you can directly use it. :-).  Everyone is free
to do as they wish. :-)
[note: you have to have all the certs in the cert chain if your CA's
cert is in a chain]

There is no single point of failure in this scenario.  The only thing
that matters is that you have your CA's public cert in your truststore
and /etc/grid-security.  You don't need to communicate to the CA at all,
you just need them to sign and provide you their cert.  Done.

Essentially we would be establishing membership (those that can be
authenticated thus trusted to talk to) in a peer2peer mesh network by
the CA that vouches for that network.  There should only be one per
mesh.  In our case that "one" is ESGF but there is no barrier to having
a peer support one or many CAs... well, except if you want your clients
to use Safari ;-).

Another note about the installer... the installer under
--install-keypair will take the keypair you give it and convert and
insert it into your keystore as well as /etc/grid-security... It is the
same cert in two formats.  Thus the entire node is represented by one DN
that is used for gridftp and tomcat.  The idea there is to minimize the
amount of certs you have to manage.  Don't confuse this with the ability
to recognize and validate against all the certs you encounter by putting
them in the truststore and /etc/grid-security/certs.

P.S.
Pardon, yes I did mean Estani and everyone on the list, etc... :-) and you.

On 6/1/11 4:28 PM, Cinquini, Luca (3880) wrote:
> Hi Gavin,
> I think you meant "Estani"...
> Anyway, I like the idea of a single ESGF CA. Can we make it happen ?
> Maybe at installation time you can be given the option of generating
> your own cert (so that we don't completely make ourselves depending on
> a single point of failure), or have it signed by another CA. What
> would be the best location for such a CA - PCMDI or ANL perhaps ?
> thanks, Luca

-- 
Gavin M. Bell
Lawrence Livermore National Labs
--

 "Never mistake a clear view for a short distance."
                       -Paul Saffo

(GPG Key - http://rainbow.llnl.gov/dist/keys/gavin.asc)

 A796 CE39 9C31 68A4 52A7  1F6B 66B7 B250 21D5 6D3E
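The setup Gavin describes (node keypair and CSR, the CA cert dropped into the trust store, one keypair in PEM and keystore form, and the bracketed note that the full chain must be present) as an added shell walk-through using plain openssl; this is not esg-node's own code. It assumes a temp directory standing in for /etc/grid-security, and the mesh name, node name and keystore password are constructed for the demo.

```shell
#!/bin/sh
# Added example, not esg-node's own code: rebuilds with plain openssl the trust
# layout the message describes, in a temp dir that stands in for /etc/grid-security.
# All names (DemoMesh, node1.example.org, changeit) are constructed for the demo.
set -eu
WORK=$(mktemp -d)
TRUST="$WORK/grid-security/certs"           # stands in for /etc/grid-security/certs
mkdir -p "$TRUST"
req() { openssl req -newkey rsa:2048 -nodes -subj "$1" -keyout "$2" -out "$3" 2>/dev/null; }

# 1. The per-mesh root CA, plus an intermediate: the "CA's cert is in a chain" case.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/O=DemoMesh/CN=Mesh Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.ext"
req "/O=DemoMesh/CN=Mesh Issuing CA" "$WORK/inter.key" "$WORK/inter.csr"
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null

# 2. The node keypair and CSR (what the installer generates for you to submit),
#    signed here by the intermediate.
req "/O=DemoMesh/CN=node1.example.org" "$WORK/node.key" "$WORK/node.csr"
openssl x509 -req -in "$WORK/node.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 1 -out "$WORK/node.pem" 2>/dev/null

# 3. Trust a CA the grid-security way: copy it to <subject_hash>.0 in the certs dir.
install_ca() { cp "$1" "$2/$(openssl x509 -in "$1" -noout -subject_hash).0"; }

# 4. One keypair, two formats: PEM for gridftp, PKCS#12 for import into the Java
#    keystore Tomcat reads, so the whole node carries a single DN.
openssl pkcs12 -export -inkey "$WORK/node.key" -in "$WORK/node.pem" \
    -certfile "$WORK/inter.pem" -passout pass:changeit -out "$WORK/node.p12"

# 5. The check a node should pass before joining: echoes 0 if the cert chains to
#    the trust dir, 1 otherwise (openssl needs the full chain up to the root there).
verify_against_trust_dir() {
    if openssl verify -CApath "$2" "$1" >/dev/null 2>&1; then echo 0; else echo 1; fi
}

# Only the intermediate installed: the chain is incomplete and the node is rejected.
install_ca "$WORK/inter.pem" "$TRUST"
INCOMPLETE=$(verify_against_trust_dir "$WORK/node.pem" "$TRUST")
# Root added as well: the whole chain is present and the node verifies.
install_ca "$WORK/root.pem" "$TRUST"
COMPLETE=$(verify_against_trust_dir "$WORK/node.pem" "$TRUST")
echo "intermediate only: $INCOMPLETE, full chain: $COMPLETE"   # prints 1 then 0
```

Installing the issuing CA alone is exactly the incomplete-chain mistake the note in the message warns about; the verify step fails until the root is in the certs directory too.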
