Alessandra Forti wrote on 23 June 2006 13:12:
> Hi Paul,
Hi Paul, Alessandra, *,
Sorry about delay; just picked up the thread now. Some background
- and foreground - information.
>
> changing the CN in a host certificate shouldn't interrupt the service in
> itself. However to do this you can't renew the certificate you will
> have to ask for a new one and at this point I don't know if you have to
> invalidate the old one leaving a time gap between the old one being
> invalidated and the new one being issued.
1. The client MUST check the host's network identity - which is really
the only purpose of the host certificate - host authentication.
2. Proper clients SHOULD test the subject alternative name extension,
which for all Grid CAs contains the fully qualified name of the
server in question (more precisely, _a_ fully qualified name of the
server; doesn't have to be canonical).
3. Some clients MAY check the CN in the certificate to validate the
host's identiy. This is pretty much unheard of now -- it's
considered deprecated for normal SSL/TLS stuff and everybody uses
the alternative name.
Except Globus brought it back in when they stuck the service name
into the CN.
There is really no value otherwise in having the FQDN or any other
meaningful name in the DN. Of a host.
4. Host certificates have client bits in them so they "know" how to
renew themselves.
5. Regardless of whether you request a new one or renew the
certificate, it is permitted (indeed encouraged) to have an overlap
between the old certificate and the new one. Which is why we warn
people 30 days in advance.
There is also a delay between the request and the certificate being
issued and installed - although it can be as less than an hour
(theoretically!), it is often a day or two. Recommended not to
leave it to the last minute.
When we roll over the root key this July, the issuing authority
(the part of the CA that does the actual signing) should have a
(slightly) faster signing turnaround thanks to a totally cunning
new hardware infrastructure.
More news at GridPP where for once I got a slot for the CA.
>
> It would be better to put a list e-mail rather than a personal one to
> avoid these problems in the future.
Yes. More precisely, use a personal address as a contact address for
the CA but leave a generic one in the request - one that will always
reach a responsible administrator for the host in question.
You are allowed to use a personal one (as long as it's your own) if
you think that is better.
I did ponder whether we could have "renewals" where the email address
part of the DN changes - it is technically possible but I decided
against it: someone who steals the credentials can then change the
address in the renewal and revoke the old one. Also it is technically
not really a renewal so we would have more explaining to do why other
sites should trust those renewed certificates.
Cheers,
--jens
PS. And for the interested and the nitpickers out there, it's really
a rekey and not renewal. So don't write in, OK.
>
> cheers
> alessandra
>
> Paul Trepka wrote:
>> Hi,
>>
>> Due to expiration of the currently deployed hosts certificate
>> which exactly begun with an CN, and in the further came with an different
>> CN, can it exactly interrupt the service ?
>>
>> However, can I set the 'emailAddress' as a multiple/list e-mail ?
>> or it have to be issued directly to the only one person ?
>>
>>
>> Thanks
>>
>> Cheers
>> Paul
>>
>>
>> On Thu, 22 Jun 2006, Olivier van der Aa wrote:
>>> Coles, J (Jeremy) wrote:
>>>> David
>>>>
>>>> Has this got anywhere yet? I mail to the list in case other people were
>>>> following it or have suggestions.
>>> I see that the STAR-UKILT2ICHEP channel is configured with 5 files in
>>> parallel while the RALLCG2-UKILT2ICHEP is configured with 9. I doubt
>>> this would make such a huge difference but I have configured that star
>>> with 9 parallel files.
>>>
>>> Cheers, Olivier.
>>>
>>>> Jeremy
>>>>
>>>>> -----Original Message-----
>>>>> From: Testbed Support for GridPP member institutes [mailto:TB-
>>>>> [log in to unmask]] On Behalf Of Dr D J Colling
>>>>> Sent: 19 June 2006 19:30
>>>>> To: [log in to unmask]
>>>>> Subject: Re: FTS transfers ...
>>>>>
>>>>> Hi Matt,
>>>>>
>>>>> {at 14.21 Matt wrote
>>>>>
>>>>> I made the switch for STAR-UKILT2ICHEP from urlcopy to srmcopy a few
>>>>> minutes ago.
>>>>> }
>>>>>
>>>>> Thanks for this. Unfortunately it seems to have made no difference.
>>>> We
>>>>> supposedly have 2 active transfers (not sure why it is 2 not 4 as it
>>>> was
>>>>> earlier) but nothing is flowing (really nothing). As can be seen at
>>>>>
>>>>> http://www.hep.ph.ic.ac.uk/~collngdj/phedex/phedex_17_06_06b.bmp
>>>>>
>>>>> Any advice?
>>>>>
>>>>> All the best,
>>>>> david
>>>
>>>
>>
>
> --
> *******************************************
> * Dr Alessandra Forti *
> * Technical Coordinator - NorthGrid Tier2 *
> * http://www.hep.man.ac.uk/u/aforti *
> *******************************************
>
|