It has been confirmed that SAM tests have updated the CA certificates by
2008-05-19 11:57. Sites still failed SAM tests after upgrading? OSCT-DC will
follow the standard procedure to verify the release of new CA distribution.
Cheers,
Mingchao
> -----Original Message-----
> From: Testbed Support for GridPP member institutes
> [mailto:[log in to unmask]] On Behalf Of Jensen, J (Jens)
> Sent: Monday, May 19, 2008 6:20 PM
> To: [log in to unmask]
> Subject: Re: New LCG CA release 1.21: breaks site
>
> Yves Coppens wrote:
> > The problem with this is that all jobs submitted from non-updated UI
> > will fail. Bristol started failing SAM tests...
> >
> > What is the depth of the CA verification chain of various grid
> > services?
> > I would have naively thought that if the CA root were compromised and
> > a new root CA issued, then the whole CA verification chain would
> > fail?
>
> Hmm, perhaps SAM and sites need to be updated in step too,
> although I wouldn't have thought so (I know of the Mozilla
> NSS bug which requires in-step update), and I would have
> thought the test would have caught it should it be required.
> The IGTF release went out sooner than I had expected (I ran
> _my_ tests on Saturday, but the IGTF release went out
> Friday), but I was told it successfully passed the PPS test
> (or whatever it's called). I know of one problem (since
> fixed) it should have caught but didn't.
>
> Incidentally, the key was flagged as vulnerable, not (AFAIK)
> compromised.
>
> Sadly, breakage is considered a feature. What should happen
> is that SAM upgrades, and flags sites that haven't as failing
> the CA test (but ideally no other test).
>
> However, it is apparently considered "acceptable" if other
> things break by *not* upgrading because the theory is then
> that sites are "encouraged" to upgrade. Of course you should
> not break things by upgrading. Perhaps we need to review the
> procedures with OSCT.
>
> If SAM has not upgraded, there is an additional question why
> not. I notice the release was flagged urgent.
>
> My apologies if upgrading the IGTF release causes you to fail
> SAM tests, it definitely shouldn't. I will follow up and try
> to figure out why.
> Perhaps Mingchao can follow up with OSCT?
>
> --jens
>