Do we know of any software which is sensitive to the VOMS certificate?
> -----Original Message-----
> From: Testbed Support for GridPP member institutes
> [mailto:[log in to unmask]] On Behalf Of Jensen, J (Jens)
> Sent: 24 July 2008 09:03
> To: [log in to unmask]
> Subject: Re: Finalising UK CA rollover
>
> Just to follow up from this!
>
> It turns out Sergey is using a certificate which is different
> from the one I had re-signed. His certificate is number
> 0x4026 and it is not affected by finalising the rollover.
>
> The certificate I had reissued was to a slightly different name:
> host/voms.gridpp.ac.uk, the one that Sergey is using is
> voms.gridpp.ac.uk, hence the confusion.
>
> So there is nothing wrong with the current VOMS certificate (0x4026).
>
> Many apologies for the confusion.
>
> --jens
>
> Jensen, J (Jens) wrote:
> > Ah, so you expect them to still depend on the certificate itself
> > rather than the DN. Good point, that will need updating.
> >
> > For everyone out there, the VOMS certificate is available here:
> > http://ca.grid-support.ac.uk/pub/rollover/certs/5530.pem
> >
> > I am fairly confident that the whole scheme will work and also that it
> > will be worth the effort, although given past experience some things
> > will break, as they somehow always do, despite all the efforts to
> > prevent breakage. There has been a lot of testing behind this.
> >
> > Thanks for pointing it out - can people who depend on the VOMS server
> > certificate please ensure they have the above certificate installed?
> >
> > Thanks
> > --jens
> >
> > Alessandra Forti wrote:
> >> Hi Jens,
> >>
> >> we received a certificate also for the VOMS server. I suspect that
> >> this might affect users using the GridPP VOMS, depending on how the
> >> UIs and various services used are configured. We'll have to test it...
> >>
> >> cheers
> >> alessandra
> >>
> >> Jensen, J (Jens) wrote:
> >>> Dear all,
> >>>
> >>> As some of you may have heard, we are finally getting round to closing
> >>> down the old CA hierarchy (the one where an encrypted copy of the
> >>> root's private key mysteriously went walkabout).
> >>>
> >>> Most users have long been moved over, for the remaining ones we
> >>> decided to try out a new method: re-signing certificates under the
> >>> new key pair.
> >>>
> >>> This method could make people's lives easier in the future because
> >>> we can to a larger extent automate the process, like a certificate
> >>> "subscription" - you simply get a new one when you need it. (RA
> >>> will still be involved but I want to disassociate the RA approval
> >>> step from the issuance step further.)
> >>>
> >>> My hidden agenda is to make the CA better able to scale to handling
> >>> the large numbers of requests it's handling. This will have to be
> >>> done in steps to avoid disrupting normal services.
> >>>
> >>> For more information about the current process, please refer to the
> >>> following page:
> >>> http://www.grid-support.ac.uk/content/view/399/1/
> >>>
> >>> The users who have been "volunteered" for the trial have already
> >>> been contacted (apart from some for whom the signing failed, they
> >>> should receive theirs later today.) If you haven't been
> >>> "volunteered", you don't need to do anything, the old certificates
> >>> will automatically drop out of the distribution at the next release.
> >>>
> >>> The only gotcha is a bug in IE which I have one report about so far.
> >>> For users with personal certificates in IE, they may have to do an
> >>> old-fashioned renewal. If I can replicate the bug, I will file a
> >>> bug report with MS.
> >>>
> >>> Cheers
> >>> --jens
> >>>
>
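
The point raised in the quoted thread, that software depending on the certificate itself is affected by re-signing while software depending on the DN is not, shown as an added example that is not part of the original messages. The CA names, host name and serial numbers are constructed, it assumes re-signing keeps the subject's key and DN and changes only the issuer, and it needs the openssl CLI.

```shell
#!/bin/sh
# Added illustration; all names and serials below are constructed.
# Assumption: "re-signing" keeps the subject DN and public key and only
# changes the issuing CA, so the certificate bytes (and any pinned
# fingerprint) change while the DN stays the same.

resign_demo() {
    d=$(mktemp -d) || return 1
    subj="/O=Example Grid/CN=voms.example.org"

    # Two self-signed CAs standing in for the old and new hierarchies.
    for ca in old new; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/O=Example Grid/CN=Example $ca CA" \
            -keyout "$d/$ca-ca.key" -out "$d/$ca-ca.pem" 2>/dev/null || return 1
    done

    # One host key and one CSR, signed once by each CA.
    openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
        -keyout "$d/host.key" -out "$d/host.csr" 2>/dev/null || return 1
    serial=1001
    for ca in old new; do
        openssl x509 -req -in "$d/host.csr" -days 1 -set_serial "$serial" \
            -CA "$d/$ca-ca.pem" -CAkey "$d/$ca-ca.key" \
            -out "$d/host-$ca.pem" 2>/dev/null || return 1
        serial=$((serial + 1))
    done

    # field NAME OPTS...: compare one x509 output field across both certs.
    field() {
        name=$1; shift
        a=$(openssl x509 -noout "$@" -in "$d/host-old.pem")
        b=$(openssl x509 -noout "$@" -in "$d/host-new.pem")
        if [ "$a" = "$b" ]; then echo "$name=same"; else echo "$name=different"; fi
    }
    field dn -subject
    field pubkey -pubkey
    field issuer -issuer
    field sha256 -fingerprint -sha256   # what a pinned-certificate check sees
    rm -rf "$d"
}
```

Calling `resign_demo` prints one line per compared field; a service that stores the certificate file or its fingerprint needs the new file installed, while one that matches on the subject DN does not.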