I agree with John. As chair of JSPG I will chase this issue again,
especially as Maria Dimou is saying she needs advice from JSPG.
Dave
------------------------------------------------
Dr David Kelsey
Particle Physics Department
Rutherford Appleton Laboratory
Chilton, DIDCOT, OX11 0QX, UK
e-mail: [log in to unmask]
Tel: +44 (0)1235 445746 (direct)
Fax: +44 (0)1235 446733
------------------------------------------------
> -----Original Message-----
> From: Testbed Support for GridPP member institutes
> [mailto:[log in to unmask]] On Behalf Of Gordon, JC (John)
> Sent: 05 August 2008 11:37
> To: [log in to unmask]
> Subject: Re: Certifcate problem
>
> CERN did that earlier. That is why most people have both
> certificates listed.
>
> I don't think that is the right approach. CERN should not
> bother about the issuer DN. It is the user who is a member of
> the VO, not the CA. As long as you present a certificate with
> the right DN, signed by an approved CA, VOMS should be happy.
> IGTF CAs agree not to trample on each other's namespaces. If
> the UK decides to renew your certificate signed by a new CA
> that is no concern of the VO as long as both the old and new
> CAs are approved by the IGTF, in our case by the EUGridPMA.
>
> The option exists, we should persuade them to use it.
>
> > -----Original Message-----
> > From: Testbed Support for GridPP member institutes
> > [mailto:[log in to unmask]] On Behalf Of Ewan MacMahon
> > Sent: 05 August 2008 11:18
> > To: [log in to unmask]
> > Subject: Re: Certifcate problem
> >
> > > -----Original Message-----
> > > From: Testbed Support for GridPP member institutes [mailto:TB-
> > >
> > > So, as users, what should we do now?
> > >
> > I'd have thought the best thing would be to get CERN to re-run the
> > automatic change process they used before to find anyone with only the
> > old CA DN and bulk add them all with the new one. That would fix it
> > once for everybody, and now we can (I think) be sure that no-one still
> > has a valid certificate signed by the old CA so no-one will be able to
> > create a new registration with an old certificate.
> >
> > Is there a reason we can't do that?
> >
> > Ewan
> >
>