Just catching up with email. The official toplevel for the IGTF is
http://www.igtf.net/
For the distribution it redirects to dist.eugridpma.info which uses a
Cybertrust certificate (we've thought about those things). This is the
global distro, it just happens to be hosted by EUGridPMA.
Stephen is right, the TACAR repository is also strongly recommended, but
note there are accredited CAs not in TACAR, and CAs in TACAR which are
not accredited. All accredited CAs are meant to be in it: TACAR is
meant to provide a trusted repository independent of the IGTF.
Membership is a very manual process involving PGP key exchange with a
trusted introducer and the exchange of signed letters and stuff, but at
least now we have more than one in the world. UK e-Science CA has been
a member since April 2004. TACAR has other nice features like the
browser bulk download.
Other workarounds for the browser warnings have been considered by PMAs.
This is a very long story.
Cheers
--jens
John Gordon wrote:
> I found this http://www.eugridpma.org/ which looks a bit more official.
>
> John
>
> ________________________________
>
> From: Testbed Support for GridPP member institutes on behalf of Stephen Burke
> Sent: Mon 10/5/2009 9:57 PM
> To: [log in to unmask]
> Subject: Re: email encryption
>
>
>
> Testbed Support for GridPP member institutes [mailto:[log in to unmask]] On Behalf Of Henry Nebrensky said:
>> Is there a list of where to find these somewhere (... and how would I
>> trust it?)?
>
> There is a list, here:
>
> https://www.tacar.org/repos/
>
> As to how you know to trust it ... well, for a start that site has a certificate
> signed by a "real" CA, and you can read the documentation on the site about how it
> works. And the host name is "well-known", at least to those people that know it :)
> Alternatively you have the CA RPM that every site installs, and presumably trusts
> ...
>
>> It's a bit embarrassing when dragging new users on to Grid to have to give
>> them the 'treat your certificate with the utmost care' bit, only to
>> promptly have to tell them to ignore the security warnings from the
>> GGUS/CIC/SAM sites... :(
>
> Indeed - people shouldn't be trained to ignore the warnings, especially since they
> might then do the same for e.g. web sites masquerading as bank or credit card
> sites. If you have to do that it's better to make a decision once that you trust
> it and install the certificate, than ignore the warning every time.
>
> Stephen
>
>