On 01/02/12 13:48, Jens Jensen wrote:
> Hi Sam,
>
> I'm cc'ing this to tb-support in case others are interested.
With my "Wider VO services" hat on, if GridPP sites installed this CA,
it would presumably make it easier to get users onto the grid.
>
> The SARoNGS RPM is available here:
> http://cert.ca.ngs.ac.uk/ukescience-1-1
For those who don't know what this is, it's a way of getting a grid
certificate from institutional credentials (QMUL calls it idcheck, but I
think it is shibboleth underneath). There was a talk this morning on it.
http://nationalgridservice.blogspot.com/2012/01/interested-in-accessing-and-managing.html
>
> It is not officially out yet - and will change - because it needs to
> be signed with the GPG key (as advertised) and I haven't signed it
> until I have located the missing Earth Science CA. Main news is that
> we have decoupled the "SLCSTopLevel" CA which signs CAs that
> sign short-lived credentials, so it is now a standalone CA, so it
> is independent of the IGTF release. I guess John mentioned that this morning?
Yes he did, but the URL probably wasn't mentioned.
This seems like big progress.
>
> It also hasn't been tested quite as carefully as we'd like... so treat
> it with some caution. But the main advantage is that it installs entirely
> in parallel with IGTF - which is tantamount to saying we have given up trying
> to get SARoNGS into IGTF for now - but at least people can install it without
> any known risk to their existing CA certificate setup.
>
> Feedback & comments welcome. And questions.
With my "Wider VO services" hat on, this looks like it could make
getting small VOs up and running easier, so perhaps GridPP should
encourage sites to support it.
1) Is this desirable?
2) What (if any) policy questions need answering before this happens?
3) What technical challenges are there:
i) Do we need to worry about certificate revocation lists, or will
they just work?
ii) If this were used to grant login access, will a user's
certificate ever change? (There's a danger that they would then
lose access to their data.)
iii) Can these credentials be used to join any VO? Clearly if the VO
is supported at a site that doesn't support this CA, jobs will
fail. Should we as a matter of policy restrict this somehow so
that jobs don't fail?
iv) Presumably the WMS and VOMS servers need to support these
certificates. Anything else?
How this integrates with moonshot is also interesting.
Chris
>
> Cheers
> --jens
>
>
> ________________________________
> From: Sam Skipsey [[log in to unmask]]
> Sent: 01 February 2012 11:48
> To: Jensen, Jens (STFC,RAL,ESC)
> Subject: SARoNGS etc
>
> Hi Jens,
>
> I was at the SARoNGS/Shibboleth presentation and John Kewley mentioned the existence of a SARoNGS cert RPM that can be installed side-by-side with the IGTF trust anchors.
> I get the impression it isn't at public release yet, but I was wondering if we could get a hold of it...
>
> Sam