Ian,

CNRS acts as a "catch-all" CA and therefore signs certs for many different namespaces. I think GSI ignores anything to do with CA hierarchies so I imagine the signing policy of one CA is never checked against another even if it is higher up some hierarchy (not 100% sure of that statement). The best evidence I think is lack of anyone else reporting problems... so I suspect it's a configuration issue. .... Or a CRL out of date?

If you are still having problems I can forward to the CA list, but could do with a few more details.

Dave

------------------------------------------------
Dr David Kelsey
Particle Physics Department
Rutherford Appleton Laboratory
Chilton, DIDCOT, OX11 0QX, UK
e-mail: [log in to unmask]
Tel: [+44](0)1235 445746 (direct)
Fax: [+44](0)1235 446733
------------------------------------------------

> -----Original Message-----
> From: Testbed Support for GridPP member institutes
> [mailto:[log in to unmask]] On Behalf Of Ian Stokes-Rees
> Sent: 07 May 2004 13:25
> To: [log in to unmask]
> Subject: Funny CNRS certificate signing policies?
>
> Hi,
>
> I'm trying to debug a globus certificate problem, and I came
> across something I don't understand in the CNRS certificates.
> These were installed from RPMs, but I can't say I remember
> *which* RPMs. I understand that CNRS has the role of signing
> certs from random places. What I'm wondering is if
> Globus/openssl require that all sub-CA signing policies be
> more restrictive than their parent. Thinking about it, this
> wouldn't make sense to me, but I am grasping at straws for
> what may be the cause of my problem.
>
> Here is how the CNRS certs seem to be set up:
>
> 1. CNRS CA: Can only sign itself and CNRS/Projets
>    Signed by itself
>
> 2. CNRS/Projets CA: Can only sign itself and CNRS/Datagrid-fr
>    Signed by CNRS CA
>
> 3. CNRS/Datagrid-fr CA: Can sign anything
>    Signed by CNRS/Projets
>
> Besides the fact that I don't understand why CNRS/Projets (French
> spelling) can sign itself, and the fact that it seems
> possibly a little risky to let CNRS sign /*, this seems like
> a very reasonable arrangement. However, I am failing to
> authenticate using a CNRS cert, but my UK e-Science cert
> works fine (so it definitely seems like the problem is either
> with my CNRS cert or with the installation of the CNRS CA
> certs on the remote site).
>
> Below is the error message I get:
>
> [lxgate03] ~ > gsissh -p 2222 -2 -i ~/.globus/userkey.pem
> grid-compute.oesc.ox.ac.uk
> GSSAPI Error: GSS Major Status: Authentication Failed
> GSS Minor Status Error Chain:
> an unknown error occurred
> Disconnecting: Protocol error: didn't expect packet type 34
>
> Ha. At this very instant it works. I do not know if the
> site has fixed their policies or if I have managed to change
> something locally. Anyway, if anyone else has seen this
> problem and knows what causes it, I had the same problem a
> few weeks ago and it also seemed to "mysteriously" disappear.
>
> Cheers,
>
> Ian.
> --
> Ian Stokes-Rees [log in to unmask]
> Particle Physics, Oxford
> http://www-pnp.physics.ox.ac.uk/~stokes
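The three-level arrangement Ian lists, written out as Globus-style signing_policy entries and checked the way Dave describes (each cert is tested only against its own issuer's policy, with no walk up the CA hierarchy), as an added example that is not code from the thread or from Globus. The DNs are constructed placeholders, not the real CNRS names, and the wildcard matching via fnmatch is a simplification assumed here rather than GSI's exact matcher.

```python
import fnmatch
import re

# Constructed signing_policy text in the Globus format, one entry per CA,
# modelled on the thread's description. DNs are placeholders, not real.
POLICIES = """
access_id_CA   X509   '/C=FR/O=CNRS/CN=CNRS'
pos_rights     globus CA:sign
cond_subjects  globus '"/C=FR/O=CNRS/CN=CNRS" "/C=FR/O=CNRS/CN=CNRS-Projets"'

access_id_CA   X509   '/C=FR/O=CNRS/CN=CNRS-Projets'
pos_rights     globus CA:sign
cond_subjects  globus '"/C=FR/O=CNRS/CN=CNRS-Projets" "/C=FR/O=CNRS/CN=Datagrid-fr"'

access_id_CA   X509   '/C=FR/O=CNRS/CN=Datagrid-fr'
pos_rights     globus CA:sign
cond_subjects  globus '"/*"'
"""


def parse_signing_policies(text):
    """Return {issuer_dn: [allowed subject patterns]} from signing_policy text."""
    policies, issuer = {}, None
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        key, _, value = parts
        if key == "access_id_CA":
            issuer = value.strip().strip("'")
            policies[issuer] = []
        elif key == "cond_subjects" and issuer is not None:
            # value is a single-quoted list of double-quoted patterns
            policies[issuer] += re.findall(r'"([^"]*)"', value)
    return policies


def issuer_may_sign(policies, issuer_dn, subject_dn):
    """Per-issuer check: only the issuing CA's own policy is consulted, so a
    permissive sub-CA (Datagrid-fr) is not constrained by its restrictive parent."""
    patterns = policies.get(issuer_dn)
    if patterns is None:
        return False  # no signing_policy installed for this CA: reject
    return any(fnmatch.fnmatchcase(subject_dn, p) for p in patterns)


def chain_allowed(policies, chain):
    """chain is [(issuer_dn, subject_dn), ...] from root to end-entity;
    every link must pass its own issuer's policy."""
    return all(issuer_may_sign(policies, i, s) for i, s in chain)
```

A missing or stale signing_policy file for any CA in the chain fails the whole chain, which is the "configuration issue" class of problem Dave points at.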