Hi,

I'm trying to debug a globus certificate problem, and I came across something I don't understand in the CNRS certificates. These were installed from RPMs, but I can't say I remember *which* RPMs.

I understand that CNRS has the role of signing certs from random places. What I'm wondering is if Globus/openssl require that all sub-CA signing policies be more restrictive than their parent. Thinking about it, this wouldn't make sense to me, but I am grasping at straws for what may be the cause of my problem.

Here is how the CNRS certs seem to be set up:

1. CNRS CA: Can only sign itself and CNRS/Projets
   Signed by itself
2. CNRS/Projets CA: Can only sign itself and CNRS/Datagrid-fr
   Signed by CNRS CA
3. CNRS/Datagrid-fr CA: Can sign anything
   Signed by CNRS/Projets

Besides the fact that I don't understand why CNRS/Projets (French spelling) can sign itself, and the fact that it seems possibly a little risky to let CNRS sign /*, this seems like a very reasonable arrangement. However, I am failing to authenticate using a CNRS cert, but my UK e-Science cert works fine (so it definitely seems like the problem is either with my CNRS cert or with the installation of the CNRS CA certs on the remote site).

Below is the error message I get:

    [lxgate03] ~ > gsissh -p 2222 -2 -i ~/.globus/userkey.pem grid-compute.oesc.ox.ac.uk
    GSSAPI Error:
    GSS Major Status: Authentication Failed
    GSS Minor Status Error Chain:
    an unknown error occurred
    Disconnecting: Protocol error: didn't expect packet type 34

Ha. At this very instant it works. I do not know if the site has fixed their policies or if I have managed to change something locally. Anyway, if anyone else has seen this problem and knows what causes it, I had the same problem a few weeks ago and it also seemed to "mysteriously" disappear.

Cheers,

Ian.

--
Ian Stokes-Rees
Particle Physics, Oxford
http://www-pnp.physics.ox.ac.uk/~stokes
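
An added example, not part of the original message: a small checker that parses Globus-style signing_policy text and tests each certificate in a chain against the policy of its direct issuer, which is one way to see which level of the three-CA arrangement above would reject a given subject. It assumes per-issuer checking and uses Python's `fnmatch` as a stand-in for Globus's own wildcard matching; all DNs, `POLICIES`, `CHAIN` and the function names are constructed for illustration.

```python
import fnmatch
import re

# Constructed policies for the three-level arrangement in the message.
# The DNs are placeholders, not the real CNRS subject names.
POLICIES = """\
access_id_CA X509 '/C=FR/O=CNRS/CN=CNRS'
pos_rights globus CA:sign
cond_subjects globus '"/C=FR/O=CNRS/CN=CNRS" "/C=FR/O=CNRS/CN=CNRS-Projets"'
access_id_CA X509 '/C=FR/O=CNRS/CN=CNRS-Projets'
pos_rights globus CA:sign
cond_subjects globus '"/C=FR/O=CNRS/CN=CNRS-Projets" "/C=FR/O=CNRS/CN=Datagrid-fr"'
access_id_CA X509 '/C=FR/O=CNRS/CN=Datagrid-fr'
pos_rights globus CA:sign
cond_subjects globus '"/*"'
"""

# (subject, issuer) pairs, root first; the user DN is also constructed.
CHAIN = [
    ("/C=FR/O=CNRS/CN=CNRS", "/C=FR/O=CNRS/CN=CNRS"),
    ("/C=FR/O=CNRS/CN=CNRS-Projets", "/C=FR/O=CNRS/CN=CNRS"),
    ("/C=FR/O=CNRS/CN=Datagrid-fr", "/C=FR/O=CNRS/CN=CNRS-Projets"),
    ("/O=Grid/O=Example/CN=Some User", "/C=FR/O=CNRS/CN=Datagrid-fr"),
]

def parse_policies(text):
    """Map each access_id_CA DN to its list of cond_subjects patterns."""
    policies, ca = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*access_id_CA\s+X509\s+'([^']+)'", line)
        if m:
            ca = m.group(1)
            policies[ca] = []
            continue
        m = re.match(r"\s*cond_subjects\s+globus\s+'(.*)'\s*$", line)
        if m and ca is not None:
            body = m.group(1)
            policies[ca] += re.findall(r'"([^"]+)"', body) or [body]
    return policies

def check_chain(chain, policies):
    """Check every certificate against its own issuer's policy only."""
    problems = []
    for subject, issuer in chain:
        patterns = policies.get(issuer)
        if patterns is None:
            problems.append(f"no signing policy found for {issuer}")
        elif not any(fnmatch.fnmatchcase(subject, p) for p in patterns):
            problems.append(f"{issuer} is not allowed to sign {subject}")
    return problems
```

Running `check_chain(CHAIN, parse_policies(POLICIES))` on a host where one of the three policy entries is missing names the issuer whose policy could not be found, which helps separate an incomplete CA installation from a problem with the user certificate itself.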