
Vincenzo Ciaschini wrote:
> Hi to everyone:
> 
> Asterios Katsifodimos wrote:
>> Hello Jan,
>>
>> On my UI_TAR(glite-UI-3.1.23-0):
>> globus_proxy_utils-0.17 : 512   bits
>> voms-proxy-* 1.8.3         : 512   bits
>>
>> On my super glite-UI (glite-UI-3.1.23-0):
>> globus_proxy_utils-0.17 : 512   bits
>> voms-proxy-* 1.8.8         : 1024 bits
>>
>> Any clue why this happens?
>> My original question, however, is: does size matter? (in terms of bits of
>> course!)
> The default key size was changed in 1.8.8 on request of the GSVG group,
> since a default key size of 512 bits was becoming way too weak for
> practical use.  See this bug: https://savannah.cern.ch/bugs/?37704
> for details.  Note however that you must be a member of GSVG to get the
> details.
> 
> To be honest, I do not see how this might constitute a problem with
> ganga, since the default libraries for the major languages are by
> default capable of working with this key size.
> 
> In case of a real necessity, you can force a key size of 512 bits by
> adding the following option to the command line '--bits 512'.  Note
> however that using this is not advisable, and is strongly deprecated.
> 
> Ciao,
>    Vincenzo


To add background information to this topic:
In the past we've tried to figure out what the boundary conditions are
and found out that 4096-bit keys are not well supported in all default
libraries for the major languages, neither are 8192-bit keys or bigger. If
I'm not mistaken we had an issue with them in the Java space, triggered
by one or a few CAs that were using a 4k key length in the past. All
other key lengths didn't introduce a problem. Although not explicitly
tested by myself, the 4k key length issues are solved.


With that in mind, I don't think the root of the problem is the key
length. Especially not with these sizes. You're allowed to mix and match
certificates with various key lengths in one chain.

There are a lot of other things that can make a chain semantically
invalid. The most common these days is mixing GT2 and RFC proxies in one
chain.

cheers,
	
	Oscar


> 
> 
> 
>>
>> thanks!
>> On Tue, Nov 18, 2008 at 4:01 PM, Jan Just Keijser <[log in to unmask]>
>> wrote:
>>
>>> Hi Asterios,
>>>
>>> Asterios Katsifodimos wrote:
>>>
>>>> I have seen a strange behaviour in UI_TAR.
>>>>
>>>> The proxy certificates that are created through the voms-proxy-* and
>>>> grid-proxy-*
>>>> commands are different in strength.
>>>>
>>>> In UI_TAR it's 512 bits, in glite-UI it's 1024 bits.
>>>>
>>>> Due to this behaviour I cannot use ganga on the UI_TAR.
>>>>
>>>> So, is it supposed to make a difference?
>>>> If yes, what should I change in order to get a 1024 bits proxy on
>>>> UI_TAR?
>>>>
>>> funny, I was just playing with the latest UI_TAR tarball today ;-)
>>> on a glite-UI 3.1.22 machine I see
>>>  grid-proxy-init -> 512 bits
>>>  voms-proxy-init -> 512 bits
>>>  voms-proxy-init -version -> 1.8.3
>>> on my latest and greatest UI_TAR 3.1.23 tarball installation I see
>>>  grid-proxy-init -> 512 bits
>>>  voms-proxy-init -> 1024 bits
>>>  voms-proxy-init -version -> 1.8.8
>>>
>>> so it seems that my (brand-new) UI_TAR installation is giving me better
>>> proxies than the "normal" UI installation, which is the opposite of
>>> what you see!
>>> I am very curious which version(s) you have installed.
>>>
>>> cheers,
>>>
>>> JJK / Jan Just Keijser
>>> Nikhef Amsterdam
>>>
>>
>>
>>