Hello to everyone,

Indeed there should be no problems with different bit-strength in proxies.
I have tested 512 and 1024 bit proxies with most of the glite commands.

As far as *ganga-UI_TAR-proxies* are concerned:
Finally the problem was a bug in ganga
(https://savannah.cern.ch/bugs/index.php?44185)
and not my configuration nor UI_TAR nor the bit strength.

However, in order to come to a conclusion about the problem,
we had to be sure that the proxies were OK!

Thank you all for your responses and interest,

On Sat, Nov 22, 2008 at 1:26 PM, Oscar Koeroo <[log in to unmask]> wrote:

> Vincenzo Ciaschini wrote:
> > Hi to everyone:
> >
> > Asterios Katsifodimos wrote:
> >> Hello Jan,
> >>
> >> On my UI_TAR(glite-UI-3.1.23-0):
> >> globus_proxy_utils-0.17 : 512   bits
> >> voms-proxy-* 1.8.3         : 512   bits
> >>
> >> On my super glite-UI (glite-UI-3.1.23-0):
> >> globus_proxy_utils-0.17 : 512   bits
> >> voms-proxy-* 1.8.8         : 1024 bits
> >>
> >> Any clue why this happens?
> >> My original question, however, is: does size matter? (in terms of bits of
> >> course!)
> > The default key size was changed in 1.8.8 on request of the GSVG group,
> > since a default key size of 512 bits was becoming way too weak for
> > practical use.  See this bug: https://savannah.cern.ch/bugs/?37704
> > for details.  Note however that you must be a member of GSVG to get the
> > details.
> >
> > To be honest, I do not see how this might constitute a problem with
> > ganga, since the default libraries for the major languages are by
> > default capable of working with this key size.
> >
> > In case of a real necessity, you can force a key size of 512 bits by
> > adding the following option to the command line '--bits 512'.  Note
> > however that using this is not advisable, and is strongly deprecated.
> >
> > Ciao,
> >    Vincenzo
>
>
> To add background information to this topic:
> In the past we've tried to figure out what the boundary conditions are
> and found out that 4096 bits keys are not well supported in all default
> libraries for the major languages, neither is 8192 keys or bigger. If
> I'm not mistaken we had an issue with them in the Java space, triggered
> by one or a few CAs that were using a 4k key length in the past. All
> other key lengths didn't introduce a problem. Although not explicitly
> tested by myself the 4k key length issues are solved.
>
>
> With that in mind, I don't think the root of the problem is the key
> length. Especially not with these sizes. You're allowed to mix and match
> certificates with various key lengths to one chain.
>
> There are a lot of other things that can make a chain semantically
> invalid. The most common these days is mixing GT2 and RFC proxies in one
> chain.
>
> cheers,
>
>        Oscar
>
>
> >
> >
> >
> >>
> >> thanks!
> >> On Tue, Nov 18, 2008 at 4:01 PM, Jan Just Keijser <[log in to unmask]>
> >> wrote:
> >>
> >>> Hi Asterios,
> >>>
> >>> Asterios Katsifodimos wrote:
> >>>
> >>>> I have seen a strange behaviour in UI_TAR.
> >>>>
> >>>> The proxy certificates that are created through the voms-proxy-* and
> >>>> grid-proxy-*
> >>>> commands are different in strength.
> >>>>
> >>>> In UI_TAR it's 512 bits, in glite-UI it's 1024 bits.
> >>>>
> >>>> Due to this behaviour I cannot use ganga on the UI_TAR.
> >>>>
> >>>> So, is it supposed to make a difference?
> >>>> If yes, what should I change in order to get a 1024 bits proxy on
> >>>> UI_TAR?
> >>>>
> >>> funny, I was just playing with the latest UI_TAR tarball today ;-)
> >>> on a glite-UI 3.1.22 machine I see
> >>>  grid-proxy-init -> 512 bits
> >>>  voms-proxy-init -> 512 bits
> >>>  voms-proxy-init -version -> 1.8.3
> >>> on my latest and greatest UI_TAR 3.1.23 tarball installation I see
> >>>  grid-proxy-init -> 512 bits
> >>>  voms-proxy-init -> 1024 bits
> >>>  voms-proxy-init -version -> 1.8.8
> >>>
> >>> so it seems that my (brand-new) UI_TAR installation is giving me better
> >>> proxies than the "normal" UI installation, which is the opposite of
> >>> what you see!
> >>> I am very curious which version(s) you have installed.
> >>>
> >>> cheers,
> >>>
> >>> JJK / Jan Just Keijser
> >>> Nikhef Amsterdam
> >>>
> >>
> >>
> >>
>
>


-- 
Asterios Katsifodimos
High Performance Computing systems Lab
Department of Computer Science, University of Cyprus
http://grid.ucy.ac.cy
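
An added example, not part of the original thread: a small chain audit that follows the two points made above, flagging keys below a threshold and GT2/RFC proxies mixed in one chain while accepting mixed key lengths. The DNs, key sizes, the `MIN_BITS` threshold and the function names are constructed for illustration, and the naming conventions used to tell proxy types apart are assumptions stated in the comments.

```python
# Assumed conventions (not stated in the thread): a legacy GT2 proxy appends
# "CN=proxy" or "CN=limited proxy" to its issuer's subject, while an RFC 3820
# proxy from the Globus/VOMS tools appends a numeric CN. A DN alone cannot
# tell a draft (GT3) proxy from an RFC one, so both land in "rfc" here.
GT2_CNS = {"proxy", "limited proxy"}
MIN_BITS = 1024  # hypothetical site threshold; 512 is called too weak above

def proxy_type(subject, issuer):
    """Classify a certificate as 'gt2', 'rfc' or 'eec' from its two DNs."""
    prefix = issuer + "/CN="
    if not subject.startswith(prefix):
        return "eec"  # subject does not extend the issuer: not a proxy
    cn = subject[len(prefix):]
    if cn in GT2_CNS:
        return "gt2"
    if cn.isdigit():
        return "rfc"
    return "eec"

def audit_chain(chain):
    """chain: dicts with subject, issuer, bits; end-entity cert first."""
    findings, types = [], []
    for cert in chain:
        kind = proxy_type(cert["subject"], cert["issuer"])
        if kind != "eec":
            types.append(kind)
        if cert["bits"] < MIN_BITS:
            findings.append(f"weak key: {cert['bits']} bits on {cert['subject']}")
    # Different key lengths in one chain are fine; different proxy types are not.
    if len(set(types)) > 1:
        findings.append("mixed proxy types in one chain: " + " -> ".join(types))
    return findings

# Constructed sample data (not taken from any real grid).
CA = "/O=Example Grid/CN=Example CA"
USER = "/O=Example Grid/CN=Alice Example"
EEC = {"subject": USER, "issuer": CA, "bits": 2048}
RFC1 = {"subject": USER + "/CN=1234567", "issuer": USER, "bits": 1024}
GT2_WEAK = {"subject": USER + "/CN=proxy", "issuer": USER, "bits": 512}
GT2_ON_RFC = {"subject": RFC1["subject"] + "/CN=proxy",
              "issuer": RFC1["subject"], "bits": 1024}

if __name__ == "__main__":
    for name, chain in [("ok", [EEC, RFC1]), ("weak", [EEC, GT2_WEAK]),
                        ("mixed", [EEC, RFC1, GT2_ON_RFC])]:
        print(name, audit_chain(chain))
```

The subject, issuer and key size of each certificate in a proxy file can be read with `openssl x509 -noout -text` before being passed to `audit_chain`.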