Hello to everyone,

Indeed there should be no problems with different bit-strength in proxies.
I have tested 512 and 1024 bit proxies with most of the glite commands.

As far as ganga-UI_TAR-proxies are concerned:
Finally the problem was a bug in ganga (https://savannah.cern.ch/bugs/index.php?44185)
and not my configuration nor UI_TAR nor the bit strength.

However, in order to reach a conclusion about the problem
we had to be sure that the proxies were ok!

Thank you all for your responses and interest,

On Sat, Nov 22, 2008 at 1:26 PM, Oscar Koeroo <[log in to unmask]> wrote:
Vincenzo Ciaschini wrote:
> Hi to everyone:
>
> Asterios Katsifodimos wrote:
>> Hello Jan,
>>
>> On my UI_TAR(glite-UI-3.1.23-0):
>> globus_proxy_utils-0.17 : 512   bits
>> voms-proxy-* 1.8.3         : 512   bits
>>
>> On my super glite-UI (glite-UI-3.1.23-0):
>> globus_proxy_utils-0.17 : 512   bits
>> voms-proxy-* 1.8.8         : 1024 bits
>>
>> Any clue why this happens?
>> My original question, however, is: does size matter? (in terms of bits of
>> course!)
> The default key size was changed in 1.8.8 on request of the GSVG group,
> since a default key size of 512 bits was becoming way too weak for
> practical use.  See this bug: https://savannah.cern.ch/bugs/?37704
> for details.  Note however that you must be a member of GSVG to get the
> details.
>
> To be honest, I do not see how this might constitute a problem with
> ganga, since the default libraries for the major languages are by
> default capable of working with this key size.
>
> In case of a real necessity, you can force a key size of 512 bits by
> adding the following option to the command line '--bits 512'.  Note
> however that using this is not advisable, and is strongly deprecated.
>
> Ciao,
>    Vincenzo


To add background information to this topic:
In the past we've tried to figure out what the boundary conditions are
and found out that 4096-bit keys are not well supported in all default
libraries for the major languages, neither are 8192-bit keys or bigger. If
I'm not mistaken we had an issue with them in the Java space, triggered
by one or a few CAs that were using a 4k key length in the past. All
other key lengths didn't introduce a problem. Although not explicitly
tested by myself, the 4k key length issues are solved.


With that in mind, I don't think the root of the problem is the key
length. Especially not with these sizes. You're allowed to mix and match
certificates with various key lengths to one chain.

There are a lot of other things that can make a chain semantically
invalid. The most common these days is mixing GT2 and RFC proxies in one
chain.

cheers,

       Oscar


>
>
>
>>
>> thanks!
>> On Tue, Nov 18, 2008 at 4:01 PM, Jan Just Keijser <[log in to unmask]>
>> wrote:
>>
>>> Hi Asterios,
>>>
>>> Asterios Katsifodimos wrote:
>>>
>>>> I have seen a strange behaviour in UI_TAR.
>>>>
>>>> The proxy certificates that are created through the voms-proxy-* and
>>>> grid-proxy-* commands are different in strength.
>>>>
>>>> In UI_TAR it's 512 bits, in glite-UI it's 1024 bits.
>>>>
>>>> Due to this behaviour I cannot use ganga on the UI_TAR.
>>>>
>>>> So, is it supposed to make a difference?
>>>> If yes, what should I change in order to get a 1024 bits proxy on
>>>> UI_TAR?
>>>>
>>> funny, I was just playing with the latest UI_TAR tarball today ;-)
>>> on a glite-UI 3.1.22 machine I see
>>>  grid-proxy-init -> 512 bits
>>>  voms-proxy-init -> 512 bits
>>>  voms-proxy-init -version -> 1.8.3
>>> on my latest and greatest UI_TAR 3.1.23 tarball installation I see
>>>  grid-proxy-init -> 512 bits
>>>  voms-proxy-init -> 1024 bits
>>>  voms-proxy-init -version -> 1.8.8
>>>
>>> so it seems that my (brand-new) UI_TAR installation is giving me better
>>> proxies than the "normal" UI installation, which is the opposite of what
>>> you see!
>>> I am very curious which version(s) you have installed.
>>>
>>> cheers,
>>>
>>> JJK / Jan Just Keijser
>>> Nikhef Amsterdam
>>>
>>
>>
>>




--
Asterios Katsifodimos
High Performance Computing systems Lab
Department of Computer Science, University of Cyprus
http://grid.ucy.ac.cy
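
An added example, not part of the original thread or of any gLite/VOMS tool: one way to check that a proxy chain is "ok" in the two senses discussed above, key strength and GT2/RFC mixing. It assumes the subject DNs and key sizes have already been read out of the proxy file; the function names, the 1024-bit threshold and the sample DNs are constructed for illustration, and the numeric-CN test is a naming heuristic (the authoritative marker of an RFC 3820 proxy is its ProxyCertInfo extension).

```python
# Added example: audit a proxy chain for weak keys and GT2/RFC mixing.
MIN_BITS = 1024  # assumed site policy; the thread calls 512 bits too weak

def proxy_type(issuer_dn, subject_dn):
    """Classify one proxy from the CN it appends to its issuer's DN."""
    prefix = issuer_dn + "/CN="
    if not subject_dn.startswith(prefix) or "/" in subject_dn[len(prefix):]:
        return "invalid"          # subject must be issuer DN plus exactly one CN
    cn = subject_dn[len(prefix):]
    if cn in ("proxy", "limited proxy"):
        return "GT2"              # legacy Globus proxy naming
    if cn.isdigit():
        return "RFC"              # numeric CN: heuristic for RFC-style proxies
    return "invalid"

def audit_chain(chain, min_bits=MIN_BITS):
    """chain: [(subject_dn, key_bits), ...], end-entity certificate first."""
    findings, types = [], []
    for i, (dn, bits) in enumerate(chain):
        # Different key lengths in one chain are fine; only weak keys are flagged.
        if bits < min_bits:
            findings.append(f"cert {i}: {bits}-bit key below {min_bits}")
        if i > 0:
            t = proxy_type(chain[i - 1][0], dn)
            types.append(t)
            if t == "invalid":
                findings.append(f"cert {i}: subject is not issuer DN plus one proxy CN")
    if "GT2" in types and "RFC" in types:
        findings.append("chain mixes GT2 and RFC proxies")
    return findings

# Constructed sample chains (not taken from any real certificate).
EEC = "/DC=org/DC=example/OU=People/CN=Test User"
OK_CHAIN = [(EEC, 2048), (EEC + "/CN=proxy", 1024),
            (EEC + "/CN=proxy/CN=proxy", 1024)]
MIXED_WEAK = [(EEC, 2048), (EEC + "/CN=proxy", 512),
              (EEC + "/CN=proxy/CN=1234567", 1024)]

if __name__ == "__main__":
    for name, chain in (("ok", OK_CHAIN), ("mixed", MIXED_WEAK)):
        print(name, audit_chain(chain) or "no findings")
```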