Ian,
Good....
So the whole chain has to be there but there is no requirement for the
namespaces to be hierarchical.
Dave
------------------------------------------------
Dr David Kelsey
Particle Physics Department
Rutherford Appleton Laboratory
Chilton, DIDCOT, OX11 0QX, UK
e-mail: [log in to unmask]
Tel: [+44](0)1235 445746 (direct)
Fax: [+44](0)1235 446733
------------------------------------------------
> -----Original Message-----
> From: Testbed Support for GridPP member institutes
> [mailto:[log in to unmask]] On Behalf Of Ian Stokes-Rees
> Sent: 07 May 2004 14:40
> To: [log in to unmask]
> Subject: Re: Funny CNRS certificate signing policies?
>
>
> Kelsey, DP (David) wrote:
> > Ian,
> >
> > CNRS acts as a "catch-all" CA and therefore signs certs for many
> > different namespaces. I think GSI ignores anything to do with CA
> > hierarchies so I imagine the signing policy of one CA is
> never checked
> > against another even if it is higher up some hierarchy (not
> 100% sure
> > of that statement).
> >
> > The best evidence I think is lack of anyone else reporting
> problems...
> > so I suspect it's a configuration issue.
> >
> > .... Or a CRL out of date?
> >
> > If are you still having problems I can forward to the CA list, but
> > could do with a few more details.
>
> Thanks, it turns out it had to do with the CA chain. The
> site I was trying to access had installed the first CA, but
> not the full CA chain back to the self-signed CA cert. They
> only realised this *after* they told me they had manually
> installed the first CA, and I assumed they meant they had
> installed *all* the CNRS CA certs.
>
> So, back on track.
>
> Ian
>
> "Don't worry, everything is going to be alright."
>
> --
> Ian Stokes-Rees [log in to unmask]
> Particle Physics, Oxford
> http://www-pnp.physics.ox.ac.uk/~stokes
>
|