Jens, can you please provide or point to a 'dummies guide' suitable
for physicists to add CA certs into their browser? The TACAR site is
great but I don't see the bulk import option.
We should probably hassle the many (ATLAS) webservices out there with
self-signed certs...
Peter
2009/10/8 Jensen, J (Jens) <[log in to unmask]>:
> Just catching up with email. The official toplevel for the IGTF is
> http://www.igtf.net/
>
> For the distribution it redirects to dist.eugridpma.info which uses a
> Cybertrust certificate (we've thought about those things). This is the
> global distro, it just happens to be hosted by EUGridPMA.
>
> Stephen is right, the TACAR repository is also strongly recommended, but
> note there are accredited CAs not in TACAR, and CAs in TACAR which are
> not accredited. All accredited CAs are meant to be in it: TACAR is
> meant to provide a trusted repository independent of the IGTF.
> Membership is a very manual process involving PGP key exchange with a
> trusted introducer and the exchange of signed letters and stuff, but at
> least now we have more than one in the world. UK e-Science CA has been
> a member since April 2004. TACAR has other nice features like the
> browser bulk download.
>
> Other workarounds for the browser warnings have been considered by PMAs.
> This is a very long story.
>
> Cheers
> --jens
>
> John Gordon wrote:
>> I found this http://www.eugridpma.org/ which looks a bit more official.
>>
>> John
>>
>> ________________________________
>>
>> From: Testbed Support for GridPP member institutes on behalf of Stephen Burke
>> Sent: Mon 10/5/2009 9:57 PM
>> To: [log in to unmask]
>> Subject: Re: email encryption
>>
>>
>>
>> Testbed Support for GridPP member institutes
>>> [mailto:[log in to unmask]] On Behalf Of Henry Nebrensky said:
>>> Is there a list of where to find these somewhere (... and how would I
>>> trust it?)?
>>
>> There is a list, here:
>>
>> https://www.tacar.org/repos/
>>
>> As to how you know to trust it ... well, for a start that site has a certificate
>> signed by a "real" CA, and you can read the documentation on the site about how it
>> works. And the host name is "well-known", at least to those people that know it :)
>> Alternatively you have the CA RPM that every site installs, and presumably trusts
>> ...
>>
>>> It's a bit embarrassing when dragging new users on to Grid to
>>> have to give
>>> them the 'treat your certificate with the utmost care' bit, only to
>>> promptly have to tell them to ignore the security warnings from the
>>> GGUS/CIC/SAM sites... :(
>>
>> Indeed - people shouldn't be trained to ignore the warnings, especially since they
>> might then do the same for e.g. web sites masquerading as bank or credit card
>> sites. If you have to do that it's better to make a decision once that you trust
>> it and install the certificate, than ignore the warning every time.
>>
>> Stephen
>>
>>
>