> Yes, everyone should use the canonical (common) locations; trying to set
> up per-user CA repository is not a good idea - unless they (a) know what
> they're doing and (b) actually need it - specifically if you find
> yourself on a system which does not have the standard install and you
> only have your own home directory to put things in.
As I understand it the files in this case are not a CA repo per se, but provided the minimal truststore needed to connect to the CA Server (CertWizard back-end if you will) or the NGS MyProxy server. There were options to add other CAs if you wanted.
our users would usually fall into one of the following categories:
* Don't have write permission for /etc/grid-security so if CA certs weren't available they had to go somewhere
* If they were on Windows then /etc/grid-security wouldn't exist so a home dir is a sensible location
* Only need the UK eScience CA certs
In any case doing CRL updates for clients wasn't seen as best practice at the time (although this is a bit of a red herring).
> If you are on a system with the standard install then you should use
> that so you get fresh CRLs and CA updates and all that.
>
> I thought it was a MyProxy thing (-T switch, was it?) It's not something
> I have ever needed or even looked at much.
Yes, the -T was supported, but what that did was download ALL the Trust root store from the MyProxy server.
At one point this also downloaded .r0 files which was a BAD THING. This was some time ago and I'm afraid I don't recall our resolution for this.
> If CW supports it - I hadn't seen it before - then it probably does it
> to emulate MyProxy?
yup
> > So please: Nothing should write to this directory, ever.
While that may be your opinion, let's have a look at the rules that the globus code uses (this is 5.2 which I think is the version mentioned above)
---
2.1.3. Trusted CAs directory
X509_CERT_DIR is used to specify the path to the trusted certificates directory. This directory contains information about which CAs are trusted (including the CA certificates themselves) and, in some cases, configuration information used by grid-cert-request to formulate certificate requests. The location of the trusted certificates directory is determined as follows:
If the X509_CERT_DIR environment variable is set, the trusted certificates directory is the value of that environment variable.
Otherwise, if $HOME/.globus/certificates exists, that directory is the trusted certificates directory.
Otherwise, if /etc/grid-security/certificates exists, that directory is the trusted certificates directory.
Finally, if $GLOBUS_LOCATION/share/certificates exists, then it is the trusted certificates directory.
---
So I dispute whether you should *never* write to this directory, but it makes it clear that if you do then that is your trusted store.
BTW the moral of the story - use the CA Portal - lots of happy customers.
Cheers
JK
|