Hi folks,
below are URLs for the root certificates currently used by AstroGrid users.
Local, community CA at IoA Cambridge:
http://ag01.ast.cam.ac.uk:8081/astrogrid.cam-community/certificates/2c8f8e16.0
This is a test community, currently with few members. Its root certificate is self-signed. I expect to grow this community, using the same CA, over the next few months. It registers Cambridge users only.
Local, community CA for the UKIDSS consortium:
http://hempriggs.roe.ac.uk/ukidss-community/certificates/fc3426d1.0
This is a live community, managed at ROE. Its members are international, from those countries having access rights to the UKIDSS data. There are issues here regarding SSO. Clearly, a community for each resource doesn't work. This will get fixed over the next year or so, but for now the community is important to us since its members use it for science. It uses a local CA with a self-signed certificate.
Old UK e-Science CA:
http://ag01.ast.cam.ac.uk:8081/astrogrid.cam-community/certificates/01621954.0
This is the PMA-affiliated CA for the UK. It used this root certificate up to ~2Q2007, so there may be a few EECs around that refer back to this. However, this root has been replaced with a newer certificate.
New UK e-Science CA:
http://www.grid-support.ac.uk/content/view/182/184/
Note that the new trust-anchor is in two parts: a root and a CA certificate. AFAIK, you need both in your store of trust anchors to make the chaining work.
There is no "AstroGrid" root certificate, nor is there a "EuroVO" root certificate. Therefore communities of AstroGrid users (and communities of EuroVO users who use AstroGrid software for user-management) will tend to have local CAs with self-signed certificates. I expect there to be ~6 such communities by 4Q2007. There may be a couple of dozen by the end of 2008. *If* this becomes unsupportable *in practice*, then AstroGrid will look at the alternatives: either getting the community sites set up as RA for a grown-up PMA-approved CA (as has been done at ESO) or designating a regional (UK/Europe) CA inside the VO (as proposed in Roy's recent document). I don't want to get into these complications unless we really need to.
Cheers,
Guy
On 6 Jun 2007, at 16:25, Matthew Graham wrote:
> Hi,
>
> I am still intending to announce the opening of the PR stage for
> this on June 15 (next Friday). How should we formally demonstrate
> interoperability of our implementations?
>
> Cheers,
>
> Matthew
Received on 2007-07-07Z13:30:44