[caops-wg] Certificate Bridging and the Grid Certificate Profile version 0.21

Mike Helm helm at fionn.es.net
Tue Mar 27 14:14:47 CDT 2007


Scott Rea writes:
> Using AKI is definitely recommended for Bridging - it makes it easier to 
> discover appropriate paths. The SURA documentation is not advising 
> against this, they are in fact recommending that you do use it - but use 
> the keyid version rather than the dirname version.

I believe we are (or should be) recommending the same thing in the profile;
the directory name version usage has led to problems with CA key rollover.

> AKI can be populated with multiple values, SURA recommends that you 
> simply use the keyid value only as this works with the bridge and the 
> globus software as they have configured it.
> 
> Regards,
> -Scott
> 
> Mike 'Mike' Jones wrote:
> >
> > Hi folks,
> >
> > I've just been asked to add an LSU grid certificate to one of our 
> > servers. We sometimes do things like this as a special case reading 
> > the CP/CPS where available.  However, that's not the point of this email!
> >
> > Poking around the web for details of the
> > "/O=Louisiana State University/OU=CCT/OU=ca.cct.lsu.edu/CN=CCT CA"
> > Certificate Authority I came across the SURAgrid bridge CA. In their 
> > documentation they advise _against_ using the Authority Key Identifier 
> > (for obvious reasons).  The Grid Certificate Profile draft currently
> > recommends that AKID be used (table in section 2.4).  Might it be 
> > appropriate for us to add a note that by doing this one essentially 
> > removes the possibility for joining a bridging scheme such as 
> > https://www.pki.virginia.edu/nmi-bridge/ ?
> >
> > Cheers,
> > Mike
> > ------------------------------------------------------------------------
> >
> > --
> >   caops-wg mailing list
> >   caops-wg at ogf.org
> >   http://www.ogf.org/mailman/listinfo/caops-wg
> 
> -- 
> Scott Rea
> Director, HEBCA|USHER Operating Authority
> Dartmouth Senior PKI Architect
> Peter Kiewit Computing Services
> Dartmouth College
> 058 Sudikoff, HB 6238
> Hanover, NH 03755
> 
> Em: Scott.Rea at Dartmouth.edu
> Ph#(603) 646-0968
> Ot#(603) 646-9181
> Fx#(603) 646-9019
> Ce#(603) 252-7339
> 
> 


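Added example (not part of the original message or of any project named in it): a small Python check that reads the DER value of an authorityKeyIdentifier extension, following the AuthorityKeyIdentifier structure in RFC 5280, and reports whether it is the keyid-only form recommended in this thread or also carries the issuer directory name and serial. The function names and the sample byte strings are constructed for illustration.

```python
# Added example: classify the DER value of an X.509 authorityKeyIdentifier
# extension (RFC 5280, section 4.2.1.1). All function names are hypothetical.

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

# Context tags of the three optional AuthorityKeyIdentifier fields (implicit tagging).
AKI_TAGS = {0x80: "keyid", 0xA1: "issuer", 0x82: "serial"}

def aki_fields(ext_value):
    """Map each field present in the extension value to its raw content bytes."""
    tag, body, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("expected exactly one DER SEQUENCE")
    fields, pos = {}, 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag not in AKI_TAGS:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
        fields[AKI_TAGS[tag]] = value
    return fields

def is_keyid_only(ext_value):
    """True when the AKI holds a key identifier and no issuer name or serial."""
    return set(aki_fields(ext_value)) == {"keyid"}

def tlv(tag, value):
    """Encode a short (< 128 byte) DER element; used only to build the samples."""
    return bytes([tag, len(value)]) + value

# Constructed sample values, not taken from any real certificate.
KEYID = bytes(range(20))
DIRNAME = bytes.fromhex("a40f300d310b300906035504030c024341")  # directoryName CN=CA
KEYID_ONLY = tlv(0x30, tlv(0x80, KEYID))
WITH_DIRNAME = tlv(0x30, tlv(0x80, KEYID) + tlv(0xA1, DIRNAME) + tlv(0x82, b"\x01"))

if __name__ == "__main__":
    for label, value in (("keyid", KEYID_ONLY), ("keyid+dirname", WITH_DIRNAME)):
        print(label, sorted(aki_fields(value)), "keyid-only:", is_keyid_only(value))
```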