[caops-wg] Certificate Bridging and the Grid Certificate Profile version 0.21

Scott Rea Scott.Rea at Dartmouth.EDU
Tue Mar 27 14:24:52 CDT 2007


I would be in favor of this - I have never used the DirName value in 
AuthorityKeyIdentifier, I have always used KeyId
-Scott

Mike Helm wrote:
> Scott Rea writes:
>   
>> Using AKI is definitely recommended for Bridging - it makes it easier to 
>> discover appropriate paths. The SURA documentation is not advising 
>> against this, they are in fact recommending that you do use it - but use 
>> the keyid version rather than the dirname version.
>>     
>
> I believe we are (or should be) recommending the same thing in the profile;
> the directory name version usage has led to problems with CA key rollover.
>
>   
>> AKI can be populated with multiple values, SURA recommends that you 
>> simply use the keyid value only as this works with the bridge and the 
>> globus software as they have configured it.
>>
>> Regards,
>> -Scott
>>
>> Mike 'Mike' Jones wrote:
>>     
>>> Hi folks,
>>>
>>> I've just been asked to add an LSU grid certificate to one of our 
>>> servers. We sometimes do things like this as a special case reading 
>>> the CP/CPS where available.  However, that's not the point of this email!
>>>
>>> Poking around the web for details of the
>>> "/O=Louisiana State University/OU=CCT/OU=ca.cct.lsu.edu/CN=CCT CA"
>>> Certificate Authority I came across the SURAgrid bridge CA. In their 
>>> documentation they advise _against_ using the Authority Key Identifier 
>>> (for obvious reasons).  The Grid Certificate Profile draft currently
>>> recommends that AKID be used (table in section 2.4).  Might it be 
>>> appropriate for us to add a note that by doing this one essentially 
>>> removes the possibility for joining a bridging scheme such as 
>>> https://www.pki.virginia.edu/nmi-bridge/ ?
>>>
>>> Cheers,
>>> Mike
>>> --
>>>   caops-wg mailing list
>>>   caops-wg at ogf.org
>>>   http://www.ogf.org/mailman/listinfo/caops-wg
>>>       
>> -- 
>> Scott Rea
>> Director, HEBCA|USHER Operating Authority
>> Dartmouth Senior PKI Architect
>> Peter Kiewit Computing Services
>> Dartmouth College
>> 058 Sudikoff, HB 6238
>> Hanover, NH 03755
>>
>> Em: Scott.Rea at Dartmouth.edu
>> Ph#(603) 646-0968
>> Ot#(603) 646-9181
>> Fx#(603) 646-9019
>> Ce#(603) 252-7339

-- 
Scott Rea
Director, HEBCA|USHER Operating Authority
Dartmouth Senior PKI Architect
Peter Kiewit Computing Services
Dartmouth College
058 Sudikoff, HB 6238
Hanover, NH 03755

Em: Scott.Rea at Dartmouth.edu
Ph#(603) 646-0968
Ot#(603) 646-9181
Fx#(603) 646-9019
Ce#(603) 252-7339
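Mike Helm's remark that the directory-name form of AKI has caused trouble, worked through as an added example that is not code from this thread or from any CA mentioned in it (all names, serial numbers and key identifiers below are constructed): a toy RFC 5280 path builder over certificate records, showing that an AKI carrying authorityCertIssuer plus serial matches only the one CA certificate it names, so a path through a bridge's cross-certificate (same CA key, different issuer and serial) cannot be built, while the keyIdentifier form matches either. The same pinning rejects a renewed CA certificate that keeps the key under a new serial, which is the rollover case Mike mentions.

```python
# Added example, not code from the caops-wg thread or any CA's software: a toy
# model of RFC 5280 AKI matching in path building; all values are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Cert:
    subject: str
    issuer: str
    serial: int
    ski: bytes                          # SubjectKeyIdentifier
    aki_keyid: Optional[bytes] = None   # AKI keyIdentifier
    aki_issuer: Optional[str] = None    # AKI authorityCertIssuer (dirName)
    aki_serial: Optional[int] = None    # AKI authorityCertSerialNumber

def aki_matches(child, ca):
    # keyid must equal the CA cert's SKI; issuer/serial, if set, names one exact cert
    if child.issuer != ca.subject:
        return False
    if child.aki_keyid is not None and child.aki_keyid != ca.ski:
        return False
    if child.aki_serial is not None and \
            (child.aki_issuer, child.aki_serial) != (ca.issuer, ca.serial):
        return False
    return True

def build_path(leaf, store, anchors, depth=6):
    """Depth-first path build from leaf up to a self-signed trust anchor name."""
    if leaf.subject == leaf.issuer and leaf.subject in anchors:
        return [leaf]
    for ca in store if depth else []:
        # an untrusted self-signed certificate cannot extend a path
        if ca is leaf or not aki_matches(leaf, ca) or \
                (ca.subject == ca.issuer and ca.subject not in anchors):
            continue
        rest = build_path(ca, store, anchors, depth - 1)
        if rest:
            return [leaf] + rest
    return None

# Constructed PKI: campus CA self-signed cert (serial 1), the same CA key
# cross-certified by a bridge (serial 77), and the bridge's own root cert.
CA_KEY, BRIDGE_KEY, HOST_KEY = b"\x11" * 20, b"\x22" * 20, b"\x33" * 20
BRIDGE = Cert("CN=Bridge CA", "CN=Bridge CA", 5, BRIDGE_KEY, aki_keyid=BRIDGE_KEY)
CA_SELF = Cert("CN=Campus CA", "CN=Campus CA", 1, CA_KEY, aki_keyid=CA_KEY)
CA_CROSS = Cert("CN=Campus CA", "CN=Bridge CA", 77, CA_KEY, aki_keyid=BRIDGE_KEY)
EE_KEYID = Cert("CN=host", "CN=Campus CA", 1001, HOST_KEY, aki_keyid=CA_KEY)
EE_DIRNAME = Cert("CN=host", "CN=Campus CA", 1002, HOST_KEY, aki_keyid=CA_KEY,
                  aki_issuer="CN=Campus CA", aki_serial=1)
STORE = [BRIDGE, CA_SELF, CA_CROSS]
```

With {"CN=Bridge CA"} as the only trust anchor, build_path(EE_KEYID, STORE, ...) returns host, cross-cert, bridge root, while build_path(EE_DIRNAME, STORE, ...) returns None; with the campus CA itself as anchor both succeed.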