[gin-ops] Re: [gin-auth] VO name change
Cindy Zheng
zhengc at sdsc.edu
Mon Apr 24 15:39:05 CDT 2006
Thank you very much, Oscar! Very clear descriptions
of our experiences, issues, temporary solutions and
proposed solutions!
For now, I have linked it at
http://goc.pragma-grid.net/gin/default.html
Everyone is welcome to comment and contribute ideas.
We can refine it with our collective wisdom :-)
I'll also pass it to GLOBUS people and will let you
all know if I hear any comments from them.
Cindy
> -----Original Message-----
> From: Oscar Koeroo [mailto:okoeroo at nikhef.nl]
> Sent: Monday, April 24, 2006 3:24 AM
> To: Cindy Zheng
> Cc: 'Vincenzo Ciaschini'; gin-auth at ggf.org; gin-ops at ggf.org
> Subject: Re: [gin-ops] Re: [gin-auth] VO name change
>
>
> Hi Cindy and others,
>
> Concerning the recent experiences within GIN regarding VOMS,
> certificates, CAs and things that link to these terms, I've written a
> small document about this.
>
>
> Oscar
>
>
>
> Cindy Zheng wrote:
>
> >Thank you very much, Oscar!
> >
> >
> >
> >>-----Original Message-----
> >>From: owner-gin-ops at ggf.org [mailto:owner-gin-ops at ggf.org] On
> >>Behalf Of Oscar Koeroo
> >>Sent: Thursday, March 23, 2006 12:19 AM
> >>To: zhengc at sdsc.edu
> >>Cc: 'Vincenzo Ciaschini'; gin-auth at ggf.org; gin-ops at ggf.org
> >>Subject: Re: [gin-ops] Re: [gin-auth] VO name change
> >>
> >>
> >>I'll make a small doc on the current experiences.
> >>
> >> Oscar
> >>
> >>
> >>Cindy Zheng wrote:
> >>
> >>
> >>
> >>>Cool! It works!
> >>>Thank you, Oscar and Vincenzo, for the quick resolution!
> >>>
> >>>We need to document all the issues in our GIN experiment.
> >>>Since you guys know best what's going on with this,
> >>>would you mind to lead the effort to document this issue?
> >>>All suggestions and volunteers are welcome! :-)
> >>>
> >>>Thanks again,
> >>>
> >>>Cindy
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>>-----Original Message-----
> >>>>From: owner-gin-auth at ggf.org [mailto:owner-gin-auth at ggf.org]
> >>>>On Behalf Of Oscar Koeroo
> >>>>Sent: Wednesday, March 22, 2006 8:21 AM
> >>>>To: zhengc at sdsc.edu
> >>>>Cc: gin-auth at ggf.org; gin-ops at ggf.org
> >>>>Subject: Re: [gin-ops] Re: [gin-auth] VO name change
> >>>>
> >>>>
> >>>>Hi Cindy & all,
> >>>>
> >>>>We found the problem. The UID/USERID issue in the user DN is
> >>>>solved in
> >>>>the VOMS code at all places *but* not for the CA DNs.
> >>>>It is regarded odd to have a UID/USERID in the DN of the CA...
> >>>>
> >>>>So our tmp workaround is to change the stored DN for your
> >>>>
> >>>>
> >>CA. We have
> >>
> >>
> >>>>done this for you now. The problem is that the software could
> >>>>clean the
> >>>>CA list in the database and introduce a problem...
> >>>>
> >>>>A newer version of the VOMS daemon will be released and
> >>>>installed on my
> >>>>machine when this bug is ready. The problem is located
> only at the
> >>>>serverside, no need to change your clients.
> >>>>
> >>>>
> >>>>Have a go for it, though until the newer version installed I
> >>>>can't give
> >>>>you to much support on this, because it could consume to
> much of my
> >>>>(personal) time. :-)
> >>>>
> >>>>
> >>>>cheers,
> >>>>
> >>>> Oscar
> >>>>
> >>>>
> >>>>Cindy Zheng wrote:
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>>Thank you, Oscar!
> >>>>>
> >>>>>But I'm still getting the same error. Either this was not
> >>>>>the cause, or there are additional problems. Could you
> >>>>>check your log and see if any clues?
> >>>>>
> >>>>>I agree that this case is special in the sense of not
> >>>>>IGTF accredited CA. But, I think we can benefit from dealing
> >>>>>with this, either as a case of non-IGTF CA or as a case of
> >>>>>mixed GT versions. In the near term, these issues will show
> >>>>>up again as more grids joining GIN.
> >>>>>
> >>>>>I feel the same as you do - the incompatibility of the DN
> >>>>>format is annoying. I'm not a security expert. In my naive
> >>>>>opinion, it would work best if globus software can take care
> >>>>>of this somehow. I would like to hear what you and others
> >>>>>think is the best solution. Hopefully, these problems and
> >>>>>discussions can resolve to some concret recommendations or
> >>>>>work plans. Perhaps this can be one of many lessons we learn
> >>>>>thru our interoperation?
> >>>>>
> >>>>>Below is the output of voms-proxy-init. Also "grid-proxy-init",
> >>>>>just to verify my .globus setup and give you the time to
> >>>>>locate the corresponding log entries.
> >>>>>
> >>>>>[zhengc at rocks-52 ~]$ voms-proxy-init --debug --voms gin.ggf.org
> >>>>>Detected Globus version: 22
> >>>>>Unspecified proxy version, settling on Globus version: 2
> >>>>>Number of bits in key :512
> >>>>>Using configuration file /opt/glite/etc/vomses
> >>>>>Using configuration file /opt/glite/etc/vomses
> >>>>>Files being used:
> >>>>>CA certificate file: none
> >>>>>Trusted certificates directory : /etc/grid-security/certificates
> >>>>>Proxy certificate file : /home/zhengc/.globus/.proxy
> >>>>>User certificate file: /home/zhengc/.globus/usercert.pem
> >>>>>User key file: /home/zhengc/.globus/userkey.pem
> >>>>>Output to /home/zhengc/.globus/.proxy
> >>>>>Your identity: /C=US/O=SDSC/OU=SDSC/CN=Cindy Zheng/USERID=zhengc
> >>>>>Enter GRID pass phrase:
> >>>>>Creating temporary proxy to /tmp/tmp_x509up_u502_2448
> >>>>>...........++++++++++++
> >>>>>...................................++++++++++++
> >>>>>Done
> >>>>>Contacting kuiken.nikhef.nl:15050
> >>>>>[/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl]
> >>>>>
> >>>>>
> >>"gin.ggf.org"
> >>
> >>
> >>>>>Error: gin.ggf.org: User unknown to this VO.
> >>>>>[zhengc at rocks-52 ~]$ grid-proxy-init
> >>>>>Your identity: /C=US/O=SDSC/OU=SDSC/CN=Cindy Zheng/UID=zhengc
> >>>>>Enter GRID pass phrase for this identity:
> >>>>>Creating proxy ............................ Done
> >>>>>Your proxy is valid until: Wed Mar 22 04:24:18 2006
> >>>>>
> >>>>>Cindy
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>>-----Original Message-----
> >>>>>>From: owner-gin-ops at ggf.org [mailto:owner-gin-ops at ggf.org] On
> >>>>>>Behalf Of Oscar Koeroo
> >>>>>>Sent: Tuesday, March 21, 2006 2:15 AM
> >>>>>>To: Cindy Zheng
> >>>>>>Cc: gin-auth at ggf.org; gin-ops at ggf.org
> >>>>>>Subject: Re: [gin-ops] Re: [gin-auth] VO name change
> >>>>>>
> >>>>>>
> >>>>>>Hi Cindy,
> >>>>>>
> >>>>>>I now regard your registration in the VOMS db as special,
> >>>>>>with respect
> >>>>>>to the instant trust in your CA and this little change.
> >>>>>>Which means that I've updated your DN in the database with
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>the UID to
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>>>USERID substring change.
> >>>>>>
> >>>>>>It seems that it is up to the software on how they can either
> >>>>>>construct
> >>>>>>a DN to UID or USERID. According to my Google searches the
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>UID is the
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>>>prevailed string representation for that part of your
> DN in your
> >>>>>>certificate which means that something (the used software that
> >>>>>>constructs a DN from a X.509 cert to do the simple string
> >>>>>>compare) needs
> >>>>>>investigation on possible incompatibility between the two
> >>>>>>repesentations.
> >>>>>>Perhaps I'm just negatively paranoid ofcourse, but this issue
> >>>>>>could hit
> >>>>>>us again when other members would have an serialNumber or SN
> >>>>>>in their DN :-)
> >>>>>>
> >>>>>>My personal feelings towards the CAs in general is still
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>unchanged in
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>>>the matter of avoiding dubious fields like UID/USERID,
> >>>>>>emailAddress/Email and such in a DN which is used in simple
> >>>>>>stringcompare operations in numerous parts of middleware.
> >>>>>>
> >>>>>>
> >>>>>>cheers,
> >>>>>>
> >>>>>> Oscar
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>Cindy Zheng wrote:
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>>Thank you, Oscar! I agree that we should have in-depth
> >>>>>>>discussion on this issue.
> >>>>>>>Meanwhile, can we also have a temporary solution?
> >>>>>>>Since double entry does not work for your environment,
> >>>>>>>how about change UID to USERID in my DN string in your
> >>>>>>>voms db? Welcome any better ideas and solutions.
> >>>>>>>
> >>>>>>>Thanks again,
> >>>>>>>
> >>>>>>>Cindy
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>>-----Original Message-----
> >>>>>>>>From: owner-gin-ops at ggf.org [mailto:owner-gin-ops at ggf.org] On
> >>>>>>>>Behalf Of Oscar Koeroo
> >>>>>>>>Sent: Friday, March 17, 2006 6:20 PM
> >>>>>>>>To: zhengc at sdsc.edu
> >>>>>>>>Cc: gin-auth at ggf.org; gin-ops at ggf.org; Olle Mulmo; Dane Skow;
> >>>>>>>>David Groep
> >>>>>>>>Subject: [gin-ops] Re: [gin-auth] VO name change
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>Hi Cindy,
> >>>>>>>>
> >>>>>>>>I wish to help here, but this seems be a point where
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>interoperability
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>>>needs to be noted (done), fixed/solved and documented.
> >>>>>>>>I know of the existance of UID and USERID, now I know where
> >>>>>>>>my confusion
> >>>>>>>>comes from (I could remember if it was UID or USERID).
> >>>>>>>>
> >>>>>>>>I think that a double entry in the VOMS DB is not the
> way to go.
> >>>>>>>>
> >>>>>>>>Perhaps David Group, Dane Skow or Olle Mulmo can give a
> >>>>>>>>better judgement
> >>>>>>>>on what to do.
> >>>>>>>>Personally I do not like the UID/USERID option for a bit in
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>the DN of
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>>>personal certificate. Especially since it doesn't
> give you any
> >>>>>>>>identificational value if you cross a domain that has you
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>registered
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>>>differently (by their local policy).
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> Oscar
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>Cindy Zheng wrote:
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>>Thanks, Oscar, for checking!
> >>>>>>>>>
> >>>>>>>>>The DN is the same, but "seen" differently by different
> >>>>>>>>>versions of GT. GT2 formats it as USERID= and GT3&4
> >>>>>>>>>formats it as UID=. I learned this, since PRAGMA testbed
> >>>>>>>>>sites are running a mixture of GT2,3,4.
> >>>>>>>>>What we do in PRAGMA testbed is to add a DN in both format
> >>>>>>>>>in the gridmap file, so even when GT get upgraded, you
> >>>>>>>>>don't have to worry about it. Perhaps you can do the same?
> >>>>>>>>>
> >>>>>>>>>Let me know and I can then test it again.
> >>>>>>>>>
> >>>>>>>>>Our SDSC CA admin also pointed out that a signing_policy
> >>>>>>>>>file which will recognize the OID 0.9.2342.19200300.100.1.1
> >>>>>>>>>as either UID or USERID is linked off the CA web page:
> >>>>>>>>>http://www.sdsc.edu/CA/.
> >>>>>>>>>
> >>>>>>>>>Thanks,
> >>>>>>>>>
> >>>>>>>>>Cindy
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>>-----Original Message-----
> >>>>>>>>>>From: Oscar Koeroo [mailto:okoeroo at nikhef.nl]
> >>>>>>>>>>Sent: Friday, March 17, 2006 3:19 AM
> >>>>>>>>>>To: Cindy Zheng
> >>>>>>>>>>Cc: gin-auth at ggf.org; gin-ops at ggf.org
> >>>>>>>>>>Subject: Re: [gin-auth] VO name change
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>Hi,
> >>>>>>>>>>
> >>>>>>>>>>Have look at your DN
> >>>>>>>>>>
> >>>>>>>>>>/C=US/O=SDSC/OU=SDSC/CN=Cindy Zheng/USERID=zhengc
> >>>>>>>>>>
> >>>>>>>>>>and compare it to:
> >>>>>>>>>>"/C=US/O=SDSC/OU=SDSC/CN=Cindy Zheng/UID=zhengc"
> .gin.ggf.org
> >>>>>>>>>>
> >>>>>>>>>>This will never match :-)
> >>>>>>>>>>Please use only one certificate.
> >>>>>>>>>>
> >>>>>>>>>>cheers,
> >>>>>>>>>>
> >>>>>>>>>> Oscar
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>Cindy Zheng wrote:
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>>Hi, Oscar,
> >>>>>>>>>>>
> >>>>>>>>>>>I modified the VO name in the vomses file, but I get
> >>>>>>>>>>>"user unknown to this VO" when run voms-proxy-init.
> >>>>>>>>>>>Did you add SDSC cert files in the new VO server?
> >>>>>>>>>>>Or did I missed something? Here is the vomses file
> >>>>>>>>>>>and voms-proxy-init output:
> >>>>>>>>>>>
> >>>>>>>>>>>[zhengc at rocks-52 vomsdir]$ cat
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>/opt/glite/etc/vomses/gin.ggf.org
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>>>>>>>>"gin.ggf.org" "kuiken.nikhef.nl" "15050"
> >>>>>>>>>>>"/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl"
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>"gin.ggf.org"
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>>>>[zhengc at rocks-52 vomsdir]$ voms-proxy-init --debug --voms
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>gin.ggf.org
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>>>>Detected Globus version: 22
> >>>>>>>>>>>Unspecified proxy version, settling on Globus version: 2
> >>>>>>>>>>>Number of bits in key :512
> >>>>>>>>>>>Using configuration file /opt/glite/etc/vomses
> >>>>>>>>>>>Using configuration file /opt/glite/etc/vomses
> >>>>>>>>>>>Files being used:
> >>>>>>>>>>>CA certificate file: none
> >>>>>>>>>>>Trusted certificates directory :
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>/etc/grid-security/certificates
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>>>>>>>>Proxy certificate file : /home/zhengc/.globus/.proxy
> >>>>>>>>>>>User certificate file: /home/zhengc/.globus/usercert.pem
> >>>>>>>>>>>User key file: /home/zhengc/.globus/userkey.pem
> >>>>>>>>>>>Output to /home/zhengc/.globus/.proxy
> >>>>>>>>>>>Your identity: /C=US/O=SDSC/OU=SDSC/CN=Cindy
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>Zheng/USERID=zhengc
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>>>>>>>>Enter GRID pass phrase:
> >>>>>>>>>>>Creating temporary proxy to /tmp/tmp_x509up_u502_21548
> >>>>>>>>>>>.......++++++++++++
> >>>>>>>>>>>...........................................++++++++++++
> >>>>>>>>>>>Done
> >>>>>>>>>>>Contacting kuiken.nikhef.nl:15050
> >>>>>>>>>>>[/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl]
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>"gin.ggf.org"
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>>>>Error: gin.ggf.org: User unknown to this VO.
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>>-----Original Message-----
> >>>>>>>>>>>>From: owner-gin-auth at ggf.org
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>[mailto:owner-gin-auth at ggf.org]
> >>
> >>
> >>>>>>>>>>>>On Behalf Of Oscar Koeroo
> >>>>>>>>>>>>Sent: Tuesday, March 14, 2006 6:09 AM
> >>>>>>>>>>>>To: gin-auth at ggf.org
> >>>>>>>>>>>>Subject: [gin-auth] VO name change
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>Hello everybody,
> >>>>>>>>>>>>
> >>>>>>>>>>>>The GIN VO name has been change from 'GIN-GGF-ORG' to
> >>>>>>>>>>>>'gin.ggf.org' with
> >>>>>>>>>>>>the approval of the security area directroy to use the
> >>>>>>>>>>>>ggf.org domain name.
> >>>>>>>>>>>>All other configurations and registration have stayed
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>persistently.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>>>>>Which means, the same portnumbers do apply on the
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>same server
> >>
> >>
> >>>>>>>>>>>>with the
> >>>>>>>>>>>>same certificate.
> >>>>>>>>>>>>
> >>>>>>>>>>>>Though the web site as been move to:
> >>>>>>>>>>>>https://kuiken.nikhef.nl:8443/voms/gin.ggf.org/
> >>>>>>>>>>>>
> >>>>>>>>>>>>The configuration for the vomses file has change to:
> >>>>>>>>>>>>
> >>>>>>>>>>>>"gin.ggf.org" "kuiken.nikhef.nl" "15050"
> >>>>>>>>>>>>"/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl"
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>"gin.ggf.org"
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>>>And also the legacy support interface for mkgridmap
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>has also
> >>
> >>
> >>>>>>>>>>>>changed with the URL change to:
> >>>>>>>>>>>>group vomss://kuiken.nikhef.nl:8443/voms/gin.ggf.org
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>.gin.ggf.org
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>>>>>>>Oscar - /gin.ggf.org/Role=VO-Admin
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>Oscar Koeroo wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>>which means that I'll change the GIN-GGF-ORG VO name
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>to:
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>>>>>>>>>>"gin.ggf.org"
> >>>>>>>>>>>>>... if one or both security area directors approve
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>with the
> >>
> >>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>change and
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>>use of the "ggf.org" domain as a suffix to the GIN VO.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>Oscar
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>Von Welch wrote:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>>Works for me.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>Von
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>On Mar 13, 2006, at 12:42 PM, Olle Mulmo wrote:
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>FYI,
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>This was discussed (again) at two consecutive EGEE
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>meetings at CERN
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>>>>last week, ending in the draft text proposed below.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>/Olle
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>VO Naming
> >>>>>>>>>>>>>>>---------
> >>>>>>>>>>>>>>>The VO name is a string, used to represent the
> VO in all
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>interactions
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>>>>with grid software, such as in expressions of policy
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>and access
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>>>>>>>>rights.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>The VO name MUST be formatted as a subdomain name as
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>specified in
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>>>>>>>>RFC 1034 section 3.5. The VO Manager of a VO using a
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>thus-formatted
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>>>>name
> >>>>>>>>>>>>>>>MUST be entitled to the use of this name, when
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>interpreted as a
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>>>>>>>>name in the Internet Domain Name System.
> >>>>>>>>>>>>>>>This entitlement MUST stem either from a direct
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>delegation of the
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>>>>corresponding name in the Domain Name System by an
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>accredited
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>>>>>>>>>>registrar for
> >>>>>>>>>>>>>>>the next-higher level subdomain, or from a direct
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>delegation of the
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>>>>equivalent name in the Domain Name System by ICANN, or
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>from the
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>>>>>>>>consent
> >>>>>>>>>>>>>>>of the administrative or operational contact of the
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>next-higher
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>>>>>>>>equivalent
> >>>>>>>>>>>>>>>subdomain name for that VO name that itself is
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>registered
> >>
> >>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>with such an
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>>>>accredited registrar.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>Considering that RFC1034 section 3.5 states that both
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>upper case
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>>>>>>and lower
> >>>>>>>>>>>>>>>case letters are allowed, but no significance is to be
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>attached to
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>>>>the case,
> >>>>>>>>>>>>>>>but that today the software handling VO names may
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>still be case
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>>>>>>>>sensisitive,
> >>>>>>>>>>>>>>>all VO names MUST be entirely in lower case.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
>
>
More information about the gin-ops
mailing list