[glue-wg] Endpoint.TrustedCA and ComputingEndpoint.TrustedCA Inconsistency in GFD147
Florido Paganelli
florido.paganelli at hep.lu.se
Thu Nov 1 06:45:44 EDT 2012
Hi all,
We recently stumbled upon problems while running EMI-ES integration
tests across EMI middleware. The reason is there are different
descriptions and therefore different interpretations of the TrustedCA
attribute in Endpoint and ComputingEndpoint.
Here are the two relevant tables in GFD147:

Entity:        Endpoint
Inherits from: Entity <http://glue20.web.cern.ch/glue20/#tableEntity>
Description:   A network location having a well-defined interface and
               exposing specific service functionalities.

Attribute:     TrustedCA
Type:          DN_t <http://glue20.web.cern.ch/glue20/#b13>
Mult.:         0..*
Unit:          (none)
Description:   The Distinguished Name of a trusted Certification Authority
               (CA); i.e., certificates issued by the CA are accepted by the
               authentication process. Alternatively this may identify a
               standard bundle of accepted CAs, e.g. those accredited by the
               IGTF. Note that this does not imply that such certificates
               will be authorized to use the Endpoint
               <http://glue20.web.cern.ch/glue20/#tableEndpoint>.

Entity:        ComputingEndpoint
Inherits from: Endpoint <http://glue20.web.cern.ch/glue20/#tableEndpoint>
Description:   A network Endpoint for creating, monitoring, and controlling
               computational Activities called jobs. It MAY also be used to
               expose complementary capabilities (e.g., resource reservation
               or proxy manipulation).

Inherited Attribute: TrustedCA
Type:          DN_t <http://glue20.web.cern.ch/glue20/#b13>
Mult.:         0..*
Unit:          (none)
Description:   Distinguished name of the trusted Certification Authority
               (CA), i.e., certificates issued by the CA are accepted for
               the authentication process

I just don't understand this sentence:
"Alternatively this may identify a standard bundle of accepted CAs, e.g.
those accredited by the IGTF. Note that this does not imply that such
certificates will be authorized to use the Endpoint."
Does "This" still mean a DN or a string? In GLUE2 every attribute value
has a very well defined type, in this case DN_t. DN_t is a distinguished
name as defined by RFC4514 (http://www.ietf.org/rfc/rfc4514.txt) but how
can a DN represent a bundle of accepted CAs?
gLite middleware is using a plain string there, for example IGTF. But
IGTF is NOT a DN_t.
This was also one of the things I didn't understand in Stephen's EGI
GLUE2 profile. Can anybody comment on this?
Sometimes these GLUE2 inconsistencies make me crazy :P
-- Florido Paganelli
Lund University - Particle Physics
ARC Middleware
EMI Project
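
Added example (not part of the original post, GFD147 or any EMI middleware): a checker that tests published TrustedCA values against the RFC 4514 string grammar that DN_t refers to, showing why a bundle name such as IGTF fails the type. The function names and the sample CA names are constructed for illustration.

```python
import re

# RFC 4514 string grammar, assembled bottom-up.
DESCR = r"[A-Za-z][A-Za-z0-9-]*"                       # short names: CN, O, DC
NUMERICOID = r"(?:0|[1-9][0-9]*)(?:\.(?:0|[1-9][0-9]*))+"  # dotted OID: 2.5.4.3
PAIR = r"\\(?:[ \"#+,;<=>\\]|[0-9A-Fa-f]{2})"          # backslash escape
SPECIAL = r"\"+,;<>\\\x00"                              # never allowed unescaped
LEAD = rf"(?:[^ #{SPECIAL}]|{PAIR})"                   # no leading ' ' or '#'
MID = rf"(?:[^{SPECIAL}]|{PAIR})"
TRAIL = rf"(?:[^ {SPECIAL}]|{PAIR})"                   # no trailing ' '
STRING = rf"(?:{LEAD}(?:{MID}*{TRAIL})?)?"
HEXSTRING = r"#(?:[0-9A-Fa-f]{2})+"
AVA = rf"(?:{DESCR}|{NUMERICOID})=(?:{HEXSTRING}|{STRING})"
RDN = rf"{AVA}(?:\+{AVA})*"
DN_RE = re.compile(rf"{RDN}(?:,{RDN})*")


def is_rfc4514_dn(value: str) -> bool:
    """True if value is a non-empty RFC 4514 string-form DN."""
    return bool(value) and DN_RE.fullmatch(value) is not None


def audit_trusted_ca(values):
    """Return the published TrustedCA values that do not satisfy DN_t."""
    return [v for v in values if not is_rfc4514_dn(v)]


# Constructed sample of what an Endpoint might publish (not real CA names).
PUBLISHED = [
    "CN=Example Grid CA,O=Example Org,C=SE",    # DN
    r"CN=Example\, Root CA,DC=example,DC=org",  # DN with an escaped comma
    "2.5.4.3=Example Grid CA",                  # attribute type given as OID
    "IGTF",                                     # bundle name from the post
    "/C=SE/O=Example Org/CN=Example Grid CA",   # slash-separated, not RFC 4514
    "CN=Example Grid CA ,O=Example Org",        # unescaped trailing space
]

if __name__ == "__main__":
    for bad in audit_trusted_ca(PUBLISHED):
        print(f"not a DN_t value: {bad!r}")
```

A consumer that validates TrustedCA against DN_t in this way would reject the bundle name, while one that treats the attribute as a free string would accept it.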