[glue-wg] Endpoint.TrustedCA and ComputingEndpoint.TrustedCA Inconsistency in GFD147

Florido Paganelli florido.paganelli at hep.lu.se
Thu Nov 1 09:13:59 EDT 2012


Hi Stephen, all

On 2012-11-01 13:25, stephen.burke at stfc.ac.uk wrote:
> glue-wg-bounces at ogf.org [mailto:glue-wg-bounces at ogf.org] On Behalf Of
> Florido Paganelli said:
>> We recently stumbled upon problems while running EMI-ES integration
>> tests across EMI middleware. The reason is there are different
>> descriptions and therefore different interpretations of the
>> TrustedCA attribute in Endpoint and ComputingEndpoint.
>
> Probably the text for Endpoint was updated but not copied to
> ComputingEndpoint - the Endpoint text is correct. The basic point is
> that publishing every CA for every Endpoint would be a huge data
> volume, and in practice I think we have no clients that use it. Also
> the majority of Grid sites use a completely standard set of CAs so
> most of the information would be duplicated.
>
>> Does "This" still mean a DN or a string?
>
> It means a string used as a reserved word - "IGTF" in this case.
>

This is very bad.
How is a client/consumer supposed to know this?

How can we solve this with respect to the DN_t type in the specification
(which is "clearly unclear")? Recommendations in the renderings?

>> Sometimes these GLUE2 inconsistencies make me crazy :P
>
> If you expect absolutely precise definitions of everything I suggest
> you stop working in Grids ...
>

Forget about it. I will *not* stop working on grid and fight to make it
precise and useful, if not defined so. And that might happen even if I 
am not paid for it.

So, coming back to the topic:
Let's say there is a recommendation in the renderings that says to
put a string there, overriding the GFD147 specs.

Say you have this reserved word there: IGTF. How is a third party
client supposed to know the meaning of it? Where to look for such
strings? What kind of algorithm to deduce which are the CAs entitled?

Note: The type of TrustedCA is currently not even an open enumeration.

A solution might be to change the type of this attribute in the
realization documents to have an open enumeration that clearly defines 
what are the CAs entitled.

But then we face a second problem, for example in case of IGTF, the CAs
allowed might change frequently and dynamically. So far the open
enumerations we have are mostly static. Can it be done leveraging CRLs?

Any idea?

Thanks
-- 
Florido Paganelli
Lund University - Particle Physics
ARC Middleware
EMI Project

