[glue-wg] Endpoint.TrustedCA and ComputingEndpoint.TrustedCA Inconsistency in GFD147

JP Navarro navarro at mcs.anl.gov
Thu Nov 1 16:01:04 EDT 2012


An ideal design might be to support named collections of CAs where any number of services across an entire federation can reference these named collections.  A detailed description of what is in a named collection would only need to exist in one place within a federation.

First I think it's important to confirm that we indeed have NO uses for this today. Does anyone know of any?

Second I would propose that we open up the floor to proposed solutions.  Discussing a proposed solution, and even coming to a consensus, doesn't mean we have to change the current GLUE 2 specification.  The community can first try to implement a consensus solution, or multiple solutions, and at some future point decide which of these we want to integrate into a future GLUE2 revision.

In short, we need to confirm we aren't breaking any known uses and implementations while we explore solutions.

JP

On Nov 1, 2012, at 2:50 PM, <stephen.burke at stfc.ac.uk> wrote:

> JP Navarro [mailto:navarro at mcs.anl.gov] said:
>> Could these strings be a hash of a DN?
> 
> That wouldn't help much, the problem is the number of CAs more than the length of each one.
> 
>> How many TrustedCAs are we thinking might need to be published for each
>> endpoint, and how much data is that really?  Do we think it would
>> significantly impact the performance of our information systems to publish
>> multiple collections of TrustedCA strings?
> 
> At a quick count, I get 89 CAs and about 5 KB of data, compared with about 2 KB currently in an Endpoint - and that for something for which, as far as I know, we have no uses, and which would be duplicated several thousand times over. For the BDII I think publishing that would not make any sense.
> 
> Stephen
> 


