[glue-wg] Endpoint.TrustedCA and ComputingEndpoint.TrustedCA Inconsistency in GFD147

Florido Paganelli florido.paganelli at hep.lu.se
Fri Nov 2 05:27:00 EDT 2012


On 2012-11-01 21:01, JP Navarro wrote:
> An ideal design might be to support named collections of CAs where
> any number of services across an entire federation can reference
> these named collections.  A detailed description of what is in a
> named collections would only need to exist in one place within a
> federation.
>
> First I think it's important to confirm that we indeed have NO uses
> for this today. Does anyone know of any?
>

ARC clients heavily rely on that.
Moreover, it is bad if we don't clearly define what these strings *mean*. A 
client willing to understand what the string it finds here means must 
be able to do it in an automatic and algorithmic way. Otherwise the 
information there would be labeled as unclear/irrelevant.

Of course one can always try to "kamikaze" submit to any endpoint it 
finds. I personally don't find it very performing, and I also think it 
basically makes our contribution (GLUE2 as a pillar of infosys) useless 
if we don't clarify these things in an open and accessible way.

> Second I would propose that we open up the floor to proposed
> solutions.  Discussing a proposed solution, and even coming to a
> consensus, doesn't mean we have to change the current GLUE 2
> specification.

I agree, that's why I was proposing to fit that in rendering documents.

> The community can first try to implement a consensus
> solution, or multiple solutions, and at some future point decide
> which of these we want to integrate into a future GLUE2 revision.
>

Sounds good

> In short, we need to confirm we aren't breaking any known uses and
> implementations while we explore solutions.
>

The current situation *breaks* the EMI-ES implementation, unfortunately, 
unless we give a clear definition.

See my first post.

Cheers,
Florido.

> JP
>
> On Nov 1, 2012, at 2:50 PM, <stephen.burke at stfc.ac.uk> wrote:
>
>> JP Navarro [mailto:navarro at mcs.anl.gov] said:
>>> Could these strings be a hash of a DN?
>>
>> That wouldn't help much, the problem is the number of CAs more than
>> the length of each one.
>>
>>> How many TrustedCAs are we thinking might need to be published
>>> for each endpoint, and how much data is that really?  Do we think
>>> it would significantly impact the performance of our information
>>> systems to publish multiple collections of TrustedCA strings?
>>
>> At a quick count, I get 89 CAs and about 5 KB of data, compared
>> with about 2 KB currently in an Endpoint - and that for something
>> for which, as far as I know, we have no uses, and which would be
>> duplicated several thousand times over. For the BDII I think
>> publishing that would not make any sense.
>>
>> Stephen
>>
>


-- 
Florido Paganelli
Lund University - Particle Physics
ARC Middleware
EMI Project

