[glue-wg] Endpoint.TrustedCA and ComputingEndpoint.TrustedCA Inconsistency in GFD147

Florido Paganelli florido.paganelli at hep.lu.se
Fri Nov 2 05:39:00 EDT 2012


On 2012-11-01 21:49, stephen.burke at stfc.ac.uk wrote:
 > JP Navarro [mailto:navarro at mcs.anl.gov] said:
 >> First I think it's important to confirm that we indeed have NO uses
 >> for this today. Does anyone know of any?
 >

I don't like this approach of "definition by needs".
The model specifies what has to be there. If a service does not need 
that, it simply does not publish it. If the content of the information
is not clear, we must clarify it, as we (you) defined the model as well.

 > glite certainly doesn't because GLUE 1 doesn't have the information
 > at all. And it isn't an issue because in practice sites do just
 > install all the standard CAs - partly because most sites support WLCG
 > and they probably insist that all their CAs are allowed by all sites.

I don't get the point. Since you claim that such information is not 
used, I don't understand why gLite publishes it at all.
I am quite sure in fact that such information *is* used, but mostly by 
monitoring clients, checking that the IGTF string is there.

 > I can see that there could be special cases where e.g. you have a
 > site with funding specifically for national users,

These "special cases" are ARC middleware's everyday life.

 > but we shouldn't
 > need to require all sites to publish a large amount of data to
 > support that.
 >

But you know, clients would like to know which clusters to access before 
kamikaze-probing to open a secure connection to them...
So if we do not put this information in the services, clients will have 
to find out by other means... or just submitting and hoping these CAs 
are accepted.

I'd call it the "hope discovery algorithm".

 >> Discussing a proposed solution, and even coming to a consensus,
 >> doesn't mean we have to change the current GLUE 2 specification.
 >
 > The specification was intended to cover it already, so at most I
 > would say that it's a clarification. Revising the specification is
 > potentially possible, but as I've said about other things that's
 > something with a multi-year timescale which can't alter what we have
 > in production now.
 >

There is no need at all to clarify the specification, I agree; let's 
just make clear how an information consumer should react when finding 
such information.

Please explain how gLite clients understand what the TrustedCAs are 
that such a label represents, if they do. I'll be happy to produce any 
solution from that.

Cheers,
-- 
Florido Paganelli
Lund University - Particle Physics
ARC Middleware
EMI Project

