[glue-wg] Endpoint.TrustedCA and ComputingEndpoint.TrustedCA Inconsistency in GFD147

Florido Paganelli florido.paganelli at hep.lu.se
Fri Nov 2 07:04:13 EDT 2012


On 2012-11-02 10:27, stephen.burke at stfc.ac.uk wrote:
> Florido Paganelli [mailto:florido.paganelli at hep.lu.se] said:
>> ARC clients use this information for selection and brokering of CEs. We used
>> to have a similar approach in NorduGrid schema. ARC infosystem is a crucial
>> part of the infrastructure, we really rely on what is published there.
>
> In practice do you have cases where some users in a VO can't use a particular
> resource because their CA is not allowed, while other users can?
>
> Stephen
>

I launched a quick survey on NorduGrid communication channels and the 
answer to your question is NO: the clusters joining well-known scientific 
experiments using grid that are part of EGI and the like do not filter.

However, I recently heard of France filtering out Iranian CAs on some 
clusters, and I am quite sure that in the US they are picky about who to trust as well.

Did you hear about that so far? I don't know how they solved it.

Then I also asked the following:

"Is it common to filter or customize the allowed CAs on several clusters?"

And the answer was YES from different sites, because of special training 
CAs that are put in place during training sessions for those who do not 
have a grid certificate and should just use selected clusters.

In the above, ARC clients would be able to submit only to those clusters 
holding the correct CA by checking TrustedCA, wherever they are, without 
the need of hardcoding the target cluster somewhere. Very nice 
autodiscovery.

In principle, in such a scenario one could have both the IGTF string AND a 
list of allowed CAs in TrustedCA.

I am, however, still puzzled about how a client should find out what 
the CAs allowed on that cluster are by just reading a plain string and not a 
DN...

Cheers,
-- 
Florido Paganelli
Lund University - Particle Physics
ARC Middleware
EMI Project
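
The selection described in the message above, as an added example that is not part of the original post and is not ARC client code: endpoints are kept only if their published TrustedCA values cover the issuer of the user's certificate. The record layout, the DNs, the `SITE-LOCAL` label and the client-side `BUNDLES` table are assumptions; a plain label such as the IGTF string can only be resolved when the client holds its own copy of that bundle's CA list, otherwise the endpoint is reported as undecided rather than selected.

```python
# Added illustration; endpoint records, DNs and bundle contents are constructed.

def norm_dn(dn):
    """Normalize an OpenSSL one-line DN: trim parts, upper-case attribute types."""
    parts = [p.strip() for p in dn.strip().split("/") if p.strip()]
    out = []
    for p in parts:
        k, _, v = p.partition("=")
        out.append(f"{k.strip().upper()}={' '.join(v.split())}")
    return "/" + "/".join(out)

def classify(endpoint, issuer_dn, local_bundles):
    """Return 'trusted', 'untrusted' or 'unknown' for one endpoint record."""
    issuer = norm_dn(issuer_dn)
    unknown = False
    for entry in endpoint.get("TrustedCA", []):
        if entry.startswith("/"):            # a CA DN: compare directly
            if norm_dn(entry) == issuer:
                return "trusted"
        elif entry in local_bundles:         # a label such as "IGTF"
            if issuer in {norm_dn(d) for d in local_bundles[entry]}:
                return "trusted"
        else:                                # label the client cannot expand
            unknown = True
    return "unknown" if unknown else "untrusted"

def select(endpoints, issuer_dn, local_bundles):
    """Split endpoints into usable ones and ones needing a manual decision."""
    usable, undecided = [], []
    for ep in endpoints:
        verdict = classify(ep, issuer_dn, local_bundles)
        if verdict == "trusted":
            usable.append(ep["ID"])
        elif verdict == "unknown":
            undecided.append(ep["ID"])
    return usable, undecided

# Constructed sample data (hypothetical CAs and clusters)
TRAINING_CA = "/DC=org/DC=example/CN=Training CA"
PROD_CA = "/DC=org/DC=example/CN=Production CA"
BUNDLES = {"IGTF": [PROD_CA]}   # client's own copy of the bundle membership
ENDPOINTS = [
    {"ID": "ce-prod", "TrustedCA": ["IGTF"]},
    {"ID": "ce-school", "TrustedCA": ["IGTF", TRAINING_CA]},
    {"ID": "ce-other", "TrustedCA": ["SITE-LOCAL"]},
]

if __name__ == "__main__":
    print(select(ENDPOINTS, TRAINING_CA, BUNDLES))
    print(select(ENDPOINTS, PROD_CA, BUNDLES))
```
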

