[glue-wg] DN format anomaly
Paul Millar
paul.millar at desy.de
Mon Feb 11 06:08:50 EST 2013
Hi Stephen,
On 02/08/2013 06:05 PM, stephen.burke at stfc.ac.uk wrote:
> glue-wg-bounces at ogf.org [mailto:glue-wg-bounces at ogf.org] On
>> Behalf Of Paul Millar said: ... and you want to base a standard on
>> this?
>
> Apparently we already have - essentially all the middleware uses it,
> including dcache as far as I remember.
Up to a point; there are file formats that use OpenSSL-format for
representing DNs, perhaps most notably the gridmap and signing_policy
files. Software, like dCache, that supports these files must support
OpenSSL-format (or, more often, use libraries that do).
So the statement "all the middleware uses it" is probably correct,
insofar as all middleware supports file formats (like signing_policy
files) that use it.
Internally, it very much depends. Support for any particular file
format isn't necessarily a strong indicator that it supports that
particular encoding internally. Within dCache, we're in the process of
moving away from Globus-specific representations in favour of
standards-based ones.
Therefore it is spurious to conclude that, since all software supports
particular file formats, they all use OpenSSL-format internally.
> I don't see much point in GLUE doing something different when all it's
> doing is publishing strings, if everything that actually *uses* DNs
> for authn and authz uses the openssl format.
First off, and I can't emphasis this enough, it's not a standard!
How does one represent a RDN value with a '/' in it? How are non-ASCII
names handled (Chinese CNs, anyone)? How are RDNs with multiple AVAs
handled? ... etc ...
How can one write a validator for GLUE2 when so much is left
unspecified. How does this foster interoperability?
Second, this argument is that of vendor lock-in.
For a variety of reasons, WLCG grid software currently suffers from a
vendor lock-in with Globus code, which uses OpenSSL-format. Rather than
use a vendor-neutral format, you advocate using a non-standard format.
Yes, it's always easier to follow the path of vendor lock-in; that's why
it works. Remaining neutral often involves putting in some extra
effort; however, it pays off in the long run.
>> Adopt a standardised format, say, one published as an RFC.
>
> An RFC for LDAP, not X509!
Note that I didn't say we keep the same RFC, rather that it must be a
published standard.
[aside, LDAP and X509 both use ASN.1 for encoding and have the same
concept of "a DistingushedName", since they both derive from X500
service model. Using an LDAP RFC isn't *so* crazy.]
I would recommend we take advice from security experts about which
standard/RFC we should use when defining the representation.
Cheers,
Paul.
More information about the glue-wg
mailing list