[glue-wg] Fwd: Re: Call for minor non-disruptive updates to GLUE 2.0
Paul Millar
paul.millar at desy.de
Mon Sep 8 11:40:04 EDT 2014
Sorry,
I mistakenly replied only to Alan, but I meant to reply to the list.
-------- Forwarded Message --------
Hi Alan,
On 08/09/14 15:25, Sill, Alan wrote:
>> On Sep 8, 2014, at 2:13 PM, Paul Millar <paul.millar at desy.de>
>> wrote:
>> 1. create a registry where people can add CA bundle along with
>> some canonical name,
>
> This type of registry, if created, would be meaningless without
> secure links to the CA bundles and an accompanying description of
> policy for each. This in fact is what the IGTF provides for each of
> its published bundles.
I'm not sure what you mean by "meaningless", but certainly the registry
entry for some CA-bundle should allow a user to navigate to the list of
certificates and a description of the bundle's policy.
(Be aware that this is not a security-related issue: the published
information only provides a hint whether or not a client's X.509
certificate is from a CA the server trusts.)
> TACAR maintains a list of individual CAs along with secure links to
> download their individual CA trust anchor files, but only for a
> subset of academic CAs.
>
> I suggest generic language that refers to both as examples.
My point is that we shouldn't include these kinds of examples; they
point to a problem in the GLUE document that can be fixed for GLUE 2.1.
The problem is that we (the people writing GLUE 2.x documents) might
know what "IGTF-SLCS" should mean but unless it's written down we risk:
a. someone will use an incompatible value to refer to
the same thing ("igtf slcs", "urn:ogf:glue:ca-bundles:igtf:slcs",
...)
b. someone won't understand what "IGTF-SLCS" means.
HTH,
Paul.