[wg-all] Certificate updates for forge.ogf.org and www.ogf.org

Alan Sill alan.sill at ttu.edu
Fri Feb 3 19:28:23 EST 2012


Dear OGF colleagues,

You may or may not have noticed, but we have put in new high-grade  
commercial certificates from DigiCert to handle the https portions of  
access to the forge and www portions of the Open Grid Forum web  
presence.

Using secure access allows us to protect your login credentials when  
you access the user account-protected portions of our collaborative  
tools.  It also allows you to be sure you are fetching material from  
our site, and not an impostor, when you access our code repositories  
and other download features, helping to prevent the potential for OGF  
features to become an inadvertent vector for transmission of malware  
or infected code.

The web site certificates should resolve and validate in all modern  
browsers.  If you are curious, you can click on the certificate icon  
in the lower right-hand corner of any protected pages to see the steps  
used to verify us.  This means that you can delete any previously  
saved self-signed certificates for OGF if you want to (although  
leaving them in should be harmless).

We are working on documenting needed steps for allowing you to trust  
the new certificates in command-line and graphical code client tools  
for accessing the code repositories.  These vary by client, and some  
have various settings for enabling automatic validation via the usual  
"trusted CA" stores.  For now, until we have all of the details to  
share with you, there is an easy way to decide whether to add the site  
certificate for GridForge to your locally trusted list: simply visit  
https://forge.org.org in your browser and use your browser's inspection tools - typically  
accessed by clicking on the icon that indicates a trusted https site -  
to inspect the certificate and take note of its fingerprint.  This  
should match the one being presented when you access the repository.

An example for command-line subversion access is given at the end of  
this message.  (It is possible to avoid this message by making certain  
settings in your ~/.subversion/servers file, but this illustrates  
nicely how to check a fingerprint.)

We hope this helps to improve the security of your access to the OGF  
tools.  As a reminder, we are looking for volunteers to work with  
those who have stepped forward so far to join an effort to improve the  
range and type of tools used to support the IT needs of the OGF  
community.  If you are interested in helping, please send a message to  
Joel Replogle, myself or Andre Merzky, who is leading this effort.

Thanks to DigiCert for providing the new EV certs, and we welcome them  
to the Silver sponsorship level for OGF.

Alan

Alan Sill, Ph.D
Senior Scientist, High Performance Computing Center
Adjunct Professor of Physics, TTU
Vice President of Standards, Open Grid Forum

====================================================================
:  Alan Sill, Texas Tech University  Office: Drane 162, MS 4-1167  :
:  e-mail: Alan.Sill at ttu.edu   ph. 806-834-5940  fax 806-834-4358  :
====================================================================


Example with svn command line:

$ svn checkout --username (your-user-name-here) https://forge.ogf.org/svn/repos/(your-work-group-here)
Error validating server certificate for 'https://forge.ogf.org:443':
  - The certificate is not issued by a trusted authority. Use the
    fingerprint to validate the certificate manually!
Certificate information:
  - Hostname: forge.ogf.org
  - Valid: from Thu, 02 Feb 2012 06:00:00 GMT until Thu, 06 Feb 2014 18:00:00 GMT
  - Issuer: www.digicert.com, DigiCert Inc, US
  - Fingerprint: (It should put out a fingerprint here.)
(R)eject, accept (t)emporarily or accept (p)ermanently?

(Compare the fingerprint in the output to the one listed for SHA1 in  
the OGF GridForge certificate.  If they match, it should be OK to  
accept the certificate in your client.)
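
The fingerprint comparison described in the message, as an added example that is not part of the original message or of any OGF tooling: it computes a SHA-1 fingerprint from a PEM certificate and compares a value copied from a browser with one printed by a client, tolerating differences in case and separators. The function names, the two display formats and the sample bytes are assumptions made for this illustration; the sample is constructed and is not a real certificate.

```python
import hashlib
import hmac
import re
import ssl


def normalize_fingerprint(text):
    """Reduce a SHA-1 fingerprint, as a browser or svn prints it, to bare lowercase hex."""
    hexdigits = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", hexdigits):
        raise ValueError("not a 20-byte SHA-1 fingerprint: %r" % text)
    return hexdigits


def sha1_fingerprint(pem_cert):
    """SHA-1 over the DER encoding of the certificate, the value certificate viewers show."""
    return hashlib.sha1(ssl.PEM_cert_to_DER_cert(pem_cert)).hexdigest()


def fingerprints_match(reference, presented):
    """True only if both strings are well-formed and denote the same 20 bytes."""
    return hmac.compare_digest(normalize_fingerprint(reference),
                               normalize_fingerprint(presented))


def fetch_server_pem(host, port=443):
    """Fetch the certificate a server presents, without chain validation (needs network)."""
    return ssl.get_server_certificate((host, port))


# Constructed stand-in bytes, not a real certificate: the fingerprint is a hash
# of the raw DER bytes, so any byte string exercises the comparison.
CONSTRUCTED_DER = b"constructed stand-in for a DER-encoded certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(CONSTRUCTED_DER)


def demo():
    fp = sha1_fingerprint(SAMPLE_PEM)
    # Browser-style rendering: upper case, space separated (assumed format).
    from_browser = " ".join(fp[i:i + 2] for i in range(0, 40, 2)).upper()
    # svn-style rendering: lower case, colon separated (assumed format).
    from_svn = ":".join(fp[i:i + 2] for i in range(0, 40, 2))
    tampered = ("0" if from_svn[0] != "0" else "1") + from_svn[1:]
    return (fingerprints_match(from_browser, from_svn),
            fingerprints_match(from_browser, tampered))


if __name__ == "__main__":
    print(demo())  # offline; for a live check use fetch_server_pem("forge.ogf.org")
```

A truncated or otherwise malformed fingerprint raises `ValueError` rather than comparing as unequal, so a bad copy-and-paste is not mistaken for a certificate mismatch.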

