[wg-all] Certificate updates for forge.ogf.org and www.ogf.org
Alan Sill
alan.sill at ttu.edu
Fri Feb 3 19:28:23 EST 2012
Dear OGF colleagues,
You may or may not have noticed, but we have put in new high-grade
commercial certificates from DigiCert to handle the https portions of
access to the forge and www portions of the Open Grid Forum web
presence.
Using secure access allows us to protect your login credentials when
you access the user account-protected portions of our collaborative
tools. It also allows you to be sure you are fetching material from
our site, and not an impostor, when you access our code repositories
and other download features, helping to prevent the potential for OGF
features to become an inadvertent vector for transmission of malware
or infected code.
The web site certificates should resolve and validate in all modern
browsers. If you are curious, you can click on the certificate icon
in the lower right-hand corner of any protected pages to see the steps
used to verify us. This means that you can delete any previously
saved self-signed certificates for OGF if you want to (although
leaving them in should be harmless).
We are working on documenting needed steps for allowing you to trust
the new certificates in command-line and graphical code client tools
for accessing the code repositories. These vary by client, and some
have various settings for enabling automatic validation via the usual
"trusted CA" stores. For now, until we have all of the details to
share with you, there is an easy way to decide whether to add the site
certificate for GridForge to your locally trusted list: simply visit https://forge.org.org
in your browser and use your browser's inspection tools - typically
accessed by clicking on the icon that indicates a trusted https site -
to inspect the certificate and take note of its fingerprint. This
should match the one being presented when you access the repository.
An example for command-line subversion access is given at the end of
this message. (It is possible to avoid this message by making certain
settings in your ~/.subversion/servers file, but this illustrates
nicely how to check a fingerprint.)
We hope this helps to improve the security of your access to the OGF
tools. As a reminder, we are looking for volunteers to work with
those who have stepped forward so far to join an effort to improve the
range and type of tools used to support the IT needs of the OGF
community. If you are interested in helping, please send a message to
Joel Replogle, myself or Andre Merzky, who is leading this effort.
Thanks to DigiCert for providing the new EV certs, and we welcome them
to the Silver sponsorship level for OGF.
Alan
Alan Sill, Ph.D
Senior Scientist, High Performance Computing Center
Adjunct Professor of Physics, TTU
Vice President of Standards, Open Grid Forum
====================================================================
: Alan Sill, Texas Tech University Office: Drane 162, MS 4-1167 :
: e-mail: Alan.Sill at ttu.edu ph. 806-834-5940 fax 806-834-4358 :
====================================================================
Example with svn command line:
$ svn checkout --username (your-user-name-here) https://forge.ogf.org/svn/repos/(your-work-group-here)
Error validating server certificate for 'https://forge.ogf.org:443':
- The certificate is not issued by a trusted authority. Use the
fingerprint to validate the certificate manually!
Certificate information:
- Hostname: forge.ogf.org
- Valid: from Thu, 02 Feb 2012 06:00:00 GMT until Thu, 06 Feb 2014 18:00:00 GMT
- Issuer: www.digicert.com, DigiCert Inc, US
- Fingerprint: (It should put out a fingerprint here.)
(R)eject, accept (t)emporarily or accept (p)ermanently?
(Compare the fingerprint in the output to the one listed for SHA1 in
the OGF GridForge certificate. If they match, it should be OK to
accept the certificate in your client.)
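
The fingerprint comparison described in the message above, as an added example (not part of the original post and not OGF's own tooling). All function names are hypothetical, and SAMPLE_PEM is a constructed stand-in rather than the real forge.ogf.org certificate.

```python
import hashlib
import hmac
import re
import ssl


def sha1_fingerprint(pem_cert: str) -> str:
    """SHA-1 over the certificate's DER bytes, printed aa:bb:... like svn."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    digest = hashlib.sha1(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fingerprint: str) -> str:
    """Drop colons, spaces and case so browser and svn renderings compare equal."""
    hex_only = re.sub(r"[\s:]", "", fingerprint).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", hex_only):
        # Catches a SHA-256 value or a truncated paste being compared by mistake.
        raise ValueError("not a SHA-1 fingerprint (expected 40 hex digits)")
    return hex_only


def fingerprints_match(from_browser: str, from_client: str) -> bool:
    """True only if both strings name the same 20-byte SHA-1 digest."""
    return hmac.compare_digest(normalize(from_browser), normalize(from_client))


def fetch_pem(host: str, port: int = 443) -> str:
    """Fetch the server's leaf certificate (needs network access).

    The fetch itself performs no chain validation, so its fingerprint is only
    meaningful when compared with one read from a browser that did validate.
    """
    return ssl.get_server_certificate((host, port))


# Constructed sample: arbitrary bytes wrapped as PEM so the example runs offline.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed sample bytes, not a real certificate")

if __name__ == "__main__":
    shown_by_client = sha1_fingerprint(SAMPLE_PEM)              # svn-style rendering
    shown_by_browser = shown_by_client.upper().replace(":", " ")  # browser-style
    print("client :", shown_by_client)
    print("browser:", shown_by_browser)
    print("match  :", fingerprints_match(shown_by_browser, shown_by_client))
```

To check the live site, pass the output of fetch_pem("forge.ogf.org") to sha1_fingerprint() and compare it with the SHA1 value your browser shows.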