PR stage for SSO Basic Authentication

Guy Rixon guyrixon at gmail.com
Sat Jul 7 04:30:11 PDT 2007


Hi folks,

below are URLs for the root certificates currently used by AstroGrid  
users.

Local, community CA at IoA Cambridge:

http://ag01.ast.cam.ac.uk:8081/astrogrid.cam-community/certificates/2c8f8e16.0

This is a test community, currently with few members. Its root  
certificate is self signed. I expect to grow this community, using  
the same CA, over the next few months. It registers Cambridge users  
only.

Local, community CA for the UKIDSS consortium:

http://hempriggs.roe.ac.uk/ukidss-community/certificates/fc3426d1.0

This is a live community, managed at ROE. Its members are  
international, from those countries having access rights to the  
UKIDSS data. There are issues here regarding SSO. Clearly, a  
community for each resource doesn't work. This will get fixed over  
the next year or so, but for now the community is important to us  
since its members use it for science. It uses a local CA with a
self-signed certificate.

Old UK e-Science CA:

http://ag01.ast.cam.ac.uk:8081/astrogrid.cam-community/certificates/01621954.0

This is the PMA-affiliated CA for the UK. It used this root  
certificate up to ~2Q2007, so there may be a few EECs around that  
refer back to this. However, this root has been replaced with a newer  
certificate.

New UK e-Science CA:

http://www.grid-support.ac.uk/content/view/182/184/

Note that the new trust-anchor is in two parts: a root and a CA  
certificate. AFAIK, you need both in your store of trust anchors to  
make the chaining work.

There is no "AstroGrid" root certificate, nor is there a "EuroVO"  
root certificate. Therefore communities of AstroGrid users (and  
communities of EuroVO users who use AstroGrid software for
user-management) will tend to have local CAs with self-signed  
certificates. I expect there to be ~ 6 such communities by 4Q2007.  
There may be a couple of dozen by the end of 2008. *If* this becomes  
unsupportable *in practice*, then AstroGrid will look at the  
alternatives: either getting the community sites set up as RA for a  
grown-up PMA-approved CA (as has been done at ESO) or designating a  
regional (UK/Europe) CA inside the VO (as proposed in Roy's recent  
document). I don't want to get into these complications unless we  
really need to.

Cheers,
Guy


On 6 Jun 2007, at 16:25, Matthew Graham wrote:

> Hi,
>
> I am still intending to announce the opening of the PR stage for  
> this on June 15 (next Friday). How should we  formally demonstrate  
> interoperability of our implementations?
>
>    Cheers,
>
>    Matthew
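
The two-part trust anchor described in this message, as an added example that is not part of the original post: it builds a throwaway root, CA certificate and EEC with OpenSSL, stores the anchors under `<subject-hash>.0` names (the same form as the certificate files linked above), and checks the EEC against a store holding only the root, only the CA certificate, and both. All names, keys and paths are constructed; it assumes the `openssl` command-line tool, version 1.1.0 or later.

```shell
#!/bin/sh
# Constructed demo PKI: every name, key and path below is made up for this example.
set -eu

# Build a self-signed root, a CA certificate issued by it, and an end-entity
# certificate (EEC) issued by that CA, all inside directory $1.
make_pki() {
  d=$1
  printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' \
    '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$d/pki.cnf"
  openssl req -x509 -config "$d/pki.cnf" -extensions v3_ca -newkey rsa:2048 \
    -nodes -days 2 -subj '/O=Demo/CN=Demo Root' \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -new -config "$d/pki.cnf" -newkey rsa:2048 -nodes \
    -subj '/O=Demo/CN=Demo CA' -keyout "$d/ca.key" -out "$d/ca.csr" 2>/dev/null
  openssl x509 -req -in "$d/ca.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/pki.cnf" -extensions v3_ca -days 2 \
    -out "$d/ca.pem" 2>/dev/null
  openssl req -new -config "$d/pki.cnf" -newkey rsa:2048 -nodes \
    -subj '/O=Demo/CN=demo-user' -keyout "$d/eec.key" -out "$d/eec.csr" 2>/dev/null
  openssl x509 -req -in "$d/eec.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 2 -out "$d/eec.pem" 2>/dev/null
}

# Copy certificate $1 into trust-anchor directory $2 as <subject-hash>.0,
# the name OpenSSL looks up when it searches a -CApath directory.
install_anchor() {
  cp "$1" "$2/$(openssl x509 -noout -hash -in "$1").0"
}

# Succeed only if EEC $2 chains to a self-signed root using the anchors in $1.
chain_ok() {
  openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_pki "$work"
mkdir "$work/root-only" "$work/ca-only" "$work/both"
install_anchor "$work/root.pem" "$work/root-only"
install_anchor "$work/ca.pem"   "$work/ca-only"
install_anchor "$work/root.pem" "$work/both"
install_anchor "$work/ca.pem"   "$work/both"
for store in root-only ca-only both; do
  if chain_ok "$work/$store" "$work/eec.pem"; then result=verifies; else result=fails; fi
  echo "$store: EEC chain $result"
done
```

The CA-only store fails because OpenSSL, unless told to accept partial chains, requires the chain to end at a self-signed certificate it trusts.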


