[glue-wg] Endpoint.TrustedCA and ComputingEndpoint.TrustedCA Inconsistency in GFD147
Florido Paganelli
florido.paganelli at hep.lu.se
Fri Nov 2 07:04:13 EDT 2012
On 2012-11-02 10:27, stephen.burke at stfc.ac.uk wrote:
> Florido Paganelli [mailto:florido.paganelli at hep.lu.se] said:
> > ARC clients use this information for selection and brokering of CEs. We used
> > to have a similar approach in NorduGrid schema. ARC infosystem is a crucial
> > part of the infrastructure, we really rely on what is published there.
>
> In practice do you have cases where some users in a VO can't use a particular
> resource because their CA is not allowed, while other users can?
>
> Stephen
>

I launched a quick survey on NorduGrid communication channels and the
answer to your question is NO: the clusters joining well-known scientific
experiments using grid that are part of EGI and the like do not filter.

However, I recently heard of France filtering out Iranian CAs on some
clusters, and I am quite sure in the US they are picky about whom to trust too.
Did you hear about that so far? I don't know how they solved it.

Then I also asked the following:
"Is it common to filter or customize the allowed CAs on several clusters?"
And the answer was YES from different sites, because of special training
CAs that are put in place during training sessions for those who do not
have a grid certificate and should just use selected clusters.

In the above, ARC clients would be able to submit only to those clusters
holding the correct CA by checking TrustedCA, wherever they are, without
the need of hardcoding the target cluster somewhere. Very nice
autodiscovery.

In principle, in such a scenario one could have both the IGTF string AND a
list of allowed CAs in TrustedCA.

I am, however, still puzzled about how a client should find out what
the CAs allowed on that cluster are by just reading a plain string and not a
DN...

Cheers,
--
Florido Paganelli
Lund University - Particle Physics
ARC Middleware
EMI Project
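
The TrustedCA-based selection described in the message above, as an added example that is not part of the original post and is not ARC client code. The endpoint records, IDs and CA DNs are constructed, and resolving the plain "IGTF" string against a client-side set of DNs is an assumption made for this sketch.

```python
IGTF_KEYWORD = "IGTF"  # the plain string discussed in the thread

# Assumption: the client expands the keyword from its own installed trust
# anchors, because the string alone carries no DNs. Constructed DNs.
LOCAL_IGTF_BUNDLE = {
    "/DC=org/DC=example/CN=Example Research CA",
    "/C=XX/O=ExampleGrid/CN=ExampleGrid CA 2",
}

def normalize_dn(dn):
    """OpenSSL-style '/K=V/...' DN -> tuple of (TYPE, value); None if malformed.
    Values that themselves contain '/' are not handled by this splitter."""
    parts = []
    for rdn in filter(None, dn.strip().split("/")):
        key, sep, value = rdn.partition("=")
        if not sep or not key.strip() or not value.strip():
            return None
        parts.append((key.strip().upper(), value.strip()))
    return tuple(parts) or None

def allowed_cas(trusted_ca_values, igtf_bundle):
    """Expand one endpoint's TrustedCA values into a set of normalized DNs."""
    allowed = set()
    for value in trusted_ca_values:
        if value.strip() == IGTF_KEYWORD:
            allowed |= {normalize_dn(d) for d in igtf_bundle}
        else:
            allowed.add(normalize_dn(value))
    allowed.discard(None)  # unparseable entries never match anything
    return allowed

def select_endpoints(endpoints, issuer_dn, igtf_bundle=LOCAL_IGTF_BUNDLE):
    """Return IDs of endpoints whose TrustedCA admits the user's issuing CA."""
    issuer = normalize_dn(issuer_dn)
    if issuer is None:
        return []
    # Endpoints publishing no TrustedCA are skipped: nothing to match against.
    return [ep["ID"] for ep in endpoints
            if issuer in allowed_cas(ep.get("TrustedCA") or [], igtf_bundle)]

# Constructed sample of published endpoint records.
SAMPLE_ENDPOINTS = [
    {"ID": "urn:ce:production", "TrustedCA": ["IGTF"]},
    {"ID": "urn:ce:training",
     "TrustedCA": ["IGTF", "/DC=org/DC=example/CN=Training School CA"]},
    {"ID": "urn:ce:filtered",
     "TrustedCA": ["/C=XX/O=ExampleGrid/CN=ExampleGrid CA 2"]},
    {"ID": "urn:ce:unpublished", "TrustedCA": []},
]
```

A user holding a training-CA certificate is matched only to the training cluster, without any cluster name being hardcoded on the client side.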