Pinging the CA-Ops group on both of the issues raised by Mike below. (Similar message on item 2 already sent to the IGTF list just now separately.)

Alan

On Nov 10, 2006, at 2:08 PM, Mike Helm wrote:
I haven't had time to get back to this for more review, but 2 things:

(1) name constraints. We need to say something about this. My understanding is that most grid middleware and many if not all applications will not be able to deal with name constraints (it's a critical extension, and most software doesn't know how to interpret it, and there are continuing problems with the PKIX interpretation rules).
I was also told recently both that OpenSSL had name constraint capability now, and that it didn't work.
I think what we need to say is that this extension cannot (must not) be used currently in Grid middleware. Perhaps that could be should not, since a "private" grid might be able to pick & control X.509 software that can cope with name constraints.
(It's also useless, except in networks of CAs, but we probably don't need to get into that.)
(2) A subscriber asks about key usage settings for client & server (this is the NS cert type extension, not the other possibility). We set both for people - in the old days in Grids, people set up one-off servers with personal certs, and so it was a "requirement". We are currently recommending not to use NS types at all; does this need refining?
Thanks, ==mwh
-- caops-wg mailing list caops-wg@ogf.org http://www.ogf.org/mailman/listinfo/caops-wg
Alan Sill, Ph.D TIGRE Senior Scientist, High Performance Computing Center Adjunct Professor of Physics TTU ==================================================================== : Alan Sill, Texas Tech University Office: Admin 233, MS 4-1167 : : e-mail: Alan.Sill@ttu.edu ph. 806-742-4350 fax 806-742-4358 : ====================================================================
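
An added example, not part of the original messages: a small lint over a DER-encoded Extensions SEQUENCE that shows the two points raised above. RFC 5280 requires a validator to reject a certificate carrying a critical extension it does not recognize, so a critical nameConstraints fails in software that lacks support for it, and an nsCertType extension is flagged as present. The `UNDERSTOOD` set models a hypothetical validator, and both byte strings are constructed for this example.

```python
NS_CERT_TYPE = "2.16.840.1.113730.1.1"
# Assumption: a hypothetical validator that understands only these extensions.
UNDERSTOOD = {"2.5.29.19", "2.5.29.15"}  # basicConstraints, keyUsage

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the DER TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        k = length & 0x7F
        length = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER contents into dotted form."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def lint_extensions(der):
    """Return [(oid, critical, finding)] for each extension in the SEQUENCE."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    pos, out = 0, []
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        _, oid_body, p = read_tlv(ext, 0)
        oid = decode_oid(oid_body)
        tag, body, _ = read_tlv(ext, p)
        critical = tag == 0x01 and body != b"\x00"  # BOOLEAN DEFAULT FALSE
        if critical and oid not in UNDERSTOOD:
            finding = "reject: unrecognized critical extension"
        elif oid == NS_CERT_TYPE:
            finding = "warn: Netscape cert type present"
        else:
            finding = "ok"
        out.append((oid, critical, finding))
    return out

# Constructed CA extensions: critical basicConstraints, critical nameConstraints.
CA_EXTS = bytes.fromhex("3030300f0603551d130101ff040530030101ff"
    "301d0603551d1e0101ff04133011a00f300d820b6578616d706c652e6f7267")
# Constructed end-entity extensions: nsCertType with client and server bits.
EE_EXTS = bytes.fromhex("3013301106096086480186f84201010404030206c0")
```
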