Scott Rea writes:
Using AKI is definitely recommended for Bridging - it makes it easier to discover appropriate paths. The SURA documentation is not advising against this, they are in fact recommending that you do use it - but use the keyid version rather than the dirname version.
I believe we are (or should be) recommending the same thing in the profile; the directory name version usage has led to problems with CA key rollover.
AKI can be populated with multiple values; SURA recommends that you simply use the keyid value only, as this works with the bridge and the Globus software as they have configured it.
Regards, -Scott
Mike 'Mike' Jones wrote:
Hi folks,
I've just been asked to add an LSU grid certificate to one of our servers. We sometimes do things like this as a special case reading the CP/CPS where available. However, that's not the point of this email!
Poking around the web for details of the "/O=Louisiana State University/OU=CCT/OU=ca.cct.lsu.edu/CN=CCT CA" Certificate Authority I came across the SURAgrid bridge CA. In their documentation they advise _against_ using the Authority Key Identifier (for obvious reasons). The Grid Certificate Profile draft currently recommends that AKID be used (table in section 2.4). Might it be appropriate for us to add a note that by doing this one essentially removes the possibility for joining a bridging scheme such as https://www.pki.virginia.edu/nmi-bridge/ ?
Cheers, Mike
-- caops-wg mailing list caops-wg@ogf.org http://www.ogf.org/mailman/listinfo/caops-wg
-- Scott Rea Director, HEBCA|USHER Operating Authority Dartmouth Senior PKI Architect Peter Kiewit Computing Services Dartmouth College 058 Sudikoff, HB 6238 Hanover, NH 03755
Em: Scott.Rea@Dartmouth.edu Ph#(603) 646-0968 Ot#(603) 646-9181 Fx#(603) 646-9019 Ce#(603) 252-7339
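The point Scott and Mike are discussing (keyid-form AKI survives bridge cross-certification and CA key rollover, the issuer-name+serial form does not) can be reproduced with a few constructed certificates. The following is an added example, not code from the thread, SURAgrid or Globus; it uses the pyca/cryptography library, invents all CA and host names, and assumes the path builder applies the usual matching rules (issuer name equals candidate subject; AKI keyid must equal the candidate's SKI; AKI issuer+serial must equal the candidate certificate's own issuer and serial). A member CA is cross-certified by a bridge (same key, different issuer and serial) and later rolls its key, publishing an "old key signed by new key" certificate; host certificates issued with each AKI form are then resolved against three relying-party trust stores.

```python
"""AKI keyid vs issuer+serial (dirName) form under bridging and CA key rollover.
Added example, not from the mailing list; all names and serials are constructed."""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.datetime.now(datetime.timezone.utc)


def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def ski_of(key):
    return x509.SubjectKeyIdentifier.from_public_key(key.public_key())


def issue(subject, subject_key, issuer_cert, issuer_key, serial, aki_form, ca):
    """Sign a certificate with issuer_key. issuer_cert=None means self-signed (no AKI).
    aki_form "keyid":   AKI carries only the issuer's key identifier.
    aki_form "dirname": AKI carries authorityCertIssuer (the name of the CA that issued the
                        issuer's own certificate) plus that certificate's serial number."""
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer_cert.subject if issuer_cert is not None else subject)
        .public_key(subject_key.public_key())
        .serial_number(serial)
        .not_valid_before(NOW - datetime.timedelta(days=1))
        .not_valid_after(NOW + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
        .add_extension(ski_of(subject_key), critical=False)
    )
    if issuer_cert is not None:
        if aki_form == "keyid":
            aki = x509.AuthorityKeyIdentifier(key_identifier=ski_of(issuer_key).digest,
                                              authority_cert_issuer=None,
                                              authority_cert_serial_number=None)
        else:
            aki = x509.AuthorityKeyIdentifier(key_identifier=None,
                                              authority_cert_issuer=[x509.DirectoryName(issuer_cert.issuer)],
                                              authority_cert_serial_number=issuer_cert.serial_number)
        builder = builder.add_extension(aki, critical=False)
    return builder.sign(issuer_key, hashes.SHA256())


def candidate_issuers(cert, pool):
    """Path-discovery step: the pool members that can act as cert's issuer under the
    assumed matching rules, with the signature verified under the candidate's key."""
    try:
        aki = cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value
    except x509.ExtensionNotFound:
        aki = None
    found = []
    for cand in pool:
        if cand.subject != cert.issuer:
            continue
        if aki is not None and aki.key_identifier is not None:
            try:
                ski = cand.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
            except x509.ExtensionNotFound:
                continue
            if ski.digest != aki.key_identifier:
                continue
        if aki is not None and aki.authority_cert_serial_number is not None:
            names = [g.value for g in aki.authority_cert_issuer if isinstance(g, x509.DirectoryName)]
            if cand.issuer not in names or cand.serial_number != aki.authority_cert_serial_number:
                continue
        try:
            cand.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                     ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            continue
        found.append(cand)
    return found


def scenario():
    """Constructed PKI: member CA, bridge cross-cert, member key rollover. Returns, per
    AKI form and trust store, the serials of the issuer certificates that were found."""
    bridge_key, member_key, member_key2, host_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
    bridge_root = issue(name("Example Bridge CA"), bridge_key, None, bridge_key, 1, None, True)
    member_self = issue(name("Example Member CA"), member_key, None, member_key, 1, None, True)
    # Bridge cross-certifies the member CA: same member key, but issuer=bridge and a new serial.
    cross = issue(name("Example Member CA"), member_key, bridge_root, bridge_key, 4711, "keyid", True)
    # Member CA rolls its key: new self-signed cert, plus "old key signed by new key" (serial 5).
    member_new = issue(name("Example Member CA"), member_key2, None, member_key2, 3, None, True)
    old_with_new = issue(name("Example Member CA"), member_key, member_new, member_key2, 5, "keyid", True)
    host = {
        "keyid": issue(name("host.example"), host_key, member_self, member_key, 100, "keyid", False),
        "dirname": issue(name("host.example"), host_key, member_self, member_key, 101, "dirname", False),
    }
    stores = {"local": [member_self], "bridge": [bridge_root, cross], "rollover": [member_new, old_with_new]}
    return {f"{form}/{store}": [c.serial_number for c in candidate_issuers(host[form], certs)]
            for form in host for store, certs in stores.items()}


if __name__ == "__main__":
    for key, serials in scenario().items():
        print(f"{key:18} issuer serials found: {serials}")
```

Both forms resolve against the member CA's own trust store, but only the keyid form finds the bridge's cross-certificate (serial 4711) or the post-rollover "old with new" certificate (serial 5); the dirName form pins the original self-signed certificate's serial and therefore matches nothing a bridge or a rolled-over CA publishes, which is the failure mode both messages describe. Run the block directly to print the six results.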