
On 2012-11-01 21:49, stephen.burke@stfc.ac.uk wrote:
JP Navarro [mailto:navarro@mcs.anl.gov] said:
First I think it's important to confirm that we indeed have NO uses for this today. Does anyone know of any?
I don't like this approach of "definition by needs". The model specifies what has to be there. If a service does not need that, it simply does not publish it. If the content of the information is not clear, we must clarify it, as we (you) defined the model as well.
glite certainly doesn't because GLUE 1 doesn't have the information at all. And it isn't an issue because in practice sites do just install all the standard CAs - partly because most sites support WLCG and they probably insist that all their CAs are allowed by all sites.
I don't get the point. Since you claim that such information is not used, I don't understand why gLite publishes it at all. I am quite sure in fact that such information *is* used, but mostly by monitoring clients, checking that the IGTF string is there.
I can see that there could be special cases where e.g. you have a site with funding specifically for national users,
These "special cases" are ARC middleware's everyday life.
but we shouldn't need to require all sites to publish a large amount of data to support that.
But you know, clients would like to know which clusters to access before kamikaze-probing to open a secure connection to them... So if we do not put this information in the services, clients will have to find out by other means... or just submitting and hoping these CAs are accepted. I'd call it the "hope discovery algorithm".
Discussing a proposed solution, and even coming to a consensus, doesn't mean we have to change the current GLUE 2 specification.
The specification was intended to cover it already, so at most I would say that it's a clarification. Revising the specification is potentially possible, but as I've said about other things that's something with a multi-year timescale which can't alter what we have in production now.
There is no need at all to clarify the specification, I agree; let's just make clear how an information consumer should react when finding such information. Please explain how gLite clients understand which TrustedCAs such a label represents, if they do. I'll be happy to produce any solution from that.

Cheers,
--
Florido Paganelli
Lund University - Particle Physics
ARC Middleware
EMI Project