CA issues

[Robert Olson]

we talked this morning about setting up OpenCA or a globus SimpleCA for 
doing anonymous cert stuff, and leading up to issuing AG certs for AG 
development folk.

Question 1: Do we do OpenCA or a simple CA. Installation of OpenCA these 
days should be fairly straightforward. We have a couple machines 
(fl-raserver and fl-caserver) that I've used for experimentation on in the 
past; Ti would know state of machine juggle for those. Or we could just set 
up an outmoded machine for one or the other (they don't need to be very 
beefy at all). If we want to be really secure about it, the ca server box 
would be offnet and cert signing info would pass between the to via floppy.

In either case, we would need to create a self-signed CA cert, keep the 
private key really private, and publish the public cert (and include in the 
Globus releases we do).

--bob