Fwd: Re: CA policy for Globus CA

Robert Olson olson at mcs.anl.gov
Tue Mar 11 12:12:46 CST 2003


>Date: Tue, 11 Mar 2003 11:50:21 -0600
>From: "Douglas E. Engert" <deengert at anl.gov>
>X-Mailer: Mozilla 4.79 [en] (Windows NT 5.0; U)
>X-Accept-Language: en
>To: Robert Olson <olson at mcs.anl.gov>, security-internal at globus.org
>Subject: Re: CA policy for Globus CA
>X-Spam-Status: No, hits=0.8 required=5.0 tests=SIGNATURE_DELIM version=2.21
>X-Spam-Level:
>X-Whitelist-by-bob: yes
>
>Robert Olson wrote:
> >
> > Hi Doug -
> >
> > is the CA certificate-issuing policy available online somewhere? We're
> > curious about the details of it.
>
>No it is not. The Globus CA was designed to get people off the ground, and
>should have been shut down years ago, and so the policies were never formally
>written. Note that the CA certificate is due to expire in January, 2004,
>having been extended another year.
>We have talked from time to time on how to phase it out.
>
>The closest thing to a policy would be the statements I send
>
>
>  The Globus Project(tm) is a research project funded mostly by the U.S.
>government. It is open mostly to researchers in government and education
>institutions, but there are also some in the commercial sector. We would
>like to have the researchers identify themselves in some way with these
>institutions.
>
>  Requests for certificates must be mailed from an e-mail address which
>is associated with the name in the certificate. This means that you must
>send the e-mail from the same domain as listed in the certificate. Use
>of e-mail addresses from ISPs, for example hotmail.com, yahoo.com or 163.com,
>or from other organizations will not be accepted.
>
>  We need requests for certificates sent from a real e-mail address
>associated with your DNS domain.
>
>The OU=domain name in a user certificate is used to identify the domain of
>the user, not the domain from which the certificate was created. You can use
>the -int option of grid-cert-request to allow you to specify a different
>domain. This can be used by outside users to run grid-cert-request but
>request a domain name of their home domain, where they receive e-mail.
>
>And I send this as well in a FAQ:
>
>You can use the Globus CA, but the Globus CA issues certificates based on
>the assumption that you will be using these certificates on the internet.
>Or even if not on the internet today, the certificates could be used on the
>internet in the future. Certificate names issued by the CA must be unique.
>The Globus CA does this by adding a DNS domain to the user certificate and
>the FQDN of the host to the server certificate.
>
>The Globus CA issues certificates to e-mail addresses associated with the
>domain. This keeps someone in one organization from requesting certificates
>for another organization. You prove this association by sending the request
>and receiving the certificate using an e-mail address associated with the
>domain. (ISPs, like hotmail.com, or 163.net are not acceptable.)
>
>The domain used does not actually have to exist, but it must be a
>subdomain of your organization. For example you could use a domain like
>my.private.myuniversity.edu and send the requests from
>user at mail.myuniversity.edu.
>
> >
> > thanks,
> > --bob
>
>--
>
>  Douglas E. Engert  <DEEngert at anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444
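The sender-domain rule Doug describes, written out as an added check (example code; it is not part of the Globus CA's own tooling and not from the message above). It extracts the sender's domain, rejects the ISP/webmail domains he lists, and requires the requested OU domain to sit inside the organization-level domain of the sender's address. The public-suffix and webmail lists are constructed placeholders; a real CA would use the public suffix list and a maintained blocklist, and, as the message notes, the binding ultimately rests on the certificate being mailed back to that address, not on the From header alone.

```python
import re

# Constructed, illustrative lists (assumption, not the Globus CA's own data).
PUBLIC_SUFFIXES = {"com", "net", "org", "edu", "gov", "ac.uk", "co.uk"}
WEBMAIL_DOMAINS = {"hotmail.com", "yahoo.com", "163.com", "163.net"}


def org_domain(fqdn):
    """Return the organization-level domain: one label above a public suffix.

    mail.myuniversity.edu -> myuniversity.edu ; lab.cs.ox.ac.uk -> ox.ac.uk
    Returns None for a bare public suffix or an unknown suffix.
    """
    labels = fqdn.lower().strip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def is_subdomain_of(name, org):
    """True when name equals org or lies beneath it in DNS."""
    return name == org or name.endswith("." + org)


def check_request(sender_email, ou_domain):
    """Apply the issuance rule to one request; returns (accepted, reason)."""
    m = re.fullmatch(r"[^@\s]+@([A-Za-z0-9.-]+)", sender_email.strip())
    if not m:
        return False, "malformed sender address"
    mail_domain = m.group(1).lower()
    org = org_domain(mail_domain)
    if org is None:
        return False, "cannot determine organization for " + mail_domain
    if org in WEBMAIL_DOMAINS:
        return False, "ISP/webmail address not accepted: " + org
    ou = ou_domain.lower().strip(".")
    # The OU domain need not exist, but it must be within the organization.
    if not is_subdomain_of(ou, org):
        return False, "OU=%s is not within organization %s" % (ou, org)
    return True, "OU=%s accepted for sender in %s" % (ou, org)


if __name__ == "__main__":
    # Constructed sample requests mirroring the examples in the message.
    for sender, ou in [("user@mail.myuniversity.edu", "my.private.myuniversity.edu"),
                       ("someone@hotmail.com", "hotmail.com"),
                       ("user@mail.myuniversity.edu", "otheruniversity.edu")]:
        print(sender, ou, check_request(sender, ou))
```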



