Our SSL CA Configuration
Robert Olson
olson at mcs.anl.gov
Thu May 8 10:31:02 CDT 2003
It depends mostly on the level of trust we expect people to have in the
server. I'd argue for making them separate, if only because that is a
well-known configuration that gives a big boost in the security of the
overall system.
--bob
At 10:18 AM 5/8/2003 -0500, Ti Leggett wrote:
>Continuing on. Does anyone have strong feelings against putting the CA
>and RA on the same server? There are several things we can do to lock down
>the CA side of things, but it just makes life a little easier if we do
>this.
>
>On Wed, 2003-05-07 at 13:45, Ti Leggett wrote:
> > I'm trying to sort through the hierarchy of what we want our CA to look
> > like and what we'll be signing. Those things with (CA) are CAs and are
> > responsible for signing underneath them. Tell me if this looks correct:
> >
> > /O=Access Grid/ (CA)
> > |
> > +- /O=Access Grid/OU=Developers/
> > | |
> > | +- /O=Access Grid/OU=Developers/CN=Ti Leggett
> > |
> > +- /O=Access Grid/OU=Services/
> > | |
> > | +- /O=Access Grid/OU=Services/CN=AGNodeService/scraz.mcs.anl.gov
> > |
> > +- /O=SCGlobal2003/ (CA)
> > | |
> > | +- /O=SCGlobal2003/OU=Participant/
> > | | |
> > | | +- /O=SCGlobal2003/OU=Participant/CN=Ti Leggett/
> > | ...
> > |
> > +- /O=Access Grid Anonymous/ (CA)
> > |
> > +- /O=Access Grid Anonymous/OU=User/
> > | |
> > | + /O=Access Grid Anonymous/OU=User/CN=Anonymous User/
> > |
> > +- /O=Access Grid Anonymous/OU=Service/
> > |
> > +- /O=Access Grid Anonymous/OU=Service/CN=AGNodeService/localhost
> >
> > Is this what we're looking at?
> >
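
Added example, not part of the original thread or of any Access Grid code: a namespace check for the hierarchy quoted above, mapping each subject DN to the CA it falls under. It assumes each CA signs only subjects whose leading RDNs equal its own name; the function names and the "Example Org" subject are constructed for illustration.

```python
import re

# CA names from the hierarchy in the quoted message. Assumption: each CA
# signs only subjects whose leading RDNs equal its own name.
CA_NAMESPACES = ["/O=Access Grid", "/O=SCGlobal2003", "/O=Access Grid Anonymous"]

# An RDN starts at a "/" followed by "type=". This keeps the "/" inside
# CN=AGNodeService/scraz.mcs.anl.gov as part of the value. Limitation: a
# value that itself contains "/word=" would be split.
_RDN_START = re.compile(r"/(?=[A-Za-z][A-Za-z0-9.]*=)")


def parse_dn(dn):
    """Split a slash-separated DN into a list of (type, value) pairs."""
    dn = dn.strip()
    if not dn.startswith("/"):
        raise ValueError("DN must start with '/': %r" % dn)
    rdns = []
    for part in _RDN_START.split(dn.rstrip("/"))[1:]:
        key, _, value = part.partition("=")
        if not value:
            raise ValueError("empty value in %r" % dn)
        rdns.append((key.upper(), value))
    if not rdns:
        raise ValueError("no RDNs in %r" % dn)
    return rdns


def issuing_ca(subject_dn, namespaces=CA_NAMESPACES):
    """Return the CA namespace a subject falls under, or None."""
    subject = parse_dn(subject_dn)
    best = None
    for ns in namespaces:
        prefix = parse_dn(ns)
        # Compare whole RDNs: a string-prefix test would put
        # "/O=Access Grid Anonymous/..." under "/O=Access Grid".
        if len(subject) > len(prefix) and subject[:len(prefix)] == prefix:
            if best is None or len(prefix) > len(parse_dn(best)):
                best = ns
    return best


if __name__ == "__main__":
    for dn in ["/O=Access Grid/OU=Services/CN=AGNodeService/scraz.mcs.anl.gov",
               "/O=Access Grid Anonymous/OU=User/CN=Anonymous User/",
               "/O=Example Org/CN=Constructed Outsider"]:  # last one constructed
        print(dn, "->", issuing_ca(dn))
```
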