Our SSL CA Configuration
Ti Leggett
leggett at mcs.anl.gov
Thu May 8 10:35:26 CDT 2003
This is true, but I don't think we want to be in the full fledged CA
business and having them separate puts quite a burden on us to get CSRs
signed and I think part of this is to not only make it easier for the
end user to get a cert but also to make it easier for us to sign them.
But that's why I got the discussion going :)
On Thu, 2003-05-08 at 10:31, Robert Olson wrote:
> it depends mostly on the level of trust we expect people to have in the
> server. I'd argue for making them separate, if only because that is a
> well-known configuration that gives a big boost in the security of the
> overall system.
>
> --bob
>
> At 10:18 AM 5/8/2003 -0500, Ti Leggett wrote:
> >Continuing on. Does anyone have strong feelings against putting the CA
> >and RA on the same server? There's several things we can do to lock down
> >the CA side of things, but it just makes life a little easier if we do
> >this.
> >
> >On Wed, 2003-05-07 at 13:45, Ti Leggett wrote:
> > > I'm trying to sort through the hierarchy of what we want our CA to look
> > > like and what we'll be signing. Those things with (CA) are CA's and are
> > > responsible for signing underneath them. Tell me if this looks correct:
> > >
> > > /O=Access Grid/ (CA)
> > > |
> > > +- /O=Access Grid/OU=Developers/
> > > | |
> > > | +- /O=Access Grid/OU=Developers/CN=Ti Leggett
> > > |
> > > +- /O=Access Grid/OU=Services/
> > > | |
> > > | +- /O=Access Grid/OU=Services/CN=AGNodeService/scraz.mcs.anl.gov
> > > |
> > > +- /O=SCGlobal2003/ (CA)
> > > | |
> > > | +- /O=SCGlobal2003/OU=Participant/
> > > | | |
> > > | | +- /O=SCGlobal2003/OU=Participant/CN=Ti Leggett/
> > > | ...
> > > |
> > > +- /O=Access Grid Anonymous/ (CA)
> > > |
> > > +- /O=Access Grid Anonymous/OU=User/
> > > | |
> > > | + /O=Access Grid Anonymous/OU=User/CN=Anonymous User/
> > > |
> > > +- /O=Access Grid Anonymous/OU=Service/
> > > |
> > > +- /O=Access Grid
> > > Anonymous/OU=Service/CN=AGNodeService/localhost
> > >
> > > Is this what we're looking at?
> > >
>
More information about the ag-dev
mailing list