Our SSL CA Configuration
Robert Olson
olson at mcs.anl.gov
Thu May 8 10:47:57 CDT 2003
If we put it on the net we may as well make it the same machine.
At 10:44 AM 5/8/2003 -0500, Ti Leggett wrote:
>Just thinking. If we do go with separate machines, can we at least make
>the CA side on the net to get rid of the walking/floppy hassle?
>
>On Thu, 2003-05-08 at 10:35, Ti Leggett wrote:
> > This is true, but I don't think we want to be in the full fledged CA
> > business and having them separate puts quite a burden on us to get CSRs
> > signed and I think part of this is to not only make it easier for the
> > end user to get a cert but also to make it easier for us to sign them.
> > But that's why I got the discussion going :)
> >
> > On Thu, 2003-05-08 at 10:31, Robert Olson wrote:
> > > it depends mostly on the level of trust we expect people to have in the
> > > server. I'd argue for making them separate, if only because that is a
> > > well-known configuration that gives a big boost in the security of the
> > > overall system.
> > >
> > > --bob
> > >
> > > At 10:18 AM 5/8/2003 -0500, Ti Leggett wrote:
> > > >Continuing on. Does anyone have strong feelings against putting the CA
> > > >and RA on the same server? There's several things we can do to lock down
> > > >the CA side of things, but it just makes life a little easier if we do
> > > >this.
> > > >
> > > >On Wed, 2003-05-07 at 13:45, Ti Leggett wrote:
> > > > > I'm trying to sort through the hierarchy of what we want our CA
> to look
> > > > > like and what we'll be signing. Those things with (CA) are CA's
> and are
> > > > > responsible for signing underneath them. Tell me if this looks
> correct:
> > > > >
> > > > > /O=Access Grid/ (CA)
> > > > > |
> > > > > +- /O=Access Grid/OU=Developers/
> > > > > | |
> > > > > | +- /O=Access Grid/OU=Developers/CN=Ti Leggett
> > > > > |
> > > > > +- /O=Access Grid/OU=Services/
> > > > > | |
> > > > > | +- /O=Access Grid/OU=Services/CN=AGNodeService/scraz.mcs.anl.gov
> > > > > |
> > > > > +- /O=SCGlobal2003/ (CA)
> > > > > | |
> > > > > | +- /O=SCGlobal2003/OU=Participant/
> > > > > | | |
> > > > > | | +- /O=SCGlobal2003/OU=Participant/CN=Ti Leggett/
> > > > > | ...
> > > > > |
> > > > > +- /O=Access Grid Anonymous/ (CA)
> > > > > |
> > > > > +- /O=Access Grid Anonymous/OU=User/
> > > > > | |
> > > > > | + /O=Access Grid Anonymous/OU=User/CN=Anonymous User/
> > > > > |
> > > > > +- /O=Access Grid Anonymous/OU=Service/
> > > > > |
> > > > > +- /O=Access Grid
> > > > > Anonymous/OU=Service/CN=AGNodeService/localhost
> > > > >
> > > > > Is this what we're looking at?
> > > > >
> > >
> >
More information about the ag-dev
mailing list