Our SSL CA Configuration

Robert Olson olson at mcs.anl.gov
Thu May 8 10:47:57 CDT 2003


If we put it on the net we may as well make it the same machine.

At 10:44 AM 5/8/2003 -0500, Ti Leggett wrote:
>Just thinking. If we do go with separate machines, can we at least make
>the CA side on the net to get rid of the walking/floppy hassle?
>
>On Thu, 2003-05-08 at 10:35, Ti Leggett wrote:
> > This is true, but I don't think we want to be in the full fledged CA
> > business and having them separate puts quite a burden on us to get CSRs
> > signed and I think part of this is to not only make it easier for the
> > end user to get a cert but also to make it easier for us to sign them.
> > But that's why I got the discussion going :)
> >
> > On Thu, 2003-05-08 at 10:31, Robert Olson wrote:
> > > it depends mostly on the level of trust we expect people to have in the
> > > server. I'd argue for making them separate, if only because that is a
> > > well-known configuration that gives a big boost in the security of the
> > > overall system.
> > >
> > > --bob
> > >
> > > At 10:18 AM 5/8/2003 -0500, Ti Leggett wrote:
> > > >Continuing on. Does anyone have strong feelings against putting the CA
> > > >and RA on the same server? There's several things we can do to lock down
> > > >the CA side of things, but it just makes life a little easier if we do
> > > >this.
> > > >
> > > >On Wed, 2003-05-07 at 13:45, Ti Leggett wrote:
> > > > > I'm trying to sort through the hierarchy of what we want our CA to look
> > > > > like and what we'll be signing. Those things with (CA) are CA's and are
> > > > > responsible for signing underneath them. Tell me if this looks correct:
> > > > >
> > > > > /O=Access Grid/ (CA)
> > > > >   |
> > > > >   +- /O=Access Grid/OU=Developers/
> > > > >   |  |
> > > > >   |  +- /O=Access Grid/OU=Developers/CN=Ti Leggett
> > > > >   |
> > > > >   +- /O=Access Grid/OU=Services/
> > > > >   |  |
> > > > >   |  +- /O=Access Grid/OU=Services/CN=AGNodeService/scraz.mcs.anl.gov
> > > > >   |
> > > > >   +- /O=SCGlobal2003/ (CA)
> > > > >   |  |
> > > > >   |  +- /O=SCGlobal2003/OU=Participant/
> > > > >   |  |  |
> > > > >   |  |  +- /O=SCGlobal2003/OU=Participant/CN=Ti Leggett/
> > > > >   |  ...
> > > > >   |
> > > > >   +- /O=Access Grid Anonymous/ (CA)
> > > > >      |
> > > > >      +- /O=Access Grid Anonymous/OU=User/
> > > > >      |  |
> > > > >      |  +- /O=Access Grid Anonymous/OU=User/CN=Anonymous User/
> > > > >      |
> > > > >      +- /O=Access Grid Anonymous/OU=Service/
> > > > >         |
> > > > >         +- /O=Access Grid Anonymous/OU=Service/CN=AGNodeService/localhost
> > > > >
> > > > > Is this what we're looking at?
> > > > >
> > >
> >
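The hierarchy sketched in the quoted message, turned into a policy check. This is an added example, not code from this thread or from the Access Grid project. The DNs are the ones in the sketch; everything else is assumed: the OU-only entries (such as /O=Access Grid/OU=Developers/) are read as naming containers rather than certificates, and "responsible for signing underneath them" is read as three rules in the spirit of X.509 basicConstraints and directory-name constraints: only "(CA)" nodes issue, an end-entity DN stays inside its issuer's DN namespace, and an end-entity DN ends in a CN. Sub-CAs are exempt from the namespace rule because the sketch places /O=SCGlobal2003/ under /O=Access Grid/. The parser also copes with the Globus-style service names (CN=AGNodeService/scraz.mcs.anl.gov), whose value contains the DN separator.

```python
"""Issuing-policy check for the CA hierarchy sketched in the thread.

Added example, not code from the thread or the Access Grid project. DNs
come from Ti Leggett's sketch; the rules (only "(CA)" nodes issue, an
end-entity DN stays inside its issuer's namespace and ends in a CN) are
an assumed reading of "responsible for signing underneath them".
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

RDN = Tuple[str, str]


def parse_dn(dn: str) -> Tuple[RDN, ...]:
    """Parse an OpenSSL one-line DN into ordered (attribute, value) pairs.
    A segment without "=" (the host part of "CN=AGNodeService/host") is
    a continuation of the previous value, not a malformed RDN."""
    rdns: List[RDN] = []
    for segment in dn.strip("/").split("/"):
        if not segment:
            continue
        if "=" in segment:
            attr, value = segment.split("=", 1)
            rdns.append((attr.strip(), value.strip()))
        elif rdns:
            attr, value = rdns[-1]
            rdns[-1] = (attr, value + "/" + segment)
        else:
            raise ValueError(f"malformed DN: {dn!r}")
    return tuple(rdns)


@dataclass
class Node:
    """kind: "ca" (issuing cert), "leaf" (end-entity cert) or "group" (an
    OU container that names a subtree but is not itself a certificate)."""
    dn: str
    kind: str = "leaf"
    children: List["Node"] = field(default_factory=list)


def check_cert(node: Node, issuer: Optional[Node]) -> List[str]:
    """Policy violations for one certificate, given its issuer."""
    problems: List[str] = []
    rdns = parse_dn(node.dn)
    if issuer is None:  # the self-signed root
        return [] if node.kind == "ca" else [f"{node.dn}: self-signed but not a CA"]
    if issuer.kind != "ca":
        problems.append(f"{node.dn}: issued by non-CA {issuer.dn}")
    if node.kind == "leaf":
        issuer_rdns = parse_dn(issuer.dn)
        if rdns[:len(issuer_rdns)] != issuer_rdns:
            problems.append(f"{node.dn}: outside issuer namespace {issuer.dn}")
        if not rdns or rdns[-1][0] != "CN":
            problems.append(f"{node.dn}: end-entity DN does not end in a CN")
    return problems


def audit(tree: Node) -> List[str]:
    """Walk the hierarchy and collect every violation."""
    problems: List[str] = []

    def walk(node: Node, issuer: Optional[Node]) -> None:
        if node.kind != "group":
            problems.extend(check_cert(node, issuer))
        # A CA issues its children; a group passes its CA down; a leaf is
        # handed on as issuer so anything beneath it gets flagged.
        next_issuer = issuer if node.kind == "group" else node
        for child in node.children:
            walk(child, next_issuer)

    walk(tree, None)
    return problems


def build_tree() -> Node:
    """The hierarchy as sketched in the thread."""
    return Node("/O=Access Grid/", "ca", [
        Node("/O=Access Grid/OU=Developers/", "group", [
            Node("/O=Access Grid/OU=Developers/CN=Ti Leggett")]),
        Node("/O=Access Grid/OU=Services/", "group", [
            Node("/O=Access Grid/OU=Services/CN=AGNodeService/scraz.mcs.anl.gov")]),
        Node("/O=SCGlobal2003/", "ca", [
            Node("/O=SCGlobal2003/OU=Participant/", "group", [
                Node("/O=SCGlobal2003/OU=Participant/CN=Ti Leggett/")])]),
        Node("/O=Access Grid Anonymous/", "ca", [
            Node("/O=Access Grid Anonymous/OU=User/", "group", [
                Node("/O=Access Grid Anonymous/OU=User/CN=Anonymous User/")]),
            Node("/O=Access Grid Anonymous/OU=Service/", "group", [
                Node("/O=Access Grid Anonymous/OU=Service/CN=AGNodeService/localhost")])]),
    ])


def build_bad_tree() -> Node:
    """Constructed counter-example (not from the thread): three violations."""
    return Node("/O=Access Grid/", "ca", [
        Node("/O=Somewhere Else/CN=Stranger"),  # outside the issuer's namespace
        Node("/O=Access Grid/OU=Services/"),  # end-entity DN with no CN
        Node("/O=Access Grid/OU=Developers/CN=Ti Leggett", "leaf", [
            Node("/O=Access Grid/OU=Developers/CN=Ti Leggett/CN=Laptop")]),  # issued by a leaf
    ])
```

Running `audit(build_tree())` on the sketch returns no violations; `audit(build_bad_tree())` reports the three constructed ones (a subject outside its issuer's namespace, an end-entity DN without a CN, and a certificate issued by a non-CA). The same three rules are what the real CA configuration would enforce through basicConstraints on the CA certificates and a signing policy that rejects CSRs whose subject falls outside the issuing CA's O/OU prefix.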