Our SSL CA Configuration

Ti Leggett leggett at mcs.anl.gov
Thu May 8 10:59:59 CDT 2003


I'm just throwing ideas out on how to make it easier on us because I
think if we don't think about it, it will be a great big hassle. Here are
some numbers. It takes about 1.5-2 mins to write the CSRs to a floppy.
It takes about 1.5-2 mins to walk to the BMR and get the floppy. It
takes another 1.5-2 mins to read the CSRs from the floppy. It takes
about 1-2 mins per CSR to sign. It takes about a minute to send the
email notifying of signed certs. Taking the worst case scenario that the
RA server is in the BMR and the CA is in my office and you have one CSR
to sign.

2 mins to approve the req and write to floppy
2 mins to walk to BMR to get floppy
2 mins to walk to the CA
2 mins to read the floppy data
2 mins to sign the CSR
2 mins to write the cert to floppy
2 mins to walk to BMR
2 mins to read the data off of floppy
1 min to email cert approval
17 mins for full process

Now consider that we say we'll sign certs in 2 days and worst case
scenario. Everyone on the AG Dev team requests 1 user cert every 2 days.
We're constantly walking to the BMR to sign these certs. That's not
including that many people will be generating service certs for their
laptops and host and service certs for their nodes. Considering we have
100 sites right now that's at most 500 service certs alone (assuming all
hundred are 4 machine nodes) not including 100 node ops + any users at
those sites that want certs as well. These will trickle in, based on
what I've seen, at about 3-4 CSRs a day. I just think it's too much
overhead on our part to go through all this when we're saying certs we
sign aren't to be trusted as gospel anyway. Just my 2c.

p.s.
This problem affects any CA solution we go with.

On Thu, 2003-05-08 at 10:47, Robert Olson wrote:
> If we put it on the net we may as well make it the same machine.
> 
> At 10:44 AM 5/8/2003 -0500, Ti Leggett wrote:
> >Just thinking. If we do go with separate machines, can we at least make
> >the CA side on the net to get rid of the walking/floppy hassle?
> >
> >On Thu, 2003-05-08 at 10:35, Ti Leggett wrote:
> > > This is true, but I don't think we want to be in the full fledged CA
> > > business and having them separate puts quite a burden on us to get CSRs
> > > signed and I think part of this is to not only make it easier for the
> > > end user to get a cert but also to make it easier for us to sign them.
> > > But that's why I got the discussion going :)
> > >
> > > On Thu, 2003-05-08 at 10:31, Robert Olson wrote:
> > > > it depends mostly on the level of trust we expect people to have in the
> > > > server. I'd argue for making them separate, if only because that is a
> > > > well-known configuration that gives a big boost in the security of the
> > > > overall system.
> > > >
> > > > --bob
> > > >
> > > > At 10:18 AM 5/8/2003 -0500, Ti Leggett wrote:
> > > > >Continuing on. Does anyone have strong feelings against putting the CA
> > > > >and RA on the same server? There's several things we can do to lock down
> > > > >the CA side of things, but it just makes life a little easier if we do
> > > > >this.
> > > > >
> > > > >On Wed, 2003-05-07 at 13:45, Ti Leggett wrote:
> > > > > > I'm trying to sort through the hierarchy of what we want our CA to look
> > > > > > like and what we'll be signing. Those things with (CA) are CAs and are
> > > > > > responsible for signing underneath them. Tell me if this looks correct:
> > > > > >
> > > > > > /O=Access Grid/ (CA)
> > > > > >   |
> > > > > >   +- /O=Access Grid/OU=Developers/
> > > > > >   |  |
> > > > > >   |  +- /O=Access Grid/OU=Developers/CN=Ti Leggett
> > > > > >   |
> > > > > >   +- /O=Access Grid/OU=Services/
> > > > > >   |  |
> > > > > >   |  +- /O=Access Grid/OU=Services/CN=AGNodeService/scraz.mcs.anl.gov
> > > > > >   |
> > > > > >   +- /O=SCGlobal2003/ (CA)
> > > > > >   |  |
> > > > > >   |  +- /O=SCGlobal2003/OU=Participant/
> > > > > >   |  |  |
> > > > > >   |  |  +- /O=SCGlobal2003/OU=Participant/CN=Ti Leggett/
> > > > > >   |  ...
> > > > > >   |
> > > > > >   +- /O=Access Grid Anonymous/ (CA)
> > > > > >      |
> > > > > >      +- /O=Access Grid Anonymous/OU=User/
> > > > > >      |  |
> > > > > >      |  +- /O=Access Grid Anonymous/OU=User/CN=Anonymous User/
> > > > > >      |
> > > > > >      +- /O=Access Grid Anonymous/OU=Service/
> > > > > >         |
> > > > > >         +- /O=Access Grid Anonymous/OU=Service/CN=AGNodeService/localhost
> > > > > >
> > > > > > Is this what we're looking at?
> > > > > >
> > > >
> > >
> 

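The hierarchy sketched in the quoted message, built with openssl(1) as an added example (not code from the thread or from the Access Grid project): a root CA for /O=Access Grid/, a subordinate CA for /O=SCGlobal2003/ that may issue end-entity certs only, and a participant cert under it. Key sizes, lifetimes, the extension choices and the "not-a-ca" check are this example's assumptions; it writes only into a scratch directory.

```shell
# Added example: build the thread's two-level CA hierarchy and check that a
# verifier anchored at the root enforces the CA/non-CA boundaries it implies.
#   /O=Access Grid/ (root CA)
#     +- /O=SCGlobal2003/ (sub-CA, CA:TRUE, pathlen:0)
#          +- /O=SCGlobal2003/OU=Participant/CN=Ti Leggett (leaf, CA:FALSE)
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

# Root CA: self-signed key pair (the part the thread wants kept off the net).
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -subj "/O=Access Grid" -keyout root.key -out root.crt 2>/dev/null

# Sub-CA for SCGlobal2003: its CSR is signed by the root; pathlen:0 lets it
# issue leaves but not further CAs.
openssl req -new -newkey rsa:2048 -nodes -subj "/O=SCGlobal2003" \
  -keyout sub.key -out sub.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 365 -extfile ca.ext -out sub.crt 2>/dev/null

# Participant leaf: the CSR the RA would hand over, signed by the sub-CA and
# marked CA:FALSE so it can never act as an issuer.
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/O=SCGlobal2003/OU=Participant/CN=Ti Leggett" \
  -keyout participant.key -out participant.csr 2>/dev/null
printf 'basicConstraints=critical,CA:FALSE\n' > leaf.ext
openssl x509 -req -in participant.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
  -days 365 -extfile leaf.ext -out participant.crt 2>/dev/null

# Constructed negative case: a cert signed with the participant's key. The
# participant is not a CA, so chain validation must reject it.
openssl req -new -newkey rsa:2048 -nodes -subj "/O=SCGlobal2003/CN=not-a-ca" \
  -keyout notca.key -out notca.csr 2>/dev/null
openssl x509 -req -in notca.csr -CA participant.crt -CAkey participant.key \
  -CAcreateserial -days 365 -extfile leaf.ext -out notca.crt 2>/dev/null
cat sub.crt participant.crt > chain.pem

# verify_leaf LEAF UNTRUSTED_PEM: exit status 0 iff LEAF chains to root.crt.
verify_leaf() {
  openssl verify -CAfile root.crt -untrusted "$2" "$1" >/dev/null 2>&1
}

verify_leaf participant.crt sub.crt && echo "participant.crt: chains to /O=Access Grid/"
verify_leaf notca.crt chain.pem || echo "notca.crt: rejected, issuer is not a CA"
```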