Certificate Management stuff

Robert Olson olson at mcs.anl.gov
Wed Jan 28 11:39:24 CST 2004


At 11:28 AM 1/28/2004, Ivan R. Judson wrote:

>In that case, should the commits to pyopenssl be considered not important
>yet? Or are they things we need to worry about for the next release? I'm
>hoping to have Matt's mods to pyGlobus include the openssl/pyopenssl api
>extensions we've been using to date and to not have to package and
>distribute the following (based on previous conversations):
>
>Pydns
>Openssl

(it's a nit but) I don't think we've been distributing openssl.

>Pyopenssl
>Putty (for windows)
>
>And get down to distributing only:
>
>Pyglobus
>GT
>Logging (only if necessary)
>
>Plus obviously our software.
>
>Are we on track for that? It significantly simplifies our release
>engineering work, and pares things down so we're not branching other people's
>work and accepting responsibility for more software than we need to.

There are two sets of changes.

One, which is complete but not checked in because of the changes to 
pyGlobus (I don't want to break everyone's dev environment; if we can get 
new pyGlobus built and installed everywhere folks do development on I'll 
get them in) adds host/service cert support and a lot more sanity checking 
on the proxy creation process to address problems I've seen come up in bug 
reports.

The other is the stuff I'm looking into for supporting online CA / myProxy 
flavored stuff that requires full support for creating and signing 
certificate requests programmatically; this has caused the latest round of 
changes to the pyOpenSSL side of things. We don't necessarily need to have 
this rolled into the next release, but I'm trying to figure out if there is 
foundational stuff that will be required to make it possible more easily 
later on.

I wonder if it'd be reasonable to just roll pyOpenSSL as is into pyGlobus, 
or at least the chunks that do x509 certificate processing. The work has 
already been done, and it's LGPL code. I don't care either way, just that 
not doing that would be a rote replication of the work already there.

I need to check back on what's up with the GLOBUS_HOSTNAME determination 
stuff; I think the pyDns requirement may be out already but I've not looked 
lately.

--bob 



