Certificate Management stuff
Robert Olson
olson at mcs.anl.gov
Wed Jan 28 11:39:24 CST 2004
At 11:28 AM 1/28/2004, Ivan R. Judson wrote:
>In that case, should the commits to pyopenssl be considered not important
>yet? Or are they things we need to worry about for the next release? I'm
>hoping to have matt's mods to pyGlobus include the openssl/pyopenssl api
>extensions we've been using to date and to not have to package and
>distribute the following (based on previous conversations):
>
>Pydns
>Openssl
(it's a nit but) I don't think we've been distributing openssl.
>Pyopenssl
>Putty (for windows)
>
>And get down to distributing only:
>
>Pyglobus
>GT
>Logging (only if necessary)
>
>Plus obviously our software.
>
>Are we on track for that? It significantly simplifies our release
>engineering work, and pares things down so we're not branching other peopls
>work and accepting responsibility for more software than we need to.
There are two sets of changes.
One, which is complete but not checked in because of the changes to
pyGlobus (I don't want to break everyone's dev environment; if we can get
new pyGlobus built and installed everywhere folks do development on I'll
get them in) adds host/service cert support and a lot more sanity checking
on the proxy creation process to address problems I've seen come up in bug
reports.
The other is the stuff I'm looking into for supporting online CA / myProxy
flavored stuff that requires full support for creating and signing
certificate requests programmatically; this has caused the latest round of
changes to the pyOpenSSL side of things. We don't necessarily need to have
this rolled into the next release, but I'm trying to figure out if there is
foundational stuff that will be required to make it possible more easily
later on.
I wonder if it'd be reasonable to just roll pyOpenSSL as is into pyGlobus,
or at least the chunks that do x509 certificate processing. The work has
already been done, and it's LGPL code. I don't care either way, just that
not doing that would be a rote replication of the work already there.
I need to check back on what's up with the GLOBUS_HOSTNAME determination
stuff; I think the pyDns requirement may be out already but i've not looked
lately.
--bob
More information about the ag-dev
mailing list