Certificate Management stuff

Ivan R. Judson judson at mcs.anl.gov
Wed Jan 28 11:58:55 CST 2004


Makes a lot of sense, but I think the current priority would be the next
release work. Can you work on this first set of changes? The online stuff
needs to be kicked around (i.e., discussed among the group) more before we
start putting effort into it.

I agree with the pyOpenSSL strategy and think that's what I've asked Matt to
do, effectively, although LGPL will taint their licensing and I'm sure Keith
will have strong objections to a wholesale import if it taints the code.

I've cc'd Matt and Keith so they can give us input.

--Ivan 

PS -- one important but small thing to make sure we get imported into
pyGlobus is the hostname thing from AccessGrid.hosting.pyGlobus.Utilities (I
think). Since that is generally useful too...

> There are two sets of changes.
> 
> One, which is complete but not checked in because of the 
> changes to pyGlobus (I don't want to break everyone's dev 
> environment; if we can get new pyGlobus built and installed 
> everywhere folks do development on I'll get them in) adds 
> host/service cert support and a lot more sanity checking on 
> the proxy creation process to address problems I've seen come 
> up in bug reports.
> 
> The other is the stuff I'm looking into for supporting online 
> CA / myProxy flavored stuff that requires full support for 
> creating and signing certificate requests programmatically; 
> this has caused the latest round of changes to the pyOpenSSL 
> side of things. We don't necessarily need to have this rolled 
> into the next release, but I'm trying to figure out if there 
> is foundational stuff that will be required to make it 
> possible more easily later on.
> 
> I wonder if it'd be reasonable to just roll pyOpenSSL as is 
> into pyGlobus, or at least the chunks that do x509 
> certificate processing. The work has already been done, and 
> it's LGPL code. I don't care either way, just that not doing 
> that would be a rote replication of the work already there.
> 
> I need to check back on what's up with the GLOBUS_HOSTNAME 
> determination stuff; I think the pyDns requirement may be out 
> already but I've not looked lately.
> 
> --bob 
> 
> 



