Hi Dennis.

Running the LMU-LRZ Tier-2 this is quite good news, however..


On Thu, 2012-03-29 at 23:29 +0200, Dennis van Dok wrote:
>  The certificates are kept in /usr/share/igtf-policy/ and
>  /usr/share/ca-certificates/igtf-*/.
Why two locations (i.e. why the one outside
of /usr/share/ca-certificates/)


>  They are meant to be placed in
>  /etc/grid-security/certificates, where the commonly used grid middleware
>  will look for it; it is also possible to include (some of) the certificates
>  in /etc/ssl/certs by using dpkg-reconfigure ca-certificates.
Well here the problems start, IMHO.
I always considered the whole /etc/grid-security/ quite broken and not
more than a quite and dirty hack to ease up life with multiple grid
apps.

It more or less contradicts the way certificates are meant to be handled
in Debian (i.e. ca-certificates).
Are you going to automatically create /etc/grid-security/certificates
and put links in there?

Will it be possible to configure only selected CAs?

Will you integrated into ca-certificates (i.e. which certs-get enabled
and not)?
Probably not all certificates in IGTF should show up in what
ca-certificates creates (i.e. SLCS and MLCS).


btw: Are you going to provide backports or better said "volatile"
support?


When you're from NIKHEF you can probably easily get David's OpenPGP key
in a secure way to add only securely downloaded igtf bundles to
Debian :)


Cheers,
Chris.

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply via email to