Tuesday, 14 February 2012

On email addresses in distinguished names

Those of you who are sysadmins know we have email addresses in host certificates, in their distinguished names (DNs).  The origin of this decision is lost in the mists of time - it certainly pre-dates the UK e-Science CA - I seem to remember something about host certificates being used as clients and the email address of the contact appearing in the log file, as a forerunner of "robot" certificates - which can't quite be right because initially we did not give host certificates client extensions. But hosts have been used in this way to implement portals.

In any case, the practice is now deprecated, mainly because much of our software (strictly speaking incorrectly) depends on the string representation of the DN, and different software stringifies emailaddress in different ways. We have been meaning to get rid of it for a while, waiting only for some code changes and an update to the policy.

In fact the policy needs updating because in a (very small) number of cases we are doing things that are not consistent with the policy - but which are nonetheless wholly consistent with IGTF. Actually the only example I can think of is that we have permitted two "software robots", a practice which is permitted by IGTF now but wasn't when our policy was written.

The proposal is now that we remove email addresses from DNs, before the policy rewrite is finished (it's about 2/3 done, since you ask). Removing email addresses is clearly consistent with IGTF, but deviates from our historical practice of preserving the end entity DN across all generations of CA certificates. Having an out of date policy is of course not consistent with IGTF...

The trouble is, how do we know whether people depend on the email address in the DN?  We have no way of knowing how the certificates are being used. Of course we could take the approach that if the certificate is being used for unsupported purposes, then you're on your own. OTOH, we have usually strived not to do that, even if grid software makes that quite difficult (see GFD.125 again, or every rollover).

So we need to leave it to the "owner" of the certificate to decide. The easiest way of doing this is JK's proposal, that we remove email address from new certificates, but keep them on renewal. For host certificates, getting a new certificate is often the same amount of work as a renewal.  Existing certificates are not affected but if you want your certificate to be affected you could revoke it and get a new one.

And of course all this applies only to hosts, there is no change for personal certificates.
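To make the stringification problem concrete (and to show what the proposed removal looks like when done properly, by attribute rather than by string), here is an added example that is not the CA's own code. The sample DNs, the "host/" CN form and the alias table are assumptions constructed for illustration; the point is that the emailAddress attribute has one OID but several printed spellings, so DNs should be compared structurally, not as strings.

```python
import re

# emailAddress is PKCS#9 OID 1.2.840.113549.1.9.1. Its short name is the one
# that varies most between toolkits: OpenSSL "emailAddress", Java
# "EMAILADDRESS", Windows/.NET "E", older code "Email", or the bare OID.
# Mapping every spelling onto the OID makes comparison spelling-independent.
EMAIL_OID = "1.2.840.113549.1.9.1"
ALIASES = {  # alias table is an assumption for this example, not exhaustive
    "emailaddress": EMAIL_OID, "email": EMAIL_OID, "e": EMAIL_OID, EMAIL_OID: EMAIL_OID,
    "c": "2.5.4.6", "o": "2.5.4.10", "ou": "2.5.4.11", "l": "2.5.4.7", "cn": "2.5.4.3",
}

# OpenSSL "oneline" form: split on "/" only where a new "key=" follows, so a
# "/" inside a value (e.g. CN=host/ngs.example.ac.uk) is left intact.
_SLASH_RDN = re.compile(r"/(?=[A-Za-z0-9.]+=)")
# RFC 2253 form: split on commas that are not backslash-escaped.
_COMMA_RDN = re.compile(r"(?<!\\),")

def parse_dn(dn):
    """Return the DN as a root-first list of (oid, value) pairs."""
    if dn.startswith("/"):
        parts = _SLASH_RDN.split(dn)[1:]      # oneline is already root first
    else:
        parts = _COMMA_RDN.split(dn)[::-1]    # RFC 2253 is leaf first: reverse
    pairs = []
    for part in parts:
        key, _, value = part.strip().partition("=")
        key = key.strip().lower()
        pairs.append((ALIASES.get(key, key), value.strip().replace("\\,", ",")))
    return pairs

def same_dn(a, b):
    """Structural comparison: how two DN strings should be tested for equality."""
    return parse_dn(a) == parse_dn(b)

def without_email(dn):
    """The DN as it would look after the proposed removal of emailAddress."""
    return [p for p in parse_dn(dn) if p[0] != EMAIL_OID]

# Constructed sample: one host DN as three different toolkits would print it.
ONELINE = "/C=UK/O=eScience/OU=ExampleSite/L=ExampleDept/CN=host/ngs.example.ac.uk/emailAddress=admin@example.ac.uk"
RFC2253 = "EMAILADDRESS=admin@example.ac.uk,CN=host/ngs.example.ac.uk,L=ExampleDept,OU=ExampleSite,O=eScience,C=UK"
WINDOWS = "E=admin@example.ac.uk, CN=host/ngs.example.ac.uk, L=ExampleDept, OU=ExampleSite, O=eScience, C=UK"

if __name__ == "__main__":
    print("string equal:", ONELINE == RFC2253)   # False: the string-level test the post warns about
    print("structurally equal:", same_dn(ONELINE, RFC2253) and same_dn(ONELINE, WINDOWS))
    print("after email removal:", without_email(ONELINE))
```

Software that keys access control on the printed DN will see three different strings above; software that compares the attribute list sees one identity, with or without the email component.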

Friday, 10 February 2012

Bits and pieces

It's been one of those weeks with a lot of bits and pieces going on.  Busy and varied is how I'd probably sum it up!

Tuesday was the NGS Collaboration Board meeting which was held at the University of Birmingham thanks to the kind hospitality of Paul Hatton.  The theme of the meeting was reaching out and engaging with potential new communities and existing user communities.  Mike Jones gave a presentation on SaRONGS to show how we are making it easier for people to access grid resources and I gave a presentation on the Campus and Community Champions networks.  Following on neatly from my presentation was Rebecca Notman who is one of our Community Champions.  Rebecca spoke about her role and how the NGS has played a part in her research.  There was also plenty of time for discussion with each of our Collaboration Board members updating us on news and activities from their institutions.  It seems to be a busy time in the world of research computing!

Wednesday was the next seminar in our short series.  This time it was the turn of John Kewley from STFC Daresbury who is the NGS helpdesk manager.  After a few technical issues, John spoke about the Certificate Wizard - a tool that the NGS produced to help people manage their grid certificates more easily, and it seems to have worked.  There have been fewer helpdesk queries regarding certificates since the introduction of the tool.

Yesterday morning I took part in the steering group for the forthcoming Software Sustainability Institute Collaboration Workshop.  This is always a really enjoyable conference as it's 2 days of full interactive discussion and networking.  If you go to a conference to get peace and quiet to read your email then this isn't for you!  Every session is a group discussion session apart from when the groups report back to the conference as a whole.  There are some really interesting topics for discussion this year, all of which have been suggested by the attending delegates.  If you would like to attend and you are a software developer then have a look at this as you may be able to get a free place and a contribution towards your expenses.

Thursday, 2 February 2012

One down two to go

Yesterday saw the first presentation in our short seminar series concentrating on the recent developments in the UK for accessing and managing grid resources.

I'm pleased (and relieved!) to say that it went well with Mike Jones from the University of Manchester giving a presentation on "Shibboleth Access to Resources on the NGS".  We had 28 individuals join us on Evo from all over the world including Russia, Italy, USA and Switzerland.  It was good to see that our seminar was of interest to people internationally as well.

The next seminar will take place on Wednesday 8th Feb at 10.30am (GMT) and will be looking at the Certificate Wizard which makes it easier for users to manage their certificates.  If you would like to take part in the seminar either by Access Grid or Evo then please see the event listing on our website.  You can also RSVP on our Facebook event page.

The seminars have been recorded and it is our aim to have these recordings available on the NGS website at the end of the seminar series.