Friday, 8 February 2008


People's v-p-inits stopped working - from the CERN VOMS. Turns out the UK CA certs had been taken out, in the mistaken belief they had been revoked... Without consulting me, of course. Apart from a flurry of email, I called Remi this morning asking him to put them back and he said he'd do that today.

It was the root cert that was "suspected compromised" (but not "compromised", which is why we're ok for now - a resourceful attacker would need O(years) to do something with an encrypted key). And the e-Science CA itself was fine.

Eventually we may need to do something more to get people off the old CA chain. Certain relying parties (in a certain large country) have expressed concerns, which, even if there is no compelling technical reason to be concerned, may need addressing. We can re-sign old certificates under the new chain (so you keep your private key - we can do that), or just ask people to renew a bit earlier. But if and when any such things should happen you'd know about it because I would tell you!

We also talked about the rollover registration problem, I'll follow up on that.

Wednesday, 6 February 2008

evo on OS X

GridPP uses the evo software for most of its videoconference meetings. It normally works pretty well (especially when compared to VRVS / Access Grid) and the audio on my Mac laptop is surprisingly good without the need of a headset.

However, today's Java Web Start did an upgrade to 1.0.8 and broke the video client - it just refused to start.

Problem is caused by an incorrect shell script test in ~/.Koala/plugins/ViEVO/ViEVO

if [ "$OSTYPE" -ne "darwin9.0" ]; then
should be
if [ "$OSTYPE" != "darwin9.0" ]; then

and all works fine. RT Ticket #2615 has been raised with the developers.
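Why the one-operator change matters, as an added example (not part of the original post and not code from the EVO developers): `-ne` is an integer comparison, so with a string operand `[` reports an error instead of true or false, and the `if` falls through on every platform. The function names and the sample OSTYPE values are constructed for illustration.

```shell
# Added illustration; function names are hypothetical, not from the ViEVO script.

# The test as shipped: -ne compares integers, so a string operand makes `[`
# fail with an error status greater than 1 (2 in bash and dash), never "true".
broken_test() {
    [ "$1" -ne "darwin9.0" ] 2>/dev/null
}

# The corrected test: != is the string inequality operator.
fixed_test() {
    [ "$1" != "darwin9.0" ]
}

# Print the exit status of a test function for a given OSTYPE value.
# Written as an &&/|| list so it also behaves under `set -e`.
status_of() {
    "$1" "$2" && echo 0 || echo $?
}

# Print which branch an `if` built on the given test would take.
branch_taken() {
    if "$1" "$2"; then echo "then"; else echo "else"; fi
}

# Constructed sample OSTYPE values.
for os in darwin9.0 darwin8.0 linux-gnu; do
    printf '%-10s broken: status=%s branch=%s | fixed: status=%s branch=%s\n' \
        "$os" \
        "$(status_of broken_test "$os")" "$(branch_taken broken_test "$os")" \
        "$(status_of fixed_test "$os")" "$(branch_taken fixed_test "$os")"
done
```

With the broken test every row takes the `else` branch with an error status; with the fix only `darwin9.0` does.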

Monday, 4 February 2008

Out in the big world

Thought I'd start blogging some CA stuff because a lot of things happen which you may not otherwise hear about (or indeed care about, but at least you have the option). CAs are kind of operational so I thought it fits OK here. It ain't storage, that I know (except see below).

Starting in the big world, we now have Ukraine and Morocco on board. I was a reviewer for both. Much of my review work (specifically travel to the meetings) is funded by GridPP, so we can count this as yet another GridPP contribution to the global grid, I'd have thunk. If that helps.

Anyway, a review often takes many iterations (I counted nine with someone, Mexico I think, and we're still not quite done), and the whole process from being a glint in someone's eye to being a fully accredited CA can take years. There are usually two reviewers, occasionally three, all of whom need to say "aye". There is some grumbling - particularly in a certain large country with more than one CA - that it takes so long, and they would like to cut corners. I am working on some IGTF stuff which should speed up the process without the corner cutting but it's a bit experimental. Other people from the afore-not-mentioned country have had related ideas and this will be tied in.

Latvia have applied for membership (I am also a reviewer here); they were previously covered by the Estonian-run BalticGrid CA (which incidentally I also reviewed back in '05), but for various reasons now want one for themselves. Lithuania is still in BalticGrid with no plans otherwise.

Among the more politically interesting, we find the area known as FYROM or Macedonia, depending on who you ask, who want to join with a CA under the name of Macedonia which made the Greek jump. Iran is now also interested in joining and have started setting up a CA, unfortunately they find it hard to travel and even videoconferencing with them can be embargoed. I am not reviewing those two though.

Oh, and a tearful goodbye and cheerio to the old CERN CA, headed by Ian Neilson. The CA community expressed its gratitude to the CA which was one of the earliest ones. Since CAs must archive everything for at least three years, Ian is now wondering how to archive about 1TB's worth of email which is mostly spam...
Incidentally, CERN and INFN who both have expired CAs noticed a large number of attempted CRL downloads, which indicates that someone's systems haven't been updated. On CERN's list, at #8, was a UK site which shall remain nameless. It was an NGS site, though.

Belgium is also under new management, so to speak, which looks very promising. Till now they were very quiet and it's better that CAs make (the right kind of) noises.

Meanwhile, folk in Armenia are interested in spreading PKI to other countries in the region, the "Silk Highway". This will be based on OpenCA but is so far only a proposal. More on this if it gets funded.

That's all for now. I think next post will be internal - UK e-Science CA notes.
Oh, and about the rollover problems, I filed a bug report against CERN but I'm not confident it ended up in the right hands. Not just our headache, I counted four other CAs who are currently rolling over, with another nine starting rollover later this year. It is a bug, Grid CAs only guarantee the subject DN. More later (or on dteam).