Re: [Condor-devel] Has Condor considered NSS?

[Matthew Farrellee <matt@xxxxxxxxxxx>]

Ah, great. I thought it wasn't a parameter, but the default.


matt

Jaime Frey wrote:
> In delegation, the receiving party creates a new public/private key pair 
> and sends the public key over the connection to be signed (actually, I 
> believe it's a certificate request). The sending party signs the 
> certificate with the private key of the source credential and returns 
> the signed certificate. No private keys ever go over the network.
>
> Condor uses delegation to transfer X509 credentials over a network 
> connection. There's a config parameter to tell it to simply copy the 
> credentials instead.
>
>  -- Jaime
>
> On Aug 22, 2007, at 10:55 AM, Matthew Farrellee wrote:
>
> > Will you explain the difference to me? I thought delegation means that a
> > restricted certificate is created for the user (restricted in its
> > expiration time), but that delegated certificate still has private bits.
> > The delegated certificate (proxy cert?) is actually transferred via the
> > X509_USER_PROXY attribute in job ads.
> >
> >
> > matt
> >
> > Alain Roy wrote:
> > > No, it's delegated, not transferred.
> > >
> > > -alain
> > >
> > > At 09:57 AM 8/22/2007 -0500, Matthew Farrellee wrote:
> > > > Unless I'm mistaken in situations like Condor-C/Condor-G a user's
> > > > certificate, or proxy certificate, will actually be transferred (it
> > > > contains private bits) between machines. I honestly hope I'm mistaken.
> > > >
> > > >
> > > > matt
> > > >
> > > > Ian Alderman wrote:
> > > > > I'm not sure what you mean by passing certificates around: do you mean
> > > > > passing keys around?  I don't think Condor does that any more.
> > > > >
> > > > > I think Condor only uses certificates if the SSL or GSI authentication
> > > > > methods are employed.
> > > > >
> > > > > -Ian
> > > > >
> > > > > On Wed, Aug 22, 2007 at 08:22:26AM -0500, Matthew Farrellee wrote:
> > > > > >
> > > > https://www.redhat.com/archives/fedora-devel-list/2007-August/msg01594.html 
> > > >
> > > >
> > > > > > I can think of a few reasons why Condor might not be able to get FIPS
> > > > > > 140-2 certification, such as passing certificates around between
> > > > > > machines. Can anyone think of others or clarify how extensively
> > > > > > certificates are needed directly by Condor?
>
> +--------------------------------+-----------------------------------+
> |           Jaime Frey           | I used to be a heavy gambler.     |
> |       jfrey@xxxxxxxxxxx        | But now I just make mental bets.  |
> | http://www.cs.wisc.edu/~jfrey/ | That's how I lost my mind.        |
> +--------------------------------+-----------------------------------+