OSG Area Coordinators Meeting
| Wednesday, 2:00 PM Central Time
| Phone (866) 740-1260
|| Meeting ID 8405618, followed by #
Brian, Rob Q., Gabriele, Von Welch, Ruth
Jemise will update Indico
Follow-up Action Items
OSG PKI Project Briefing for OSG Area Coordinatoris - Von Welch (15 minutes)
Von presents the DigiCert project, now better referred to as OSG PKI Project. He reviewed the info at the links above.
How will OSG users be affected?
Heavier than usual load to RA: no automatic re-issuing of credentials for the first time.
GG: how will OSG software be affected?
Software affected are the scripts written to request certificates directly to the CA, typically done by administrators. We change one REST API with a different one. Jeremy Fisher at IU will write a guide about this.
BB: These scripts have been written because of lack of functionalities with the CA to request certificates in bulk.
VW: Supporting of the scripts should be the responsibility of who supports the CA front end service. This is only a proposal for now.
BB: Admins would probably be willing to beta test the service.
VW: testing will go in phases from more to less experts. Will get in touch for suggestions on names.
BB: WN certificates: today sites request 1 for all the WN. This is the easiest for internal-only certificates (gLExec, condor authn, Zabbix, etc.). Are these going to be handled differently?
VW: We plan to support the same level of usage as DOEGrids for OSG. With DigiCerts we'll have a contract to support a certain number. We'll need to check for run-away requests (e.g. requests for 10,000 WN)
RP: I would like to understand how we can move away from the need of WN certs.
GG: what is the costing model?
VW: single contract to cover up to N certificate (somewhat more than today). Then incremental costs that we'd like to avoid.
BB: do certs need to point to DNS names?
VW: yes: is it a problem?
BB: maybe for internal nodes.
RQ: we look forward to streamline some internal processes with OIM
BB: what is the time for average site transition? For rpms it was 6 months
VW: unclear now, but it's going to be more of a gradual transition than with rpm.
VW: we don't have a contract with DigiCert yet, but they can issue some limited number of certs for testing.
Stakeholder Request Management - Gabriele Garzogio
Discussion on idle OSG stakeholder requests
Request of CVMFS
Trash/Blueprint meeting at the end of Apr will touch on this.
BB: we are looking into pairing CVMFS with parrots to deploy clients on
the flight wherever the CVMFS/Fuse client is NOT enabled.
- 07 Mar 2012