120 likes | 129 Views
The PMA provides trust anchors for CAs, offering simple, common mechanisms such as tar-based installs or RPM/yum/apt. The distribution structure ensures easy installation and updates.
E N D
http://www.eugridpma.org/ Distribution Repository StructureDavid Groep, 2005.03.15
Distribution of trust anchors • The PMA distributes a set of trust anchors for the community of all accredited CAs • Although published via a secure web site, RPs are invited to cross-check the trust anchors against TACAR &c. • When using common auth profiles, RPs are likely to install all accredited authorities from all PMAs • Need simple, common mechanisms • Support both simple tar-based installs and RPM/yum/apt (and debian?)
Distribution items • RPMs • one per CA • including meta-data like CRL URL • “policy” meta-RPMS for accredited authorities • tar balls • per CA • a combined tarball with configure/install script
Current layout (one profile only) /distribution/current -> 0.27 /distribution/0.27/... .../accredited/RPMS/ca_NAME1-0.27-1.noarch .../accredited/RPMS/ca_NAME2-0.27-1.noarch .../accredited/tgz/ca_NAME.tar.gz .../accredited/ /cabundle-eugridpma-accredited.tar.gz .../ca_policy_eugridpma-0.27-1.noarch.rpm /distribution/0.27/headers/...
Proposed structure (multiple profiles) /distribution/current -> eugridpma/1.0 /distribution/eugridpma/1.0/accredited/RPMS/... .../accredited/RPMS/ca_NAME-1.0-1.noarch.rpm .../accredited/RPMS/ca_policy_eugridpma-classic-1.0-1.noarch.rpm .../accredited/RPMS/ca_policy_eugridpma-acs-1.0-1.noarch.rpm .../accredited/tgz/ca_NAME.tar.gz .../accredited/tgz/cabundle-eugridpma-accredited.tar.gz* /distribution/eugridpma/1.0/headers/... /distribution/mirror/current/apgridpma/... .../apgridpma/current/accredited/ca_policy_apgridpma-classic-0.3-.. /distribution/mirror/current/tagpma/... .../tagpma/current/accredited/ca_policy_tagpma-sips-1.2-1.noarch... /distribution/mirror/current/eugridpma/current/... /distribution/mirror/current/igf/... .../igf/current/accredited/RPMS/ca_policy_igf-classic-1.0-1.noarch requires: ca_policy_eugridpma-classic requires: ca_policy_apgridpma-classic /distribution/mirror/current/headers/... *) ./configure --prefix=/etc/security/grid --with-profile=acs make install
Using the RPM repository • Having all PMA current repositories mirrored under one root allows YUM/APT updates from a single source • If the “current” is mirrored and old files removed, manual installation is also unambiguous • Mirroring ensures getting always the latest from every PMA • Install all “classic” CAs with a singleyum –y install ca_policy_igf-classic • Have an “overall” policy file that includes all profiles:yum –y install ca_policy_igf
RPM dependencies ca_policy_pma-classic-2.3 requires ca_authname = 2.3 ca_policy_pma-3.4 requires ca_policy_pma-classic = 3.4 ca_policy_pma-sips = 3.4 ca_policy_pma-acs = 3.4 ca_policy_igf-classic-1.0 requires ca_policy_eugridpma-classic [no version!] ca_policy_apgridpma-classic [no version!] ca_policy_tagpma-classic [no version!] ca_policy_igf-1.0 requires ca_policy_igf-classic = 1.0 ca_policy_igf-sips = 1.0 ca_policy_igf-acs = 1.0
CA package contents • Required content • trust anchor: c_hash.0 • CRL location: c_hash.crl_url • Namespace definition: c_hash.signing_policy • Optional content • CERT location c_hash.ca_url • CA web page c_hash.url • Package dependencies (RPM only) • for a hierarchical PKI the RPM name of the parent CA • Proposed content • metadata c_hash.docwith: alias, full name, AuthProfile, email addresses, PDS, CP/CPS link, all as “attribute=value” pairs
Tar/Configure based installation • RP will download three tarballs • Runs ./configure three times • but same format for all: • –prefix=path [default: /etc/grid-security/certificates] • –with-profile=authprofilename [default: all profiles]
Naming conventions • Each Authority will have an alias of 4-16 chars • Each PMA will have a shortname “eugridpma”, “apgridpma”, “tagpma” • Each profile will have a shortname for use in RPM specialisation and for the –with-profile= configure option • “classic”: traditional, secured PKI CAs • “sips”: Site Integrated Proxy Servers, kCAs • “acs”: secured Active Certs Stores, NERSC-style • “experimental”: testing and experimental authorities of any kind that need distribution • “test”: internal testing only
Mirroring requirements • Each PMA will mirror all others & the IGF • web site / directory naminghttp://www.pmaname.org/distribution/mirror/ • Mirror frequency: once daily • also mirror yourself for consistencyso “/distribution/mirror” will be same everywhere