-----Original Message-----
From: Charles Bacon
Sent: Monday, April 24, 2006 3:05 PM
To: Cindy Zheng
Subject: Re: DN incompatibility issue

On Apr 24, 2006, at 4:30 PM, Cindy Zheng wrote:

> Dear Bill,
>
> During our chat at PRAGMA10, I mentioned the DN incompatibility
> issue we encountered in our Grid interoperation effort. Here is a
> detailed description: http://goc.pragma-grid.net/gin/Cert-probs-GIN.pdf
> Would appreciate any comments and suggestions.
> I'm cc'ing Lisa and Charles for comments as well.

This came up when we upgraded our version of OpenSSL back in mid-2004
in the 3.2 release of the Globus Toolkit.  Here's the bug that was
opened about the issue: http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=575.
The reporter, Keith Thompsen, also sent an email at the same time:
http://www-unix.globus.org/mail_archive/security/2004/10/msg00000.html

The issue arises when an OID (like 0.9.2342.19200300.100.1.1) doesn't
have a canonical mapping to a human-readable string like "UID".  The
RFC quoted in the paper mentions that UID is preferred to USERID, but
that doesn't address the other problematic RDNs like serialNumber and
emailAddress.

There are two approaches the community at large has taken.  One is to
standardize on a particular version of the openssl libraries - for
instance, we have used 0.97c for a while.  This is mentioned in the
conclusion when the author mentions upgrading the ASN.1 encoding used
by the VOMS Admin.  The other approach is to allow flexibility in the
interpretation of the RDN, which is referred to in the paper as "The
hack".  Adding both USERID and UID versions of the DN to the grid-
mapfile (or equivalent) and CA signing policy files allows the OID
blob to be rendered to text either way.  I believe this is the
approach taken by TeraGrid and the gx-map tool.  Here's an example
pair of entries in their grid-mapfile:

"/C=US/O=UTAustin/OU=TACC/CN= Chris Gilpin/UID=tg456958" cgilpin
"/C=US/O=UTAustin/OU=TACC/CN= Chris Gilpin/USERID=tg456958" cgilpin

And in the signing policy for that CA:

# TACC CA signing Policy

access_id_CA      X509         '/C=US/O=UTAustin/OU=TACC/CN=TACC Certification Authority/USERID=caman'
pos_rights        globus        CA:sign
cond_subjects     globus       '"/C=US/O=UTAustin/OU=TACC/*"'

access_id_CA      X509         '/C=US/O=UTAustin/OU=TACC/CN=TACC Certification Authority/UID=caman'
pos_rights        globus        CA:sign
cond_subjects     globus       '"/C=US/O=UTAustin/OU=TACC/*"'
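The mechanics behind both approaches, worked through as an added example (this is not code from this message, nor from Globus, TeraGrid or gx-map): the same OID is printed as USERID by one OpenSSL build and UID by another, so a gatekeeper that compares DN strings needs one grid-mapfile line (and one access_id_CA stanza) per spelling, whereas a comparison on the OID form needs only one. The alias table (USERID/UID, Email/emailAddress), the two rendering tables standing in for older and newer OpenSSL builds, and the function names are my assumptions; the sample grid-mapfile is constructed from the TeraGrid entry above with O= in place of O+.

```python
"""Added example (not Globus, TeraGrid or gx-map code): canonicalise X.509
subject DNs whose attribute names depend on the OpenSSL build that rendered
them, and generate the 'both spellings' grid-mapfile entries."""
import re

# Attribute name -> OID.  The UID OID is the one quoted in the message; the
# rest are the standard X.520 / PKCS#9 arcs.  Which spelling a given OpenSSL
# build prints (USERID vs UID, Email vs emailAddress) is the whole problem, so
# the alias set is an assumption made for illustration.
NAME_TO_OID = {
    "C": "2.5.4.6", "O": "2.5.4.10", "OU": "2.5.4.11", "CN": "2.5.4.3",
    "SERIALNUMBER": "2.5.4.5",
    "UID": "0.9.2342.19200300.100.1.1", "USERID": "0.9.2342.19200300.100.1.1",
    "EMAILADDRESS": "1.2.840.113549.1.9.1", "EMAIL": "1.2.840.113549.1.9.1",
}
# OID -> name for the unambiguous attributes.
OID_TO_NAME = {"2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU",
               "2.5.4.3": "CN", "2.5.4.5": "serialNumber"}
# Two short-name tables standing in for two OpenSSL generations (assumed).
RENDER_NEW = {"0.9.2342.19200300.100.1.1": "UID",
              "1.2.840.113549.1.9.1": "emailAddress"}
RENDER_OLD = {"0.9.2342.19200300.100.1.1": "USERID",
              "1.2.840.113549.1.9.1": "Email"}
# Constructed grid-mapfile holding only the UID spelling, modelled on the
# TeraGrid entry in the message (with O= in place of the O+ typo).
SAMPLE_MAPFILE = """# constructed grid-mapfile
"/C=US/O=UTAustin/OU=TACC/CN=Chris Gilpin/UID=tg456958" cgilpin
"""


def parse_dn(dn):
    """Split a Globus one-line DN (/C=US/O=.../CN=...) into (name, value)
    pairs.  Values are whitespace-trimmed; a '/' inside a value is not
    supported by this simple splitter."""
    if not dn.startswith("/"):
        raise ValueError("expected a Globus one-line DN starting with '/'")
    pairs = []
    for rdn in dn[1:].split("/"):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        name, value = rdn.split("=", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs


def canonical_dn(dn):
    """Replace every attribute name by its OID, so USERID=x, UID=x and
    0.9.2342.19200300.100.1.1=x all compare equal."""
    out = []
    for name, value in parse_dn(dn):
        if name.upper() in NAME_TO_OID:
            oid = NAME_TO_OID[name.upper()]
        elif re.fullmatch(r"\d+(\.\d+)+", name):
            oid = name  # renderer had no name for the OID and printed it raw
        else:
            raise ValueError(f"unknown attribute type {name!r}")
        out.append((oid, value))
    return tuple(out)


def same_subject(a, b):
    """True when two renderings name the same certificate subject."""
    return canonical_dn(a) == canonical_dn(b)


def render_dn(dn, table):
    """Render a DN as a build using `table` for its short names would."""
    return "/" + "/".join(f"{table.get(oid) or OID_TO_NAME.get(oid, oid)}={v}"
                          for oid, v in canonical_dn(dn))


def grid_mapfile_entries(dn, local_user):
    """'The hack': one grid-mapfile line per spelling, so a gatekeeper that
    compares strings accepts the subject however its OpenSSL renders it."""
    lines = []
    for table in (RENDER_NEW, RENDER_OLD):
        line = f'"{render_dn(dn, table)}" {local_user}'
        if line not in lines:  # both spellings coincide for unambiguous DNs
            lines.append(line)
    return lines


def lookup(mapfile, presented_dn):
    """The alternative to duplicating entries: match by canonical form, so a
    single line per subject accepts any spelling."""
    want = canonical_dn(presented_dn)
    for line in mapfile.splitlines():
        m = re.match(r'\s*"([^"]+)"\s+(\S+)', line)
        if m and canonical_dn(m.group(1)) == want:
            return m.group(2)
    return None
```

grid_mapfile_entries() produces exactly the pair of lines shown above, and render_dn() with RENDER_OLD turns the CA's UID=caman subject into the USERID=caman spelling used in the first signing-policy stanza. lookup() shows the other option: a gatekeeper that compares DNs by OID never needs the duplicate entry, and it also accepts a DN in which a build with no name for the OID printed the dotted form. Note that a canonical match still depends on every pinned version agreeing on the attribute set, so a real deployment would want the same alias table on every host.
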


I hope this helps,

Charles