The main focus of today's VDT office hours was to discuss Alain Roy's proposal for adding enhanced capabilities for VDT installations to receive new CA certificates updates. Currently, installations download new package tarballs from the VDT cachce using Pacman. In order to update the certificates directory, users must execute a pacman command. The VDT team has discovered that many site operators do not update in a timely manner or avoid updating all together, due to fears of Pacman damaging the VDT installation.
Therefore, Alain proposes that the VDT install a mechanism that will periodically check whether new CA certificates are available from a known location, and downloads the corresponding updates. After this proposal was distributed and during the call, some members of the VDT community with better security backgrounds had some objections.
From this, a lengthy discussion with Alan Sill, Alain Roy, and others ensued about current research being conducted in secure certificate distribution. The VDT team may be ready to collaborate with the IGTF on distributing CA certificates; it was also proposed that the VDT team should start looking into working with TAKAR. The VDT currently provides CA certificates that overlap both the ITGF and FermiLab. The team would like to move an expansion of methods for obtaining additional grid credentials. For example, the VDT has made allowances for supporting TeraGrid certificates.
The VDT may also look into deploying GTS for the Open Science Grid. The current functionality of the GTS is that it is able to pull down CA certificates and corresponding CRLs. Alain believes that an inital test deployment is possible, but that they would need to discuss scalability issues later.
As the discussion continued, it was agreed that there are two fundamental technical questions that still need to addressed:
Futhermore, there are other questions about the entire process that were raised during the office hours discussion: