
[condor-users] Some questions concerning security in Condor



Hi Chaps,

In order to win over our computing services guys and get them to consider putting Condor on campus-wide facilities, I'd be grateful if anyone can answer some of the questions that have been raised, which are detailed below. I'd like to say that by fielding these questions we are in no way implying any sort of slur on any aspects of Condor, but I have been warned that some people/organizations can feel slighted at having the security of their products questioned. We mean no such offence.

1) Does Condor support TCP_wrappers?

2) Has anyone done a security assessment/audit of Condor? If so, can we see the results?

3) Section 3.7.4.1, "GSI Authentication" in the Condor v6.6 manual implies that the distinguished name of certificates for the Condor daemons should be of the form:

/C=?/O=?/O=?/OU=?/CN=<daemon_name@domain>

which is not of the same form as the distinguished name of certificates issued by the UK e-Science CA. So, is it the case that the distinguished name of certificates for the Condor daemons has to be of the form given above, or is this just an example? For comparison, the UK e-Science CA issues user certificates with distinguished names of the form:

/C=UK/O=eScience/OU=?/L=?/CN=<name of user>

host/server certificates with distinguished names of the form:

/C=UK/O=eScience/OU=?/L=?/CN=<hostname>/Email=<some_name@domain>

and service certificates with distinguished names of the form:

/C=UK/O=eScience/OU=?/L=?/CN=<service>/<hostname>/Email=<some_name@domain>

Thanks for any help,

Mark

--
Department of Earth Sciences, University of Cambridge
Downing Street, Cambridge CB2 3EQ, UK
Tel. (+44/0) 1223 333408, Fax  (+44/0) 1223 333450
http://www.esc.cam.ac.uk/~mcal00

