#
# Per-CA configuration: where each CA's CRL is fetched from and which
# subject DN prefixes that CA is allowed to sign.
#
# For every CA, a symbolic abbreviation should be defined, and in the CWD
# there should be a self-signed CERT named "cacert-${caname}.pem".
# If the CRL URL is correct, it will be retrieved automatically;
# otherwise, put the file by hand in this directory as "cacrl-${caname}.pem".
# The hash is computed automatically and symlinks to cert and crl are made
# accordingly. The "hash.0" and "hash.r0" MUST be symlinks.
#
# The "auth" entry in the hash is compulsory: it should be a list
# of DN prefixes signed by that CA, including any wildcards.
#
# The "cert" entry is NOT used: it would be catastrophic to retrieve
# a CA cert insecurely and at random. Use of the "cert" field is
# to be forbidden for automatic updates!
#
# If the "dis" entry is defined, the CA will not be added to the
# ca-signing-policy.conf file. The textual value of the "dis" entry
# will be echoed to the screen.
#
# NOTE(review): every URL below is plain http, so the transport gives no
# integrity or freshness guarantee. A CRL is signed by its CA, so whatever
# consumes this table should verify each downloaded CRL against the locally
# installed cacert-${caname}.pem and check its update times before
# installing it. That check is not visible from this file -- confirm it
# exists in the updater.
#
# The list of CA's, in perl syntax as a hash of hashes:
#
%calist = (
  "cern" => {
    cert => 'http://globus.home.cern.ch/globus/ca/c35c1972.0',
    crl  => 'http://globus.home.cern.ch/globus/ca/cern.crl.pem',
    # NOTE(review): the last prefix has no trailing "*", unlike every other
    # wildcard entry in this table -- confirm that is intended.
    auth => ["/C=ch/O=CERN/*","/C=CH/O=CERN/*",
             "/O=Grid/O=CERN/*","/O=CERN/O=Grid/"]
  },
  "nikhef-ms" => {
    cert => 'http://certificate.nikhef.nl/medium/cacert.pem',
    crl  => 'http://certificate.nikhef.nl/medium/cacrl.pem',
    auth => ["/O=dutchgrid/O=users/*","/O=dutchgrid/O=hosts/*"]
  },
  "nikhef-test-low" => {
    cert => 'http://certificate.nikhef.nl/test-low/cacert.pem',
    crl  => 'http://certificate.nikhef.nl/test-low/cacrl.pem',
    # NOTE(review): "/O=dutchgrid/*" appears to cover the
    # "/O=dutchgrid/O=users/*" and "/O=dutchgrid/O=hosts/*" prefixes that
    # "nikhef-ms" is authorised for, so this "test-low" CA would be accepted
    # for the same namespace. Confirm the overlap is intended (depends on how
    # the policy consumer matches wildcards).
    auth => ["/C=nl/O=nikhef/*","/C=nl/O=UvA/OU=wins/*",
             "/C=nl/O=amolf/*","/O=dutchgrid/*"]
  },
  "ukhep" => {
    cert => 'http://www.hep.grid.ac.uk/ca/software/0ed6468a.0',
    # The CRL URL is commented out, so no CRL location is configured for
    # this CA; per the header, a CRL then has to be placed by hand.
    #crl => 'http://www.hep.grid.ac.uk/ca/ca-crl.pem',
    auth => ["/O=Grid/O=UKHEP/*"]
  },
  "lip" => {
    cert => 'http://www.lip.pt/ca/41380387.0',
    crl  => 'http://www.lip.pt/ca/lip-crl.pem',
    auth => ["/C=PT/O=LIP/*"]
  },
  "infn-2" => {
    crl  => 'http://security.fi.infn.it/CA/crl.crl',
    # Double-quoted, so $openssl is interpolated when this file is
    # evaluated: it must already be set by whatever loads this file.
    # NOTE(review): the leading "|" suggests the consumer runs this string
    # as a shell pipeline on the downloaded (DER) CRL -- confirm that
    # $openssl is a fixed, trusted path and that no part of the download
    # or URL is ever placed on that command line.
    crl_filter => "| $openssl crl -inform der -text",
    auth => ["/C=IT/O=INFN/*"]
  },
  "nordugrid" => {
    cert => 'http://www.nbi.dk/HEP/CA/1f0e8352.0',
    crl  => 'http://www.nbi.dk/HEP/CA/1f0e8352.r0',
    auth => ["/O=Grid/O=NorduGrid/*"]
  },
  # Disabled entry, kept for reference.
  #"cnrs-test" => {
  #  dis => "superseeded by Datagrid-fr",
  #  cert => "http://www.services.cnrs.fr/ca/cacnrs.pem",
  #  crl  => "http://www.services.cnrs.fr/ca/NS/chargcrl_pem.cgi",
  #  auth => ["/*/OU=UREC/O=CNRS/C=FR","/*/OU=LPC/O=CNRS/C=FR",
  #           "/*/OU=DAPNIA/O=CEA/C=FR"]
  #},
  # The three CNRS entries below each authorise a single exact DN or a
  # namespace; presumably they form a chain (top -> projets -> datagrid-fr)
  # where each "auth" names the subordinate CA -- verify against the CNRS
  # CA documentation.
  "cnrs-top" => {
    cert => 'http://igc.services.cnrs.fr/cgi-bin/viewca?cmd=save&CA=Datagrid-fr&ca=CNRS',
    crl  => 'http://igc.services.cnrs.fr/cgi-bin/viewcrl?cmd=save&CA=Datagrid-fr&ca=CNRS',
    auth => ["/C=FR/O=CNRS/CN=CNRS-Projets"]
  },
  "cnrs-projets" => {
    cert => 'http://igc.services.cnrs.fr/cgi-bin/viewca?cmd=save&CA=Datagrid-fr&ca=CNRS-Projets',
    crl  => 'http://igc.services.cnrs.fr/cgi-bin/viewcrl?cmd=save&CA=Datagrid-fr&ca=CNRS-Projets',
    auth => ["/C=FR/O=CNRS/CN=Datagrid-fr"]
  },
  "cnrs-datagrid-fr" => {
    cert => 'http://igc.services.cnrs.fr/cgi-bin/viewca?cmd=save&CA=Datagrid-fr&ca=Datagrid-fr',
    crl  => 'http://igc.services.cnrs.fr/cgi-bin/viewcrl?cmd=save&CA=Datagrid-fr&ca=Datagrid-fr',
    # Notice: namespace incomplete
    auth => ["/C=FR/O=CNRS/*","/C=FR/O=CEA/*"]
  },
  # "dis" is set, so per the header this CA is left out of
  # ca-signing-policy.conf and the text below is echoed to the screen.
  "globus" => {
    dis  => "distrusted due to local NIKHEF policy",
    auth => ["/C=us/O=Globus/*","/C=US/O=Globus/*","/O=Grid/O=Globus/*"]
  },
  "russgrid" => {
    cert => 'http://lhc.sinp.msu.ru/CA/d64ccb53.0',
    crl  => 'http://lhc.sinp.msu.ru/CA/d64ccb53.r0',
    auth => ["/C=RU/O=DataGrid/*"]
  }#,
  # temporary for testing spanish CA
  #"esgrid" => {
  #  cert => 'http://www.ifca.unican.es/datagrid/ca/90e2484f.0',
  #  auth => ["/C=ES/O=DATAGRID-ES/*"],
  #  dis => 'disappeared'
  #}
);