Name Constraints, was Re: [caops-wg] Re: ca signing policy file

Cowles, Robert D. rdc at slac.stanford.edu
Sat Oct 15 21:12:59 CDT 2005

> -----Original Message-----
> From: David Chadwick [mailto:d.w.chadwick at kent.ac.uk] 
> Sent: Friday, October 14, 2005 9:50 AM
...
> 
> Cowles, Robert D. wrote:
> >  
> > The gridmapfile gives no clue as to CA or to VO.
> 
> Also to the time of day, or user location, or request parameters, or
> hundreds of other things that might place conditions on what the user is
> allowed to do. So gridmap files were a nice first shortcut to get
> something working fast (a bit like the GridShib mapping file today) but
> they cannot realistically be expected to provide a long term solution.
> 
> regards
> 
> David



No .. but they seem very "sticky" and difficult to get rid of. I am
also aware of sites adding CAs to the trusted list without understanding
the implications of having a "trusted CA" that had no signing policy
constraints .... I could be wrong -- if a CA doesn't appear in the
signing policy file, is it unconstrained or completely constrained?
(Of course, if the latter, the site is likely to add an unconstrained
entry to get things working rather than try to figure out the proper
constraints.)

BC