[caops-wg] [igtf-general] Re: Grid Certificate Profile version 0.20
Mike 'Mike' Jones
mike.jones at manchester.ac.uk
Thu Mar 15 07:05:44 CST 2007
Darcy,
Yes, there was a discussion about this at OGF19. It seems that it's only
the hostname to certificate authentication cross check that uses this
process; I was just worried that the same routines might be used in the
grid-mapping of user certificates but this seems not to be the case.
On the subject of wild cards, a number of browsers support the use of the
asterisk as a wild card in the CN field of a DNS-style CN, e.g.
*.google.com; does this document need a comment to this effect?
Thanks,
Mike
On Thu, 15 Mar 2007, David Groep wrote:
> Hi all,
>
> Darcy Quesnel wrote:
>> Has anyone replied to you about this?
>>
>> My experience is that the globus patched version of openssl will interpret
>> the "robert kilroy-" part as a wildcard and only treat silk as significant.
>> I'm trying to remember if the space makes a difference - I don't think it
>> does.
>
> No, this implicit wildcard matching is only used when comparing
> host names, and is not in the code matching usernames in the gridmapfile
> (I just looked at that piece of the code and there is nothing special
> in the gss_assist_gridmap call regarding dashes).
> So, the mapping will be unique and Mr. Kilroy-silk will be safe :-)
>
> Cheers,
> DavidG.
>
>
>>
>>
>> Darcy
>>
>>
>> Mike 'Mike' Jones wrote:
>>
>>> One question that I've just been asked is: "Does the hyphen in a CN
>>> (ss 3.2.3) affect user certificates in Globus installations?"
>>>
>>> e.g.
>>> If I have "...CN=robert kilroy-silk" in my grid-mapfile and
>>> I process a GSI connection with "CN=robert kilroy", will they get Mr
>>> kilroy-silk's account mapping?
>>>
>>> Mike
>>>
>>> --
>>> caops-wg mailing list
>>> caops-wg at ogf.org
>>> http://www.ogf.org/mailman/listinfo/caops-wg
>
>
>