[gin-auth] Heads-up for RFC proxies and VOMS ACs

Von Welch vwelch at ncsa.uiuc.edu
Thu Jun 8 08:59:48 CDT 2006


I'm perhaps wandering into weeds here, but I'm not sure what "RFC  
proxies requiring different serial numbers" means. RFC 3820 suggests  
an algorithm for generating serial numbers, but it's not a  
requirement. Is something actually requiring specific serial numbers?

Von

On Jun 8, 2006, at 8:41 AM, vincenzo.ciaschini at cnaf.infn.it wrote:

> One correction: this is already present in the gLite 1.5 VOMS server
> (corresponding to 1.6.10 VOMS version), and therefore also on those that
> have been tested up to now by the gin group.
>
> Bye,
>   Vincenzo
> Quoting Mike 'Mike' Jones <mike.jones at manchester.ac.uk>:
>
>>
>> Just to let you know that due to a bug in gLite 1.5 and earlier:
>> VOMS attribute certificates as issued by the current instance of  
>> the gin.ggf.org VOMS cannot work inside an RFC proxy certificate  
>> due to the Holder section of the attribute certificate being set  
>> to the wrong DN and RFC proxies requiring different serial numbers.
>>
>> This I believe is fixed in the gLite 3.0 VOMS server (vomsd  
>> needing to be run with the --newformat option). gLite 3.0 VOMS  
>> aware services recognise both the 'old' (broken) and 'new' formats.
>>
>> This does not affect systems that currently construct a grid-mapfile
>> for the purposes of authorisation.
>>
>> Mike
>>
>> -- 
>> http://www.sve.man.ac.uk/General/Staff/jonesM/




