[gin-auth] Heads-up for RFC proxies and VOMS ACs

Mike 'Mike' Jones mike.jones at manchester.ac.uk
Thu Jun 8 12:11:37 CDT 2006


I think it's more a problem of implementation.  The RFC suggests that 
proxy certificates' serial numbers should be unique among all those issued 
by the proxy issuer and then goes on to qualify that by saying that they 
may use a random approach.  Yes! I guess this means that it is not a 
"MUST", but the qualification seems to suggest a high probability of 
uniqueness is needed; this is why (I think) MUST became SHOULD in the RFC. 
Besides, GT3 and GT4 both produce "new and rfc" proxies with different 
serial numbers from the issuer--so it's in the/some implementations 
already.

Having said that, it's not the serial number that is really at fault here 
it's the Issuer DN of the Holder of the Attribute.  What is really 
happening is this:

The DN in the Holder Sequence is that of the certificate one level further 
down the chain than it should be.  This leads to the interpretation of the 
AC as belonging to the next certificate in the chain before it checks 
that the serial numbers match up.  As the legacy proxy uses the same 
serial number as its issuer, there exists a certificate in the proxy 
certificate chain that the AC can be identified as belonging to. 
Everyone's nearly happy; voms then goes backwards and places the 
Attributes as belonging to the EEC, not the proxy.


Mike



On Thu, 8 Jun 2006, Von Welch wrote:

>
> I'm perhaps wandering into weeds here, but I'm not sure what "RFC proxies 
> requiring different serial numbers" means. RFC 3820 suggests an algorithm for 
> generating serial numbers, but it's not a requirement. Is something actually 
> requiring specific serial numbers?
>
> Von
>
> On Jun 8, 2006, at 8:41 AM, vincenzo.ciaschini at cnaf.infn.it wrote:
>
>> One correction: this is already present in the gLite 1.5 VOMS server
>> (corresponding to 1.6.10 VOMS version, and therefore also on those that 
>> have been tested up to now by the gin group).
>> 
>> Bye,
>>  Vincenzo
>> Quoting Mike 'Mike' Jones <mike.jones at manchester.ac.uk>:
>> 
>>> 
>>> Just to let you know that due to a bug in gLite 1.5 and earlier:
>>> VOMS attribute certificates as issued by the current instance of the 
>>> gin.ggf.org VOMS cannot work inside an RFC proxy certificate due to the 
>>> Holder section of the attribute certificate being set to the wrong DN and 
>>> RFC proxies requiring different serial numbers.
>>> 
>>> This I believe is fixed in the gLite 3.0 VOMS server (vomsd needing to be 
>>> run with the --newformat option). gLite 3.0 VOMS aware services recognise 
>>> both the 'old' (broken) and 'new' formats.
>>> 
>>> This does not affect systems that currently construct a grid-mapfile for 
>>> the purposes of authorisation.
>>> 
>>> Mike
>>> 
>>> -- 
>>> http://www.sve.man.ac.uk/General/Staff/jonesM/
>>> 
>>> 
>> 
>> 
>> 
>

-- 
http://www.sve.man.ac.uk/General/Staff/jonesM/
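As an added illustration, not part of the thread, here is a small Python model of the holder matching Mike describes: an AC's baseCertificateID (issuer DN plus serial) is looked up against a proxy chain, with the gLite 1.5 bug modelled as taking the holder's issuer DN one certificate closer to the CA than it should be. All DNs, serials and function names are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int


@dataclass(frozen=True)
class Holder:
    """baseCertificateID of the AC: issuer DN and serial of the cert it belongs to."""
    issuer: str
    serial: int


# Constructed sample chain (hypothetical DNs): CA -> EEC -> proxy.
CA = Cert("/C=UK/O=eScience/CN=Example CA", "/C=UK/O=eScience/CN=Example CA", 1)
EEC = Cert("/C=UK/O=eScience/CN=example user", CA.subject, 1234)
# Legacy proxy reuses its issuer's serial; RFC 3820 proxy gets its own (here fixed, not random).
LEGACY_PROXY = Cert(EEC.subject + "/CN=proxy", EEC.subject, EEC.serial)
RFC_PROXY = Cert(EEC.subject + "/CN=987654321", EEC.subject, 987654321)


def chain_for(proxy: Cert) -> List[Cert]:
    """Leaf-first chain as a relying party would see it."""
    return [proxy, EEC, CA]


def find_holder(chain: List[Cert], holder: Holder) -> Optional[Cert]:
    """Return the first cert whose (issuer DN, serial) matches the AC holder, else None."""
    for cert in chain:
        if cert.issuer == holder.issuer and cert.serial == holder.serial:
            return cert
    return None


def correct_holder(proxy: Cert) -> Holder:
    """Holder as it should be for an AC issued to the proxy."""
    return Holder(proxy.issuer, proxy.serial)


def buggy_holder(proxy: Cert, chain: List[Cert]) -> Holder:
    """Models the bug: issuer DN taken from one cert further down the chain (the EEC's issuer)."""
    issuer_cert = next(c for c in chain if c.subject == proxy.issuer)
    return Holder(issuer_cert.issuer, proxy.serial)


def bound_subject(proxy: Cert, holder: Holder) -> Optional[str]:
    """Subject DN the AC ends up attached to, or None when no cert in the chain matches."""
    cert = find_holder(chain_for(proxy), holder)
    return cert.subject if cert else None
```

With the legacy proxy the buggy holder still finds a match, but it is the EEC; with the RFC proxy's distinct serial nothing in the chain matches, which is the failure reported above.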