[gin-auth] Heads-up for RFC proxies and VOMS ACs

vincenzo.ciaschini at cnaf.infn.it vincenzo.ciaschini at cnaf.infn.it
Thu Jun 8 12:49:26 CDT 2006


Hi Von,

Quoting Von Welch <vwelch at ncsa.uiuc.edu>:

>
> I'm perhaps wandering into weeds here, but I'm not sure what "RFC  
> proxies requiring different serial numbers" means. RFC 3820 suggests  
> an algorithm for generating serial numbers, but it's not a  
> requirement. Is something actually requiring specific serial numbers?
Mike here is referring to the serial number present in the baseCertificateID subfield of the Holder field of the AC, not to the AC's serial number, and yes, section 4.2.2 of RFC 3281 is very specific about what should go in there.

Bye,
   Vincenzo

>
> Von
>
> On Jun 8, 2006, at 8:41 AM, vincenzo.ciaschini at cnaf.infn.it wrote:
>
>> One correction: this is already present in the gLite 1.5 VOMS server
>> (corresponding to 1.6.10 VOMS version, and therefore also on those  
>> that have
>> been tested up to now by the gin group.
>>
>> Bye,
>>   Vincenzo
>> Quoting Mike 'Mike' Jones <mike.jones at manchester.ac.uk>:
>>
>>>
>>> Just to let you know that due to a bug in gLite 1.5 and earlier:
>>> VOMS attribute certificates as issued by the current instance of  
>>> the gin.ggf.org VOMS cannot work inside an RFC proxy certificate  
>>> due to the Holder section of the attribute certificate being set  
>>> to the wrong DN and RFC proxies requiring different serial numbers.
>>>
>>> This I believe is fixed in the gLite 3.0 VOMS server (vomsd  
>>> needing to be run with the --newformat option). gLite 3.0 VOMS  
>>> aware services recognise both the 'old' (broken) and 'new' formats.
>>>
>>> This does not affect systems that currently construct a grid-mapfile for the purposes of authorisation.
>>>
>>> Mike
>>>
>>> -- 
>>> http://www.sve.man.ac.uk/General/Staff/jonesM/
>>>
>>>
>>
>>
>>
>> ----------------------------------------------------------------
>> This message was sent using IMP, the Internet Messaging Program.
>>
>
>
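The Holder binding Vincenzo points to (RFC 3281 section 4.2.2) modelled as a small check, added here as an illustration and not code from this thread or from VOMS itself: it assumes, as VOMS does, that the AC holder is the user's end-entity certificate (EEC), so the baseCertificateID must carry that certificate's issuer name and serial number rather than the proxy's; every DN and serial below is constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    is_proxy: bool = False  # True when the cert carries the RFC 3820 ProxyCertInfo extension

@dataclass(frozen=True)
class ACHolder:
    # baseCertificateID of the AC Holder field: issuer name and serial of the holder's PKC
    issuer: str
    serial: int

def end_entity_cert(chain: List[Cert]) -> Optional[Cert]:
    # Chain is ordered leaf first; the EEC is the first certificate that is not a proxy.
    for cert in chain:
        if not cert.is_proxy:
            return cert
    return None

def identifies(holder: ACHolder, cert: Cert) -> bool:
    return holder.issuer == cert.issuer and holder.serial == cert.serial

def validate_ac_holder(holder: ACHolder, chain: List[Cert]) -> str:
    eec = end_entity_cert(chain)
    if eec is None:
        return "no end-entity certificate in chain"
    if identifies(holder, eec):
        return "ok"
    if any(c.is_proxy and identifies(holder, c) for c in chain):
        return "holder names a proxy certificate, not the EEC"
    if holder.issuer != eec.issuer:
        return "holder issuer DN does not match the EEC issuer"
    return "holder serial does not match the EEC serial"

# Constructed sample chain; every DN and serial below is made up.
CA_DN = "/C=IT/O=Example/CN=Example CA"
USER_DN = "/C=IT/O=Example/CN=Example User"
EEC = Cert(subject=USER_DN, issuer=CA_DN, serial=0x1A2B)
# RFC 3820 proxy: issued by the EEC, subject = EEC subject plus one CN, serial chosen by the EEC.
PROXY = Cert(subject=USER_DN + "/CN=1337426", issuer=USER_DN, serial=0x7E9F03A1, is_proxy=True)
CHAIN = [PROXY, EEC]

GOOD = ACHolder(issuer=CA_DN, serial=EEC.serial)                     # bound to the EEC as RFC 3281 requires
BOUND_TO_PROXY = ACHolder(issuer=PROXY.issuer, serial=PROXY.serial)  # different DN and serial
WRONG_DN = ACHolder(issuer=USER_DN, serial=EEC.serial)               # right serial, wrong issuer DN
```

A service that matched the Holder against the proxy certificate presenting the AC, instead of walking back to the EEC, would see exactly the DN and serial mismatch described above.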