[Pgi-wg] OGF PGI - Security Model - NEW versions of GSI accept RFC-3820-compliant X509 proxies
Vincenzo Ciaschini
vincenzo.ciaschini at cnaf.infn.it
Wed Apr 8 05:07:19 CDT 2009
Hi Etienne,
Etienne URBAH wrote:
> Still to be verified is that VOMS servers only accept GSI-style X509
> proxies http://forge.gridforum.org/sf/go/doc15591?nav=1
VOMS accepts and generates both types of proxies. However, there is a
caveat, which explains the failures you get:
Pre VOMS 2.0:
Server-side, VOMS uses GSI for validation. This means that if you run
voms against gt2, contacting it with a gt4 proxy will fail.
There is a final argument in the vomses file which specifies which
version of GT the service uses, and adapts the proxies used to contact
it accordingly. Many VOs distribute an incorrect vomses file.
The final proxy obtained as output by voms-proxy-init will always be
what you requested, in this case an RFC proxy.
VOMS 2.0 onwards:
Globus dependencies on the server will be dropped too (they are
currently removed from both the clients and the APIs). This will mean
that any kind of proxy, or even a bare certificate, will become
acceptable for contacting the service. The whole vomses config business
above will no longer be relevant.
VOMS 2.0 is due to be out during autumn this year.
Ciao,
Vincenzo