[Pgi-wg] Sec: Agreement on attribute transport mechanisms for AttrAuthZ

weizhong qiang weizhongqiang at gmail.com
Fri Mar 27 07:45:43 CDT 2009


2009/3/27 Morris Riedel <m.riedel at fz-juelich.de>

> Hi,
>
> > - Of course. "Full certificate" is just an extreme case of proxy
> > certificate - like a table without legs.
>
> Unfortunately, we heard earlier that this is not generally the case, since
> GSI proxy-based TLS also changes the wire or handshaking process, while I
> agree that end-entity TLS is a subset (as a chain-length-0 proxy) of normal
> TLS.
>
> However, in practical work I have done in scenarios, I learned we have to
> support both. So I see that we have to support both?!


There are at least two "both"s here, from my understanding:

1. In terms of the certificate itself: both full X.509 and proxy certificates;
"support" means the verification of the certificate, and only the normal TLS
wire protocol is used.
You agree with this, judging from your sentence, I think.

2. In terms of the wire protocol: both TLS and GSI, which in practice are
incompatible.
I guess your question is about this one.
I propose we have two profiles for this, while mentioning that the GSI (wire
protocol) profile is only for legacy reasons and is not recommended.


Weizhong Qiang


>
>
> Take care,
> Morris
>
>