[Pgi-wg] Sec: Agreement on attribute transport mechanisms for AttrAuthZ

Aleksandr Konstantinov aleksandr.konstantinov at fys.uio.no
Fri Mar 27 09:08:17 CDT 2009


On Friday 27 March 2009 15:53, you wrote:
> Hi,
>  
> > (B)
> > 
> > I use an OpenSSL proxy to establish an OpenSSL-based proxy TLS
> > connection (which included C) – each hop creates new proxy-pair
> 
> > TLS connection by itself can't create *new* proxy. One needs some
> > additional way to do that.
> 
> 
> Of course, so you do:
> 
> (1) Create a new proxy using OpenSSL
> (2) using this proxy to create the TLS connection
> 
> Is that wrong?

That depends on whether the TLS connection in the next hop is going to be established using identity impersonation.
If yes, then step (1) can't be performed because the previous step did not provide delegated credentials.
(Or did it? Delegation is very tightly coupled here.)
If no, then the credentials of the service (or whatever is available) are used and step (1) is not necessary.


A.K.

