Mario David wrote:
> Hi
> I have the following question
> I have in my proxy machine the following /etc/myproxy.conf
> ....
> accepted_credentials "/C=FR/O=CNRS/CN=CNRS-Projets"
> accepted_credentials "/*"
> ....
> this entry "/*" comes from
> 6b4ddd18.signing_policy file
>
> cat 6b4ddd18.signing_policy
> # EACL French CA, DataGrid level: Datagrid-fr
> access_id_CA X509 '/C=FR/O=CNRS/CN=Datagrid-fr'
> pos_rights globus CA:sign
> cond_subjects globus '"/*"'
>
> So, these entries allow each and everyone to put credentials in the proxy
Anyone who can present a valid proxy of a CA configured on the server.
> server (I think I have no problem with that, but I am not a security expert).
> the question is why on earth give the script
> /etc/init.d/myproxy-generate-config.pl the trouble of going through
> all the *.signing_policy to take out the subjects which are allowed to put
> credentials in the proxy server.
Indeed, we should remove those unnecessary and confusing lines.
Open a bug...
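
The redundancy discussed in this thread, shown as an added example that is not part of either message or of the MyProxy scripts: it extracts `cond_subjects` patterns from a signing policy and reports which `accepted_credentials` lines are already covered by a broader one. The inputs are constructed from the lines quoted above, and glob matching via `fnmatch` is an assumption standing in for the server's own pattern matching.

```python
import fnmatch
import re
import shlex

# Constructed sample inputs, modelled on the entries quoted in the thread.
SIGNING_POLICY = """\
# EACL French CA, DataGrid level: Datagrid-fr
access_id_CA X509 '/C=FR/O=CNRS/CN=Datagrid-fr'
pos_rights globus CA:sign
cond_subjects globus '"/*"'
"""
MYPROXY_CONF = """\
accepted_credentials "/C=FR/O=CNRS/CN=CNRS-Projets"
accepted_credentials "/*"
"""

def cond_subjects(policy_text):
    """Return the subject patterns listed on cond_subjects lines."""
    subjects = []
    for line in policy_text.splitlines():
        line = line.strip()
        if line.startswith("#") or not line.startswith("cond_subjects"):
            continue
        # Form: cond_subjects globus '"pattern1" "pattern2"'
        fields = shlex.split(line)                   # removes the outer single quotes
        if len(fields) >= 3:
            subjects.extend(shlex.split(fields[2]))  # removes the inner double quotes
    return subjects

def accepted_credentials(conf_text):
    """Return the patterns of all accepted_credentials lines, in file order."""
    return re.findall(r'^\s*accepted_credentials\s+"([^"]*)"', conf_text, re.M)

def shadowed(patterns):
    """Map each pattern to a broader pattern in the list that already covers it."""
    covered = {}
    for narrow in patterns:
        for broad in patterns:
            # Assumption: glob semantics, where '*' also matches '/' inside a DN.
            if broad != narrow and fnmatch.fnmatchcase(narrow, broad):
                covered[narrow] = broad
                break
    return covered

if __name__ == "__main__":
    print("from signing policy:", cond_subjects(SIGNING_POLICY))
    for narrow, broad in shadowed(accepted_credentials(MYPROXY_CONF)).items():
        print(f'redundant: "{narrow}" is already covered by "{broad}"')
```
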