https://savannah.cern.ch/bugs/index.php?func=detailitem&item_id=6531
is relevant here I think. It's on the todo list.
| Ian Neilson
| Grid Deployment Group, CERN
| Tel: +41 (0)22 76 74929
> -----Original Message-----
> From: LHC Computer Grid - Rollout [mailto:LCG-
> [log in to unmask]] On Behalf Of Sophie Nicoud
> Sent: 07 September 2005 16:58
> To: [log in to unmask]
> Subject: Re: [LCG-ROLLOUT] proxy configuration question (security?)
>
> Hi David,
>
> [log in to unmask] wrote:
>
> >Hi Sophie
> >my question is, in the myproxy.conf what is the difference between
> >having only
> >accepted_credentials "/*"
> >
> >
> I don't know myproxy configuration.
> Here, you have, for me, a strange list. This list of credential contents
> subjects of certificate of CA and sub-CAs and subjects of certificates
> issued by CA (or sub-CA).
> What I know is why we have "/* " in the signing-policy.conf of the CNRS
> Datagrid-fr CA:
> because it's a "old" CA issuing certificates with subject with no root
> subject.
>
> >and having all of this
> >accepted_credentials "/C=TW/*"
> >
> >
> ^-- I hope, you're accepting all subjects starting with "/C=TW/*" issued
> by the Taiwan CA !! not certificates issued by other CAs with this same
> subject..
>
> >accepted_credentials "/C=CN/O=IHEP/OU=CC/*"
> >accepted_credentials "/C=AM/O=ArmeSFo/*"
> >accepted_credentials "/C=BE/O=BELNET/OU=BEGrid/CN=BEGrid
> >[log in to unmask]"
> >accepted_credentials "/C=BE/O=BEGRID/*"
> >accepted_credentials "/C=BE/O=BELNET/OU=BEGrid/CN=BEGrid
> >[log in to unmask]"
> >
> >
> ^----- This is the subject of the Belgian CA
>
> >accepted_credentials "/C=BE/O=BEGRID/*"
> >
> >
> ^----- This is the start of subject certificates issued by Belgian CA
>
> >accepted_credentials "/C=CH/O=CERN/OU=GRID/*"
> >accepted_credentials "/C=FR/O=CNRS/CN=CNRS-Projets"
> >
> >
> ^---- this is the subject of our CNRS sub-CA. Only CNRS-Projets sub-CA
> has this subject
>
> >accepted_credentials "/C=FR/O=CNRS/CN=CNRS"
> >
> >
> ^---- This is the subject of the root CNRS CA. Only Root CNRS CA has
> this subject
>
> >accepted_credentials "/C=FR/O=CNRS/CN=Datagrid-fr"
> >
> >
> ^---- this is the subject of our CNRS sub-CA. Only CNRS Datagrid-fr
> sub-CA has this subject
>
> >accepted_credentials "/C=FR/O=CNRS/CN=GRID-FR"
> >
> >
> ^---- Again, this is the subject of our new CNRS sub-CA. Only CNRS
> GRID-FR sub-CA has this subject
>
> >accepted_credentials "/C=FR/O=CNRS/CN=CNRS-Projets"
> >
> >
> ^---- Same
>
> >accepted_credentials "/*" <===================================
> >
> >
> ^----- Subjects issued by Datagrid-fr CA
>
> >accepted_credentials "/O=GRID-FR/*"
> >
> >
> ^----- Subjects issued by GRID-FR CA
>
> >accepted_credentials "/C=CY/O=CyGrid/*"
> >accepted_credentials "/C=CY/O=CyGrid/*"
> >accepted_credentials "/DC=org/DC=DOEGrids/OU=Certificate Authorities/*"
> >
> >
> Bye
> Sophie
>
> >etc.
> >
> >cheers
> >Mario
> >
> >
> >
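An added example, not part of the thread and not MyProxy's own code: a small audit of the `accepted_credentials` lines quoted above, showing which entries are already covered by a broader entry such as `"/*"`. It assumes the patterns are matched against the client DN as case-sensitive shell-style globs; the function names and the sample DN are made up for illustration.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample: a subset of the accepted_credentials lines quoted in the thread.
SAMPLE_CONF = '''
accepted_credentials "/C=TW/*"
accepted_credentials "/C=CH/O=CERN/OU=GRID/*"
accepted_credentials "/C=FR/O=CNRS/CN=GRID-FR"
accepted_credentials "/*"
accepted_credentials "/O=GRID-FR/*"
accepted_credentials "/C=CY/O=CyGrid/*"
accepted_credentials "/C=CY/O=CyGrid/*"
'''

LINE_RE = re.compile(r'^\s*accepted_credentials\s+"([^"]*)"')

def parse_patterns(text):
    """Return the quoted accepted_credentials patterns in file order."""
    return [m.group(1) for m in map(LINE_RE.match, text.splitlines()) if m]

def covers(broad, narrow):
    """True if every DN matched by `narrow` is also matched by `broad`.
    Only compares literals and 'prefix*' patterns, the shapes used in the thread."""
    if broad == narrow:
        return True
    if any(c in broad[:-1] + narrow[:-1] for c in "*?["):
        return False  # wildcard before the last character: not compared
    if not broad.endswith("*"):
        return False  # a literal covers only itself
    return narrow.rstrip("*").startswith(broad[:-1])

def shadowed(patterns):
    """Map each pattern to the other entries (broader or duplicate) that cover it."""
    report = {}
    for i, p in enumerate(patterns):
        by = sorted({q for j, q in enumerate(patterns) if j != i and covers(q, p)})
        if by:
            report[p] = by
    return report

def accepts(patterns, dn):
    """Assumed matching rule: shell-style glob, case-sensitive, '*' spans '/'."""
    return any(fnmatchcase(dn, p) for p in patterns)

if __name__ == "__main__":
    pats = parse_patterns(SAMPLE_CONF)
    for pat, by in shadowed(pats).items():
        print(f"{pat!r} is already covered by {by}")
    # Constructed DN from no listed country: accepted only because of "/*".
    print(accepts(pats, "/C=XX/O=Example/CN=constructed user"))
```
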