Good point!
In theory:
Proxy certificate should be short-live (12 or 24 hours), attribute
certificate should be no longer than proxy certificate (shorter is ok),
any services or operations require long-live proxy certificate should
use my proxy server and my proxy server should be voms attribute
awareness so that it can renew not only proxy certificate but also
attribute certificate when required, and all services also need to be
voms attribute aware so that they can verify not only proxy certificate
but also voms attributes.
In reality (at moment):
Proxy certificates are 3-7 days long because there is no my proxy server
or my proxy server is not used by other services. Some services are not
voms attributes aware, that mean they do not recognise the voms
attributes. My proxy server is not attribute aware, so that it can not
renew attribute certificate on behalf of users if needed.
In fact, proxy certificate tells the system who you are (authentication)
and attribute certificate tells the system what you can do (your
capabilities) so that the system can authenticate you (by proxy
certificate) and also authorize you according to the attributes (by
attribute certificate and its local access control policy). It requires
that all services are attributes-awareness, but at moment it is not the
case.
Obviously we have a long way to go!
Regards,
Mingchao
-----Original Message-----
From: LHC Computer Grid - Rollout
[mailto:[log in to unmask]] On Behalf Of Burke, S
(Stephen)
Sent: 26 July 2007 21:42
To: [log in to unmask]
Subject: Re: [LCG-ROLLOUT] Expiration time of a proxy before the end of
job.
LHC Computer Grid - Rollout
> [mailto:[log in to unmask]] On Behalf Of Antun Balaz
said:
> there is another approach: all grid components may be changed so as to
> NOT accept proxies of any type with lifetime longer than, say, 24
> hours.
After a bit of thought (i.e. I may be wrong :) I think we could do it
with three things: all services should require VOMS attributes, myproxy
should be VOMS-aware so it can renew the VOMS attributes when it issues
proxies, and VOMS should reject requests if there is a long-lived proxy
in the chain unless the request comes from an approved myproxy.
> I think we don't have to wait first serious cases of abuse until this
> is streamlined :(
Unfortunately at the moment security is not seen as the main priority
(apart from finding ways of reducing it if it's too inconvenient ...)
Stephen
|