On Tue, Jul 24, 2007 at 07:01:18PM +0200, Antun Balaz wrote:
> Hi to all,
>
> This is certainly not a way to go! In order to increase the allowed lifetime
> of a VOMS proxy for EGEE VOs, the permission must be asked from the Joint Security
> Policy Group (JSPG), since this is clearly related to security issues
> (voms-proxies can be subjects of abuse; the longer their lifetime, the longer
> possible abuse).

I am probably missing something since I haven't looked clearly at VOMS
but AFAIK the VOMS servers just add an attribute to the user proxy. It
is that attribute that expires and not the proxy. Since the attribute is
only there to say "this proxy (if still valid) has X role" I cannot
really see how it can be abused beyond the delay that you'll get when a
role is removed from a user. Surely what is important is the proxy
(which can still have any lifetime) and not the attribute. What abuse
scenarios do you have in mind? Maybe I am missing something somewhere.

Cheers,
Kostas