But, with a given valid proxy (voms AC added or not), I can ask for a new VOMS AC (no password needed) and chain the proxy...
So, unless the VO(s) of the user threw the person off their system, a proxy can always become "voms" again...
Cheers
Gidon
On Wed, 25 Jul 2007, Antun Balaz wrote:
> Hi Kostas,
>
> Surely you are right - the basic proxy (grid-proxy part) will still be valid
> for any period user decided to create it for, and just the voms attributes
> will expire after 24 hours due to the limitations of the VOMS server that
> should be in place. In fact, lifetimes of the underlying proxy and its voms
> attributes can be set separately (using -valid and -vomslife switches).
>
> In practice, where authorization for many things still depends on the classical
> static (non-VOMS enabled) grid-mapfile, this means that the potential abuser
> would not have any problems utilizing the voms-proxy with voms attributes
> expired (basically, using it as a grid-proxy). Of course, if a person is a
> member of two or more VOs, just one VO could be used by the abuser (and it
> would depend on the local mapping, which can vary from site to site). However,
> orientation towards VOMS-enabled services should prevent this in the future -
> when authorization on all Grid services is made VOMS-enabled, possible
> problems would disappear.
>
> So, currently, although voms-proxies with expired voms attributes can still be
> abused, in no way should VOs be encouraged to extend allowed voms lifetimes.
> This would again develop bad habits which have only slowly just started to change...
>
> Best regards, Antun
>
> -----
> Antun Balaz
> Research Assistant
> E-mail: [log in to unmask]
> Web: http://scl.phy.bg.ac.yu/
>
> Phone: +381 11 3713152
> Fax: +381 11 3162190
>
> Scientific Computing Laboratory
> Institute of Physics, Belgrade, Serbia
> -----
>
> ---------- Original Message -----------
> From: Kostas Georgiou <[log in to unmask]>
> To: [log in to unmask]
> Sent: Wed, 25 Jul 2007 15:03:12 +0100
> Subject: Re: [LCG-ROLLOUT] Expiration time of a proxy before the end of job.
>
> > On Tue, Jul 24, 2007 at 07:01:18PM +0200, Antun Balaz wrote:
> >
> > > Hi to all,
> > >
> > > This is certainly not a way to go! In order to increase the allowed lifetime
> > > of a VOMS proxy for EGEE VOs, the permission must be asked from Joint Security
> > > Policy Group (JSPG), since this is clearly related with the security issues
> > > (voms-proxies can be subjects of abuse; the longer their lifetime, the longer
> > > possible abuse).
> >
> > I am probably missing something since I haven't looked closely at
> > VOMS but AFAIK the VOMS server just adds an attribute to the user
> > proxy. It is that attribute that expires and not the proxy. Since
> > the attribute is only there to say "this proxy (if still valid) has
> > X role" I can not really see how it can be abused beyond the delay
> > that you'll get when a role is removed from a user. Surely what is
> > important is the proxy (which can still have any lifetime) and not
> > the attribute. What abuse scenarios do you have in mind? Maybe I am
> > missing something somewhere.
> >
> > Cheers,
> > Kostas
> ------- End of Original Message -------
>
--------------------------------------------------
Dr. Gidon Moont
High Energy Physics Group, The Blackett Laboratory
Imperial College London, South Kensington Campus
Prince Consort Road, LONDON SW7 2BW
Tel: +44 (0)207 594 7810
http://gridportal.hep.ph.ic.ac.uk/
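A defender-side check of the situation discussed in the thread (a long-lived proxy whose VOMS AC has hit the 24h cap): this is an added example, not code from anyone in the thread or from the VOMS project. It parses constructed `voms-proxy-info -all` output (the field layout is assumed from the VOMS client tools) and reports which authorization path, static grid-mapfile or VOMS-enabled, would still accept the proxy once its attributes have expired.

```python
import re

# Constructed sample of `voms-proxy-info -all` output (layout assumed from the
# VOMS client tools, not taken from the thread): a proxy created with a long
# -valid whose single VOMS AC, capped at 24h by the server, has already expired.
SAMPLE_OUTPUT = """\
subject   : /C=XX/O=Example/CN=Jane Doe/CN=proxy
path      : /tmp/x509up_u1000
timeleft  : 143:12:07
=== VO example.vo extension information ===
VO        : example.vo
attribute : /example.vo/Role=NULL/Capability=NULL
timeleft  : 0:00:00
uri       : voms.example.org:15000
"""

def _seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def parse_timeleft(output):
    """Return the proxy's own timeleft (seconds) and one timeleft per VO AC."""
    proxy_left, ac_left, vo = None, {}, None
    for line in output.splitlines():
        if m := re.match(r"=== VO (\S+) extension information ===", line):
            vo = m.group(1)          # timeleft lines after this belong to the AC
        elif m := re.match(r"timeleft\s*:\s*(\d+:\d\d:\d\d)", line):
            if vo is None:
                proxy_left = _seconds(m.group(1))
            else:
                ac_left[vo] = _seconds(m.group(1))
    return proxy_left, ac_left

def accepted(proxy_left, ac_left, voms_enabled):
    """Model the two authorization paths: a VOMS-aware service needs a live AC,
    a static grid-mapfile only needs a valid proxy for a mapped DN."""
    if proxy_left <= 0:
        return False
    return ac_left > 0 if voms_enabled else True

def audit(output):
    """Per VO: has the AC expired, and which path would still accept the proxy?"""
    proxy_left, acs = parse_timeleft(output)
    return {vo: {"ac_expired": left <= 0,
                 "gridmap_accepts": accepted(proxy_left, left, False),
                 "voms_accepts": accepted(proxy_left, left, True)}
            for vo, left in acs.items()}
```

For the sample, `audit(SAMPLE_OUTPUT)` reports the AC as expired, the grid-mapfile path still accepting and the VOMS-enabled path rejecting, which is exactly the gap the thread describes.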