Hi Igor,
The renewal process requires a different interface to be used on the
myproxy. Only authorized resource brokers may perform the renewal on a
myproxy. Which is one of the setup difficulties, since not all resource
brokers are authorized at all myproxy services.
As I see it, there seems to be a different issue going on here. There is
a VOMS aware renewal service. It comes with the glite WMS. Not everybody
is that keen on upgrading just yet to that AFAIK and so we still have
the old type RB without the VOMS aware renewal. As I recently learned,
there is such a back port available for this functionality to the older
RB type.
It is a good idea to use the short lived certificates and also short
lived VOMS credentials. Is there a technical reason why the VOMS aware
renewal service is not available yet on the classic RBs? I think it
would be very convenient for the original issue, which was the not being
able to renew VOMS credentials.
Oscar
Sfiligoi Igor wrote:
> Hi Stefan.
>
> Then the long lived proxy is already on the myproxy.
>
> All you need to do is steal the short lived proxy and use the same
> myproxy to renew it for as long as the long lived proxy allows.
>
> Am I wrong?
>
> Igor
>
> Burke, S (Stephen) wrote:
>> Sfiligoi Igor said:
>>> Once that is possible, what prevents an impostor to upload the stolen
>>> long lived proxy into a MyProxy server and use the MyProxy to obtain
>>> short lived proxies for submission on the Grid?
>>
>> Where would someone steal a long-lived proxy? In this model the only
>> place you would have such proxies is in the myproxy, and temporarily on
>> the UI. If either of those is hacked you have big problems anyway.
>>
>> Stephen