Testbed Support for GridPP member institutes [mailto:[log in to unmask]] On Behalf Of Mike Jones said:
> It turns out that if I simulate this "bad" behaviour (albeit different with VOs) I am able to
> authenticate and am authorised using the injected assertion. It is this which I believe is wrong.
Why? The ACs correctly assert that you're a member of all those VOs - as long as the AC is validly issued why should a service reject it? The fact that the ACs are in different places in the chain isn't relevant; proxies may go through many delegation steps, so you need any VOMS assertions to continue to be valid, and the existence of proxy renewal services implies that VOMS must be prepared to issue ACs to multiply-delegated proxies (although, I would hope, not to limited proxies - but I wouldn't bet much on it ...)
Stephen