 |
 |
Hi, Mario David wrote: >Hi >I have the following question >I have in my proxy machine the following /etc/myproxy.conf >.... >accepted_credentials "/C=FR/O=CNRS/CN=CNRS-Projets" >accepted_credentials "/*" >.... >this entry "/*" comes from >6b4ddd18.signing_policy file > >cat 6b4ddd18.signing_policy ># EACL French CA, DataGrid level: Datagrid-fr >access_id_CA X509 '/C=FR/O=CNRS/CN=Datagrid-fr' >pos_rights globus CA:sign >cond_subjects globus '"/*"' > >So, this entries allows each and everyone to put crendentials in the proxy >server > Only for certificates issued by this CA >(I think I have no problem with that, but I am not a security expert). >the question is why on earth give the script >/etc/init.d/myproxy-generate-config.pl the trouble of going through >all the *.signing_policy to take out the subjects which are allowed to put >credentials in the proxy server. >or should we remove everytime we make an upgrade >the ca_CNRS-DataGrid-0.32-1 rpm ? > > This will change nothing... The CA CNRS Datagrid-fr will finish at the end of December 2005. CNRS GRID-FR is the new CNRS CA for Grid projects, this CA issues certificates since April 2005. Perhaps, you could ignore the Datagrid-fr CA. Sophie, CNRS CA administrator >cheers > >Mario David > > >