Mike Jones [mailto:[log in to unmask]] said:
> This argument rears its head every couple of years and seems to be similar to the default deny vs default allow argument which is oft debated in 
> relation to firewall rules. 

Indeed - if the credential doesn't expire you have to explicitly revoke it and be sure that the mechanism works. Certificate revocation is slow and cumbersome and there is currently no revocation for VOMS, so you'd be relying on Argus banning or similar to be deployed and working everywhere.

In any case this seems a bit like debating whether the UK should switch to driving on the right. A system like this would need co-ordinated changes in all the middleware and in the operational tools and procedures - consider how long it took to make the SHA-2 transition, which was trivial by comparison.

Stephen