LHC Computer Grid - Rollout
> [mailto:[log in to unmask]] On Behalf Of Antun Balaz
said:
> However, I believe it is possible to strip ACs before trying
> renewing them,
If you steal a proxy you only have the private key for the final cert in
the chain, so you have to present the whole chain to prove your right to
the DN. The ACs are embedded in the cert so you can't remove (or alter)
them without invalidating the proxy.
Stephen
|