LHC Computer Grid - Rollout
> On Behalf Of Antun Balaz
said:
> there is another approach: all grid components may be
> changed so as to NOT accept proxies of any type with lifetime
> longer than, say, 24 hours.
After a bit of thought (i.e. I may be wrong :) I think we could do it
with three things: all services should require VOMS attributes, myproxy
should be VOMS-aware so it can renew the VOMS attributes when it issues
proxies, and VOMS should reject requests if there is a long-lived proxy
in the chain unless the request comes from an approved myproxy.
> I think we don't have to wait for the first serious cases of abuse
> until this is streamlined :(
Unfortunately at the moment security is not seen as the main priority
(apart from finding ways of reducing it if it's too inconvenient ...)
Stephen
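
A small model of the policy proposed in the message above, added here as an illustration; it is not part of the original e-mail and is not VOMS or MyProxy code. The `Cert` record, the function names, the sample DNs and dates are all assumptions constructed for the example, and the requester is assumed to be identified by an already-authenticated DN.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

MAX_PROXY_LIFETIME = timedelta(hours=24)   # the "say, 24 hours" limit from the thread
# Constructed DN standing in for a site-approved MyProxy server (assumption).
APPROVED_MYPROXY = {"/DC=org/DC=example/CN=host/myproxy.example.org"}

@dataclass
class Cert:
    subject: str
    is_proxy: bool          # True for a proxy certificate, False for the user's own cert
    not_before: datetime
    not_after: datetime

def long_lived_proxies(chain: List[Cert]) -> List[Cert]:
    """Proxies in the chain whose validity window exceeds the limit."""
    return [c for c in chain
            if c.is_proxy and (c.not_after - c.not_before) > MAX_PROXY_LIFETIME]

def voms_should_issue(chain: List[Cert], requester_dn: str) -> bool:
    """VOMS side: refuse attributes when a long-lived proxy is in the chain,
    unless the authenticated requester is an approved MyProxy server."""
    if not long_lived_proxies(chain):
        return True
    return requester_dn in APPROVED_MYPROXY

def service_accepts(chain: List[Cert], voms_attrs_expire: Optional[datetime],
                    now: datetime) -> bool:
    """Service side: require unexpired VOMS attributes and an unexpired chain."""
    if voms_attrs_expire is None or now >= voms_attrs_expire:
        return False
    return all(c.not_before <= now < c.not_after for c in chain)

# Constructed sample data: a user certificate, a 12-hour proxy and a 7-day proxy.
T0 = datetime(2008, 1, 1)
USER = Cert("/DC=org/DC=example/CN=Some User", False, T0, T0 + timedelta(days=365))
SHORT = Cert(USER.subject + "/CN=proxy", True, T0, T0 + timedelta(hours=12))
LONG = Cert(USER.subject + "/CN=proxy", True, T0, T0 + timedelta(days=7))
```

In this model a copied 7-day proxy stays cryptographically valid for a week, but it stops being usable once its short-lived VOMS attributes expire, because only the approved MyProxy server can get them renewed.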