> > It turns out that if I simulate this "bad" behaviour (albeit different
> > with VOs) I am able to authenticate and am authorised using the injected
> > assertion. It is this which I believe is wrong.
>
> Why? The ACs correctly assert that you're a member of all those VOs - as
> long as the AC is validly issued why should a service reject it? The fact
> that the ACs are in different places in the chain isn't relevant, proxies
> may go through many delegation steps so you need any VOMS assertions to
> continue to be valid, and the existence of proxy renewal services implies
> that VOMS must be prepared to issue ACs to multiply-delegated proxies
> (although, I would hope, not to limited proxies - but I wouldn't bet much
> on it ...)
I am inclined to agree with Stephen, with the condition of full and legitimate
delegation. Full delegation means the level of delegation does not matter, as
a proxy at any level bears the same right as the original one.
However, how middleware will handle the mixture of ACs at different levels of
delegation is not clear to me; probably the behavior is undefined.
Cheers,
Mingchao