RE: Name Constraints, was Re: [caops-wg] Re: ca signing policy file
-----Original Message-----
From: David Chadwick [mailto:d.w.chadwick@kent.ac.uk]
Sent: Friday, October 14, 2005 9:50 AM
...
Cowles, Robert D. wrote:
The gridmapfile gives no clue as to CA or to VO.
Also to the time of day, or user location, or request parameters, or hundreds of other things that might place conditions on what the user is allowed to do. So gridmap files were a nice first shortcut to get something working fast (a bit like the GridShib mapping file today) but they cannot realistically be expected to provide a long term solution.
regards
David
No .. but they seem very "sticky" and difficult to get rid of. I am also aware of sites adding CAs to the trusted list without understanding the implications of having a "trusted CA" that had no signing policy constraints .... I could be wrong -- if a CA doesn't appear in the signing policy file, is it unconstrained or completely constrained? (Of course, if the latter, the site is likely to add an unconstrained entry to get things working rather than try to figure out the proper constraints.) BC
participants (1)
-
Cowles, Robert D.