Yes, that's what I meant. I guess we just need two because of some legacy production systems?!

When I think about opening a TLS connection, I think the following options exist:

(A) I use a GSI proxy to establish a GSI-based TLS connection; each hop creates a new proxy pair.
(B) I use an OpenSSL proxy to establish an OpenSSL-based proxy TLS connection (which includes C); each hop creates a new proxy pair.
(C) I use a full end-entity certificate to establish a TLS connection.

Would you agree on this one with me, and what do others think, e.g. gLite?

Thanks,
Morris

------------------------------------------------------------
Morris Riedel
SW - Engineer
Distributed Systems and Grid Computing Division
Jülich Supercomputing Centre (JSC)
Forschungszentrum Juelich
Wilhelm-Johnen-Str. 1
D - 52425 Juelich
Germany
Email: m.riedel@fz-juelich.de
Info: http://www.fz-juelich.de/jsc/JSCPeople/riedel
Phone: +49 2461 61 - 3651
Fax: +49 2461 61 - 6656
Skype: MorrisRiedel
"We work to better ourselves, and the rest of humanity"

Registered office: Jülich
Registered in the commercial register of the Düren district court, No. HR B 3498
Chairwoman of the Supervisory Board: MinDirig'in Bärbel Brumme-Bothe
Executive Board: Prof. Dr. Achim Bachem (Chairman), Dr. Ulrich Krafft (Deputy Chairman)

From: weizhong qiang [mailto:weizhongqiang@gmail.com]
Sent: Friday, March 27, 2009 1:46 PM
To: Morris Riedel
Cc: Aleksandr Konstantinov; pgi-wg@ogf.org
Subject: Re: [Pgi-wg] Sec: Agreement on attribute transport mechanisms for AttrAuthZ

2009/3/27 Morris Riedel <m.riedel@fz-juelich.de>

> Hi,
>
> > - Of course. "Full certificate" is just an extreme case of proxy
> > certificate - like table without legs.
>
> Unfortunately, we heard earlier that this is not generally the case, since GSI proxy-based TLS also changes the wire or handshaking process, while I agree that end-entity TLS is a subset (as a chain-length-0 proxy) of normal TLS. However, in the practical work I have done in scenarios, I learned we have to support both. So I see that we have to support both?!

There are at least two "both" from my understanding here:

1. In terms of the certificate itself, both full X.509 and proxy certificates; "support" means the verification of the certificate, and only the normal TLS wire protocol is used. Which you agree with from your sentence, I think.

2. In terms of the wire protocol, both TLS and GSI, which practically are incompatible. I guess your question is about this one.

I propose we can have two profiles about this, while mentioning that the GSI (wire protocol) profile is only for legacy reasons, but is not recommended.

Weizhong Qiang

> Take care,
> Morris
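Worked illustration of Weizhong's point 1 above (certificate-level support for both full X.509 and proxy certificates while keeping the normal TLS wire protocol) and of the remark that a full certificate is just the chain-length-0 case of a proxy. This is an added example, not code from the thread, the PGI-WG, Globus/GSI or any Grid middleware. It assumes the Python `cryptography` package; every name, key, certificate and helper in it (`proxy_cert_info`, `parse_proxy_info`, `verify_chain`, `make_cert`, `demo`) is constructed for the demo. It generates a CA, an end-entity certificate and a chain of RFC 3820 proxies in process, then applies the proxy-specific path rules by hand (a proxy's issuer must be an end entity or another proxy, its subject is the issuer name plus exactly one CN, and pCPathLenConstraint bounds how many proxies may follow), so one function accepts a bare end-entity certificate as well as one- and two-hop proxy chains and rejects a chain that overruns an earlier proxy's path-length constraint or breaks the naming rule.

```python
"""Verify an RFC 3820 proxy-certificate chain with ordinary X.509 rules.

Added example for this thread; not code from the PGI-WG, Globus/GSI or any Grid
middleware. Assumes the 'cryptography' package. All certificates are generated
in-process (constructed sample data); nothing talks to a real CA or service.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

# id-pe-proxyCertInfo (RFC 3820 s. 3.8) and a DER proxyPolicy using id-ppl-inheritAll.
PROXY_CERT_INFO = x509.ObjectIdentifier("1.3.6.1.5.5.7.1.14")
INHERIT_ALL_POLICY = bytes.fromhex("300a06082b06010505071501")


def proxy_cert_info(pathlen=None):
    """DER ProxyCertInfo ::= SEQUENCE { pCPathLenConstraint INTEGER OPTIONAL, proxyPolicy }.
    pathlen None means 'no constraint'; values are limited to 0..127 (one-byte INTEGER)."""
    body = (b"\x02\x01" + bytes([pathlen]) if pathlen is not None else b"") + INHERIT_ALL_POLICY
    return x509.UnrecognizedExtension(PROXY_CERT_INFO, b"\x30" + bytes([len(body)]) + body)


def parse_proxy_info(cert):
    """Return (is_proxy, pathlen); pathlen None means unconstrained."""
    try:
        der = cert.extensions.get_extension_for_oid(PROXY_CERT_INFO).value.value
    except x509.ExtensionNotFound:
        return False, None
    body = der[2:2 + der[1]]                      # contents of the outer SEQUENCE
    if body[:1] == b"\x02":                       # optional pCPathLenConstraint present
        return True, int.from_bytes(body[2:2 + body[1]], "big")
    return True, None


def is_ca(cert):
    try:
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        return False


def verify_chain(chain, trust_anchor):
    """chain is leaf-first: [proxy_n, ..., proxy_1, end_entity]. Returns (ok, reason).
    A bare [end_entity] is the chain-length-0 case and goes through the same rules.
    Validity-period and revocation checks are deliberately left out to keep the
    focus on the proxy-specific rules; a real verifier needs them too."""
    parent, budget = trust_anchor, None           # budget: proxies still allowed below here
    for depth, cert in enumerate(reversed(chain)):
        if cert.issuer != parent.subject:
            return False, "issuer does not match parent subject"
        try:
            parent.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       padding.PKCS1v15(), cert.signature_hash_algorithm)
        except InvalidSignature:
            return False, "signature does not verify"
        is_proxy, pathlen = parse_proxy_info(cert)
        if not is_proxy:
            if depth != 0 or not is_ca(parent):
                return False, "end-entity certificate must sit directly under a CA"
        else:
            if depth == 0 or is_ca(parent):
                return False, "proxy must be issued by an end entity or proxy, not a CA"
            if budget == 0:
                return False, "pCPathLenConstraint of an earlier proxy exceeded"
            rdns, last = cert.subject.rdns, list(cert.subject.rdns[-1])
            if rdns[:-1] != parent.subject.rdns or len(last) != 1 or last[0].oid != NameOID.COMMON_NAME:
                return False, "proxy subject must be the issuer name plus one CN"
            if budget is not None:
                budget -= 1                       # this proxy consumes one hop of the budget
            if pathlen is not None:
                budget = pathlen if budget is None else min(budget, pathlen)
        parent = cert
    return True, "ok"


def make_cert(subject, key, issuer_cert, issuer_key, *extensions):
    """Sign a certificate; issuer_cert None means self-signed."""
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(subject)
               .issuer_name(issuer_cert.subject if issuer_cert else subject)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + timedelta(hours=12)))
    for ext, critical in extensions:
        builder = builder.add_extension(ext, critical=critical)
    return builder.sign(issuer_key, hashes.SHA256())


def demo():
    """CA -> end entity -> proxy -> proxy chain (all names made up) and the outcomes."""
    def name(*cns):
        return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn) for cn in cns])
    ca_k, ee_k, p1_k, p2_k, p3_k = (rsa.generate_private_key(public_exponent=65537, key_size=2048)
                                    for _ in range(5))
    ca = make_cert(name("Example Grid CA"), ca_k, None, ca_k,
                   (x509.BasicConstraints(ca=True, path_length=None), True))
    ee = make_cert(name("Grid User"), ee_k, ca, ca_k,
                   (x509.BasicConstraints(ca=False, path_length=None), True))
    p1 = make_cert(name("Grid User", "proxy"), p1_k, ee, ee_k, (proxy_cert_info(pathlen=1), True))
    p2 = make_cert(name("Grid User", "proxy", "proxy"), p2_k, p1, p1_k, (proxy_cert_info(), True))
    p3 = make_cert(name("Grid User", "proxy", "proxy", "proxy"), p3_k, p2, p2_k, (proxy_cert_info(), True))
    rogue = make_cert(name("Someone Else", "proxy"), p3_k, ee, ee_k, (proxy_cert_info(), True))
    return {
        "full_cert": verify_chain([ee], ca),                # plain end-entity TLS case
        "one_hop": verify_chain([p1, ee], ca),
        "two_hops": verify_chain([p2, p1, ee], ca),
        "three_hops": verify_chain([p3, p2, p1, ee], ca),   # p1 permits only one more proxy
        "rogue_name": verify_chain([rogue, ee], ca),        # subject does not extend issuer name
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:11s} {'accept' if ok else 'reject'}: {why}")
```

In OpenSSL itself the same acceptance is switched on with the X509_V_FLAG_ALLOW_PROXY_CERTS verify flag (openssl verify -allow_proxy_certs); without it a chain containing a proxyCertInfo extension fails as an unhandled critical extension, exactly the "support means verification of the certificate" of point 1. None of this touches the TLS handshake, which is what separates it from the GSI wire-protocol variant of point 2.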