2009/3/27 Morris Riedel <m.riedel@fz-juelich.de>
Hi,
- Of course. "Full certificate" is just an extreme case of proxy certificate - like table without legs.
Unfortunately, we heard earlier that this is not generally the case since GSI proxy-based TLS changes also the wire or handshaking process while I agree with end-entity TLS is a subset (as chain length 0 proxy) of normal TLS.
However, in practical works I have done in scenarios - I learned we have to support both. So I see that we have to support both?!
There are at least two "both" from my understanding here: 1, in terms of certificate itself, both full X.509 and proxy certificate; and support means the verification of certificate, and only normal TLS wire protocol is used. Which you agree from your sentence, I think. 2, in terms of wire protocol, both TLS and GSI, which practically are incompatible. I guess your question is about this one. I propose we can have two profiles about this, while mentioning GSI (wire protocol) profile is only for legacy reason, but is not recommended. Weizhong Qiang
Take care, Morris