2009/3/27 Morris Riedel <m.riedel@fz-juelich.de>
Hi,
>- Of course. "Full certificate" is just an extreme case of proxy certificate - like a table without legs.
Unfortunately, we heard earlier that this is not generally the case, since
GSI proxy-based TLS also changes the wire or handshaking process, while I
agree that end-entity TLS is a subset (as a chain length 0 proxy) of normal
TLS.
However, in practical work I have done in scenarios, I learned we have to
support both. So I see that we have to support both?!
There are at least two "both" from my understanding here:
1. In terms of the certificate itself, both full X.509 and proxy certificates; and support means the verification of the certificate, and only the normal TLS wire protocol is used.
Which you agree with, from your sentence, I think.
2. In terms of wire protocol, both TLS and GSI, which practically are incompatible.
I guess your question is about this one.
I propose we have two profiles for this, while mentioning that the GSI (wire protocol) profile is only for legacy reasons, but is not recommended.
Weizhong Qiang
Take care,
Morris