Introduce the x509-subject-issuer attribute #22
Comments
Just a small question, why not call it subject-x509-issuer? (which is what it is called in the authz-interop profile, see 6.1.4 in the authz-interop profile) It has the same semantics.
Hi Mischa, I liked the idea of the X509 prefix in the attribute name, which is also used for the new X509-authn-profile attribute. I have no strong feelings about this anyway.
Hi,
Well, in theory yes, in practice we use a different XACML profile anyway.
Sure, that's also why I don't have a strong preference (-; On the other hand, we'll probably also create a shortened attribute for the PAP, where you cannot see the profile name. The other EMI/gLite attribute, which contains all issuers of all certs (incl. even proxy DNs), is called
The X509 PIPs that currently process X.509 certificates in incoming requests set the subject-issuer attribute, which holds the subjects of the certificates in the chain, up to the trust anchor, that signed the EEC included in the authorization request.
We add another attribute, the x509-subject-issuer attribute, which holds the subject of the first certificate that signed the EEC, to simplify the implementation work for #21.
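The difference between the two attributes described in the issue text, as an added example that is not code from this project: it derives both values from a certificate chain by following issuer DNs from the EEC. The chain model, the made-up DNs, the function names and the rule that the EEC is the first non-proxy certificate are all assumptions of this sketch, and the short attribute names stand in for the full attribute identifiers, which the page does not give.

```python
# Added example, not project code. Constructed sample chain, leaf first:
# proxy -> EEC -> issuing CA -> root. Each entry is
# (subject DN, issuer DN, is_proxy); every DN here is made up.
CHAIN = [
    ("CN=proxy,CN=Alice,O=Example", "CN=Alice,O=Example", True),
    ("CN=Alice,O=Example", "CN=Example Issuing CA,O=Example", False),
    ("CN=Example Issuing CA,O=Example", "CN=Example Root CA,O=Example", False),
    ("CN=Example Root CA,O=Example", "CN=Example Root CA,O=Example", False),
]


def find_eec(chain):
    """Return the end-entity certificate.

    Assumption: the EEC is the first certificate not flagged as a proxy.
    """
    for cert in chain:
        if not cert[2]:
            return cert
    raise ValueError("chain contains only proxy certificates")


def issuer_subjects(chain):
    """Subjects of the certificates that signed the EEC, nearest signer
    first, ending at the self-signed trust anchor. Proxy DNs are ignored."""
    issuer_of = {subj: iss for subj, iss, proxy in chain if not proxy}
    subject, issuer, _ = find_eec(chain)
    result, seen = [], {subject}
    while issuer not in seen:  # stops at a self-signed cert or a loop
        seen.add(issuer)
        result.append(issuer)
        if issuer not in issuer_of:
            break  # signer not sent in the request; only its DN is known
        issuer = issuer_of[issuer]
    return result


def attributes(chain):
    """Build both attribute values as read from the issue description."""
    subjects = issuer_subjects(chain)
    return {
        "subject-issuer": subjects,  # every signer up to the anchor
        "x509-subject-issuer": subjects[0] if subjects else None,  # first signer
    }
```

A self-signed EEC yields an empty subject-issuer list and no x509-subject-issuer value in this sketch; how the real PIPs treat that case is not stated on the page.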