[HTCondor-users] GSI question



Hi,

From the doc http://research.cs.wisc.edu/htcondor/manual/v8.2/3_6Security.html:
"This example's one-way authentication implies that B is verifying the
identity of A, using the certificate A provides, and utilizing B's own
set of trusted CAs (Certification Authorities). Client A provides its
certificate (or proxy) to daemon B."

And after:
"When a daemon acts as the client within authentication, the daemon
needs a listing of those from which it will accept certificates. This
is done with GSI_DAEMON_NAME. This name is specified with the
following format"

This is controversial for me. GSI provides one-way auth, and the doc
says (first quote) that the client provides the certificate to the
server.

In the second quote, it says that the client needs the list of servers
who it'll accept certificates from.

And anyway, isn't this whole GSI_DAEMON_NAME redundant together with
the mapping+authz rules?