Hi Christopher,

I can only offer guesses and some pointers...

One scenario is a Java WS-GRAM client using the GT4 Delegation Service.
In this case, I believe the serial numbers for proxy certificates are
set randomly in
org.globus.gsi.bc.BouncyCastleCertProcessingFactory.createProxyCertificate()
to be equal to the number added in the new /CN=#### element in the proxy
certificate (see the serialNum and delegDN variables in the code). It's
possible the Java random number generator isn't being properly seeded
and is giving the same number multiple times, which could be a bug...

Here's a link to the code:

http://viewcvs.globus.org/viewcvs.cgi/jglobus/src/org/globus/gsi/bc/BouncyCastleCertProcessingFactory.java?root=Java+COG&view=markup

If you're using a C client, I believe the serial numbers are set to the
hash of the public key in globus_l_gsi_proxy_sign_key() in
gsi/proxy/proxy_core/source/library/globus_gsi_proxy.c. In this case, be
aware that the GT4 Delegation Service re-uses keys
(http://www.globus.org/toolkit/docs/4.0/security/delegation/admin-index.html#id2529246),
and this could explain why you're seeing the same serial number over and
over again.

Considering that RFC 3820 says:

   The serial number of a Proxy Certificate (PC) SHOULD be unique
   amongst all Proxy Certificates issued by a particular Proxy Issuer.
   However, a Proxy Issuer MAY use an approach to assigning serial
   numbers that merely ensures a high probability of uniqueness.

It seems the approach of generating serial numbers by hashing the public
key, when combined with the re-use of keys in the GT4 Delegation
Service, results in non-compliance with that SHOULD (i.e., it sounds
like a bug).

If you're able to confirm any of my guesses, please do post your results
to the list.

-Jim

On 1/20/11 1:51 AM, Christopher Kunz wrote:
> Hi,
> 
> in working with my Auditing project, I have noticed that the proxies
> created automatically by GT 4.0 WS-GRAMs do not seem to have unique
> serials; instead, I can see that a lot of the time serials seem to be
> reused. In my experiments, the serial "2031473274" seems to be used for
> authentication and delegation proxies a lot.
> 
> Is this a known issue? Is this configurable?
> 
> Regards,
> 
> --ck

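The two serial-number strategies Jim contrasts (a serial derived by hashing the proxy's public key, and a serial drawn from a random number generator), modelled as an added example in Python. This is not code from jglobus, globus_gsi_proxy.c or the GT4 Delegation Service; it assumes a simplified issuer in which the public key is represented by a byte string standing in for its DER encoding, the hash-derived serial is the first four bytes of SHA-1 over those bytes, and the "badly seeded" issuer re-seeds a PRNG with a fixed seed before every proxy. The audit function at the end is the check Christopher's observation amounts to: group issued serials by issuer and report any that recur, which is what RFC 3820's uniqueness SHOULD asks a proxy issuer to avoid.

```python
"""Model of two proxy-certificate serial-number strategies and a duplicate audit.

Added example, not code from jglobus or globus_gsi_proxy.c. Assumptions:
the public key is represented by a byte string (stand-in for DER), the
hash-derived serial is the first 4 bytes of SHA-1 over it as an unsigned
big-endian integer, and the badly seeded issuer re-seeds a fixed-seed PRNG
for every proxy. Real implementations may differ in hash and width; what
is demonstrated is serial reuse, not the exact encoding.
"""
import hashlib
import random
import secrets
from collections import defaultdict


def serial_from_key_hash(pubkey_der: bytes) -> int:
    """Serial derived from the public key: the same key always yields the same serial."""
    digest = hashlib.sha1(pubkey_der).digest()
    return int.from_bytes(digest[:4], "big")


def serial_from_rng(rng) -> int:
    """Serial drawn from an RNG exposing getrandbits(); 63 bits keeps it a positive value."""
    return rng.getrandbits(63)


def serial_random_csprng() -> int:
    """Serial drawn from the OS CSPRNG; uniqueness is probabilistic, which RFC 3820 permits."""
    return secrets.randbits(63)


def issue_proxies_with_key_reuse(pubkey_der: bytes, count: int) -> list:
    """Issuer that re-uses one key pair across proxies and derives serials from the key hash."""
    return [serial_from_key_hash(pubkey_der) for _ in range(count)]


def issue_proxies_badly_seeded(count: int, seed: int = 0) -> list:
    """Issuer whose PRNG is re-seeded with a fixed seed before each proxy: every serial repeats."""
    serials = []
    for _ in range(count):
        rng = random.Random(seed)  # assumption: models a generator that is never properly seeded
        serials.append(serial_from_rng(rng))
    return serials


def find_duplicate_serials(issued) -> dict:
    """Audit: issued is an iterable of (issuer_dn, serial); return {(issuer, serial): count} for count > 1."""
    counts = defaultdict(int)
    for issuer, serial in issued:
        counts[(issuer, serial)] += 1
    return {key: n for key, n in counts.items() if n > 1}


# Constructed sample data: stand-ins for two DER-encoded public keys and one issuer DN.
KEY_A = b"constructed-public-key-A"
KEY_B = b"constructed-public-key-B"
ISSUER = "/O=Example/OU=Users/CN=Constructed Issuer"


def demo() -> dict:
    """Run each issuing strategy through the audit and return the duplicates found per strategy."""
    key_reuse = [(ISSUER, s) for s in issue_proxies_with_key_reuse(KEY_A, 5)]
    badly_seeded = [(ISSUER, s) for s in issue_proxies_badly_seeded(5)]
    distinct_keys = [(ISSUER, serial_from_key_hash(k)) for k in (KEY_A, KEY_B)]
    csprng = [(ISSUER, serial_random_csprng()) for _ in range(5)]
    return {
        "key_reuse": find_duplicate_serials(key_reuse),
        "badly_seeded": find_duplicate_serials(badly_seeded),
        "distinct_keys": find_duplicate_serials(distinct_keys),
        "csprng": find_duplicate_serials(csprng),
    }


if __name__ == "__main__":
    for name, dups in demo().items():
        print(f"{name}: {dups if dups else 'no duplicate serials'}")
```

Running the demo shows the two failure modes side by side: with key re-use the hash-derived serial is identical for all five proxies, and with a PRNG that is re-seeded identically every time the "random" serial is likewise identical, while hashing two distinct keys or drawing from the OS CSPRNG produces no duplicates. The same `find_duplicate_serials` check can be run over serials harvested from real proxies, keyed by issuer DN, to confirm or rule out either explanation.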