Currently GSI C and GSI Java process host and service certificates differently.
In GSI C, [EMAIL PROTECTED] and [EMAIL PROTECTED] are treated as equal. That is, the string prior to @ is ignored, and if the hostname matches, the GSS Names are treated as equal. So all service certificates and the host certificate for a given host will match.

In GSI Java, the strings prior to @ are also expected to match. If no service piece is specified, then host is assumed. That is, [EMAIL PROTECTED] matches hostname, but not [EMAIL PROTECTED].

Is there some specification that covers the expected behavior? I see merit to [EMAIL PROTECTED] not matching [EMAIL PROTECTED], and keeping the GSI Java behavior. The host certificates are typically maintained and stored in a privileged account, and the service certificate allows for a client to do "automated" authorization with just the service name. But we would like to hear if there are groups that leverage the GSI C behavior, and any thoughts on what we want as the default for both implementations.

Thanks,
Rachana
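The two comparison policies described in the message above, modeled as an added example that is not part of the original message and is not GSI code. The function names, the `service@hostname` sample values and the case-insensitive hostname comparison are assumptions made for illustration.

```python
# Added illustration of the two name-matching policies described in the
# message. This models the behaviour only; it does not call any GSI API.
from typing import NamedTuple


class HostBasedName(NamedTuple):
    service: str
    host: str


def parse_name(name, default_service="host"):
    """Split 'service@hostname'; a bare hostname gets the default service."""
    service, sep, host = name.rpartition("@")
    if not sep or not service:
        service = default_service  # "if no service piece is specified, host is assumed"
    if not host:
        raise ValueError("no hostname in %r" % name)
    # Assumption: hostnames compare case-insensitively, as DNS names do.
    return HostBasedName(service, host.lower())


def equal_ignoring_service(a, b):
    """Policy the message attributes to GSI C: only the hostname is compared."""
    return parse_name(a).host == parse_name(b).host


def equal_with_service(a, b):
    """Policy the message attributes to GSI Java: service and hostname must match."""
    return parse_name(a) == parse_name(b)


def acceptable_certs(expected, presented, policy):
    """Return the presented certificate names a peer expecting `expected` accepts."""
    return [name for name in presented if policy(expected, name)]


# Constructed sample names: one host certificate and three service certificates.
CERT_NAMES = [
    "host@node1.example.org",
    "ftp@node1.example.org",
    "ldap@node1.example.org",
    "ftp@node2.example.org",
]

if __name__ == "__main__":
    for policy in (equal_ignoring_service, equal_with_service):
        accepted = acceptable_certs("ftp@node1.example.org", CERT_NAMES, policy)
        print(policy.__name__, "->", accepted)
```

Under the hostname-only policy, a peer expecting the `ftp` service on `node1` also accepts that host's `host` and `ldap` certificates, which is the authorization difference the message asks about.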
