I would suggest asking IGTF what behavior they would like to see.

Von

Rachana Ananthakrishnan wrote:
> Currently GSI C and GSI Java process host and service certificates
> differently.
>
> In GSI C, [EMAIL PROTECTED] and [EMAIL PROTECTED] are treated as equal.
> That is, the string prior to @ is ignored and if the hostname matches,
> the GSS Names are treated as equal. So all service certificates and host
> certificate for a given host will match.
>
> In GSI Java, the strings prior to @ are also expected to match. If no
> service piece is specified, then host is assumed. That is [EMAIL PROTECTED]
> matches hostname, but not [EMAIL PROTECTED]
>
> Is there some specification that covers the expected behavior?
>
> I see merit to [EMAIL PROTECTED] not matching [EMAIL PROTECTED], and
> keeping the GSI Java behavior. The host certificates are typically
> maintained and stored in a privileged account, and the service certificate
> allows for a client to do "automated" authorization with just the service
> name.
>
> But we would like to hear if there are groups that leverage the GSI C
> behavior and any thoughts on what we want as default for both
> implementations.
>
> Thanks,
> Rachana
