Grid Security Infrastructure (GSI) v2: Proxy Definitions and Behavior

Definitions of Limited and Full Proxy

Full Proxy
A Full Proxy is a proxy that has been created by grid-proxy-init or a proxy created from such a proxy by normal delegation mechanisms.
Limited Proxy
A Limited Proxy is a proxy that is created from a Full Proxy when it is delegated with the limited delegation mechanism. The first time a proxy is created by the limited delegation mechanism, a level 1 Limited Proxy is created. Any subsequent delegation (limited or full) of a level N Limited Proxy creates a level N+1 Limited Proxy.

Delegation Options

Full Delegation
Full delegation is the default with the GSI library when delegation is requested (note this may vary with individual applications). Full delegation of a Full Proxy results in a Full Proxy on the remote side. Full delegation of a level N Limited Proxy results in a level N+1 Limited Proxy.
Limited Delegation
Limited delegation is the result of performing delegation with the GSI library when the GSS_C_GLOBUS_LIMITED_DELEG_PROXY_FLAG is also given. Limited delegation of a Full Proxy results in a level 1 Limited Proxy. Limited delegation of a level N Limited Proxy results in a level N+1 Limited Proxy.

Authentication Options

When performing GSI authentication there are three modes of operation:

Default
In this mode a Full Proxy or a level 1 Limited Proxy will be accepted for authentication.
GSS_C_GLOBUS_LIMITED_PROXY_FLAG
With this flag only a Full Proxy will be accepted for authentication. This mode should be used by applications that do job start-up (e.g. the gatekeeper and sshd).
GSS_C_GLOBUS_LIMITED_PROXY_MANY_FLAG
With this flag any Full Proxy or Limited Proxy (of any level) will be accepted. This mode is currently used for data channel authentication with GridFTP.
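
The delegation and authentication rules above can be modeled as a small state machine. The following is an added example, not code from the GSI library: it does not call the GSS-API, and the type, enum and function names (proxy_t, deleg_t, auth_mode_t, full_proxy, delegate, accepted) are hypothetical. It assumes level 0 stands for a Full Proxy.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Model only: level 0 is a Full Proxy, level N > 0 a level N Limited Proxy. */
typedef struct { unsigned level; } proxy_t;
typedef enum { DELEG_FULL, DELEG_LIMITED } deleg_t;

/* Hypothetical names for the three authentication modes on this page. */
typedef enum {
    AUTH_DEFAULT,      /* no flag given */
    AUTH_FULL_ONLY,    /* GSS_C_GLOBUS_LIMITED_PROXY_FLAG */
    AUTH_ANY_LIMITED   /* GSS_C_GLOBUS_LIMITED_PROXY_MANY_FLAG */
} auth_mode_t;

/* The proxy grid-proxy-init would create. */
proxy_t full_proxy(void) { proxy_t p = { 0 }; return p; }

/* Delegation rules: only full delegation of a Full Proxy stays Full;
 * every other case yields the next limited level. */
proxy_t delegate(proxy_t parent, deleg_t kind)
{
    proxy_t child = parent;
    if (parent.level > 0 || kind == DELEG_LIMITED)  /* saturate so the level never wraps to Full */
        child.level = parent.level == UINT_MAX ? UINT_MAX : parent.level + 1;
    return child;
}

/* Authentication rules: which proxy levels each mode accepts. */
bool accepted(proxy_t p, auth_mode_t mode)
{
    switch (mode) {
    case AUTH_DEFAULT:     return p.level <= 1;
    case AUTH_FULL_ONLY:   return p.level == 0;
    case AUTH_ANY_LIMITED: return true;
    }
    return false;  /* unknown mode: fail closed */
}

int main(void)
{
    deleg_t chain[] = { DELEG_FULL, DELEG_LIMITED, DELEG_FULL };  /* constructed sample chain */
    proxy_t p = full_proxy();
    for (size_t i = 0; ; i++) {
        printf("level %u: default=%d full-only=%d any-limited=%d\n", p.level,
               accepted(p, AUTH_DEFAULT), accepted(p, AUTH_FULL_ONLY),
               accepted(p, AUTH_ANY_LIMITED));
        if (i == sizeof chain / sizeof chain[0]) break;
        p = delegate(p, chain[i]);
    }
    return 0;
}
```

The sample chain shows that a full delegation after a limited one still increases the level, so a job start-up service in full-only mode rejects every proxy downstream of the first limited delegation.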