GT3 Grid Security Infrastructure (GSI): Proxy Policy Handling
Identity Determination
To determine the identity returned from the GSI libraries, the proxy certificate chain is walked from the PC to the EEC (i.e., the "first certificate" is the leaf proxy certificate, not the CA certificate):
- Note the first certificate that is either not a proxy or whose policy is neither 'impersonation' nor 'gt2-limited impersonation'. The identity of that certificate is the identity returned by GSI.
- Note any occurrences of 'gt2-limited impersonation' in the chain before (i.e., on the leaf side of) the certificate whose identity is returned. If any such policy occurs, mark the proxy as limited.
Examples:
Given the following chain the identity returned should be the identity of the EEC:
CA cert -> EEC -> Proxy 1 (Impersonation) -> Proxy 2 (Impersonation)
Given the following chain, the identity returned should be the identity of proxy #2:
CA cert -> EEC -> Proxy 1 (Impersonation) -> Proxy 2 (Independent) -> Proxy 3 (Impersonation)
Given the following chain, the identity returned should be the identity of proxy #1:
CA cert -> EEC -> Proxy 1 (Unrecognized policy) -> Proxy 2 (Impersonation)
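The walk described above, as an added example that is not part of the GSI code base: the chain is modelled as a list of certificates in CA-to-leaf order, the policy names are constructed labels rather than the OIDs GSI encodes in the proxyCertInfo extension, and the limited flag follows the rule that only 'gt2-limited impersonation' proxies passed over before the identity certificate count.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed policy labels for this example (GSI uses OIDs, not these strings).
IMPERSONATION = "impersonation"
GT2_LIMITED = "gt2-limited impersonation"
INDEPENDENT = "independent"


@dataclass
class Cert:
    subject: str                  # identity carried by this certificate
    is_proxy: bool                # False for the EEC and the CA certificate
    policy: Optional[str] = None  # proxy policy; None for non-proxy certificates


def determine_identity(chain: List[Cert]) -> Tuple[str, bool]:
    """Return (identity, limited) for a chain ordered CA -> EEC -> proxies.

    The walk runs leaf-first (outermost proxy back towards the EEC) and stops
    at the first certificate that is not a proxy or whose policy is neither
    impersonation nor gt2-limited impersonation. 'limited' becomes True only
    when a gt2-limited proxy was passed over before that certificate.
    """
    limited = False
    for cert in reversed(chain):
        if cert.is_proxy and cert.policy in (IMPERSONATION, GT2_LIMITED):
            if cert.policy == GT2_LIMITED:
                limited = True
            continue  # delegating proxy: keep walking towards the EEC
        return cert.subject, limited
    raise ValueError("chain contains no non-proxy certificate")


# Constructed chains matching the three examples in the text, plus two that
# exercise the limited flag (one counted, one ignored because it sits on the
# EEC side of the identity certificate).
CA, EEC = Cert("CA", False), Cert("EEC", False)
CHAINS = {
    "all_impersonation": [CA, EEC, Cert("Proxy 1", True, IMPERSONATION),
                          Cert("Proxy 2", True, IMPERSONATION)],
    "independent_in_middle": [CA, EEC, Cert("Proxy 1", True, IMPERSONATION),
                              Cert("Proxy 2", True, INDEPENDENT),
                              Cert("Proxy 3", True, IMPERSONATION)],
    "unrecognized_policy": [CA, EEC, Cert("Proxy 1", True, "unrecognized"),
                            Cert("Proxy 2", True, IMPERSONATION)],
    "limited_counted": [CA, EEC, Cert("Proxy 1", True, IMPERSONATION),
                        Cert("Proxy 2", True, GT2_LIMITED),
                        Cert("Proxy 3", True, IMPERSONATION)],
    "limited_ignored": [CA, EEC, Cert("Proxy 1", True, GT2_LIMITED),
                        Cert("Proxy 2", True, INDEPENDENT)],
}
```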