SSI should be as secure as any other shared secret protocol. I think what people don't like is that the proxy server's cert is used to access the file, which actually is not true. The proxy cert is merely used to a) make sure the server is allowed to access files, and b) the particular file being accessed was also accessible by the person requesting the copy. Tied into the proxy cert is the annoyance of getting another cert in the first place. I suppose even robocerts aren't easy enough to deal with. In tat respect, we are working to enable client cert delegation. But that isn't necessarily a long-lived solution since, as Wei points out, in the future x509 might not be the universal authentication protocol.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or mute the thread.
{"api_version":"1.0","publisher":{"api_key":"05dde50f1d1a384dd78767c55493e4bb","name":"GitHub"},"entity":{"external_key":"github/xrootd/xrootd","title":"xrootd/xrootd","subtitle":"GitHub repository","main_image_url":"https://cloud.githubusercontent.com/assets/143418/17495839/a5054eac-5d88-11e6-95fc-7290892c7bb5.png","avatar_image_url":"https://cloud.githubusercontent.com/assets/143418/15842166/7c72db34-2c0b-11e6-9aed-b52498112777.png","action":{"name":"Open in GitHub","url":"https://github.com/xrootd/xrootd"}},"updates":{"snippets":[{"icon":"PERSON","message":"@abh3 in #694: SSI should be as secure as any other shared secret protocol. I think what people don't like is that the proxy server's cert is used to access the file, which actually is not true. The proxy cert is merely used to a) make sure the server is allowed to access files, and b) the particular file being accessed was also accessible by the person requesting the copy. Tied into the proxy cert is the annoyance of getting another cert in the first place. I suppose even robocerts aren't easy enough to deal with. In tat respect, we are working to enable client cert delegation. But that isn't necessarily a long-lived solution since, as Wei points out, in the future x509 might not be the universal authentication protocol."}],"action":{"name":"View Issue","url":"https://github.com/xrootd/xrootd/issues/694#issuecomment-389680737"}}}
{"@type":"MessageCard","@context":"http://schema.org/extensions","hideOriginalBody":"false","originator":"37567f93-e2a7-4e2a-ad37-a9160fc62647","title":"Re: [xrootd/xrootd] TPC requires server-to-server XRootDTransport authentication (#694)","sections":[{"text":"","activityTitle":"**Andrew Hanushevsky**","activityImage":"https://cloud.githubusercontent.com/assets/143418/15842166/7c72db34-2c0b-11e6-9aed-b52498112777.png","activitySubtitle":"@abh3","facts":[]}],"potentialAction":[{"name":"Add a comment","@type":"ActionCard","inputs":[{"isMultiLine":true,"@type":"TextInput","id":"IssueComment","isRequired":false}],"actions":[{"name":"Comment","@type":"HttpPOST","target":"https://api.github.com","body":"{\"commandName\":\"IssueComment\",\"repositoryFullName\":\"xrootd/xrootd\",\"issueId\":694,\"IssueComment\":\"{{IssueComment.value}}\"}"}]},{"name":"Close issue","@type":"HttpPOST","target":"https://api.github.com","body":"{\"commandName\":\"IssueClose\",\"repositoryFullName\":\"xrootd/xrootd\",\"issueId\":694}"},{"targets":[{"os":"default","uri":"https://github.com/xrootd/xrootd/issues/694#issuecomment-389680737"}],"@type":"OpenUri","name":"View on GitHub"},{"name":"Unsubscribe","@type":"HttpPOST","target":"https://api.github.com","body":"{\"commandName\":\"MuteNotification\",\"threadId\":328188433}"}],"themeColor":"26292E"}
Use REPLY-ALL to reply to list
To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1