
Hi Brian,

Thanks and yes that is what I meant, and I think we already had a campaign to ask sites to use subjectAltName...

In terms of disallowing delegation if the client chooses to trust DNS, I tend to think it is the client's responsibility to do what is right, not ours. But I don't think I have a strong preference one way or the other. Perhaps such a stricter rule will also help reduce negative PR down the road. So ... OK.

regards,
--
Wei Yang  |  [log in to unmask]  |  650-926-3338(O)

-----Original Message-----
From: Brian P Bockelman <[log in to unmask]>
Reply-To: xrootd/xrootd <[log in to unmask]>
Date: Thursday, October 25, 2018 at 7:24 AM
To: xrootd/xrootd <[log in to unmask]>
Cc: Subscribed <[log in to unmask]>
Subject: Re: [xrootd/xrootd] xrdcopy ignores subject alternative names from the x509 host certificate  (#841)

    Hi @msalle <https://github.com/msalle> -
    I interpreted Wei's input as basically "do RFC2818 first; emit a warning; then, based on configuration, decide whether to fallback to DNS (and/or other overrides)".
    The only "tweak" I'd make is to disallow the client from delegating proxies (e.g., a new use case) if it trusted DNS. As we add proxy delegation to the Xrootd client, I'd prefer to start out right.
    Brian

-- 
You are receiving this because you commented.
Reply to this email directly or view it on GitHub:
https://github.com/xrootd/xrootd/issues/841#issuecomment-433289458
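
The policy discussed in this thread (RFC 2818 matching first, a warning on mismatch, a configurable DNS fallback, and no proxy delegation once DNS was trusted), sketched as an added example that is not XRootD code. All type and function names are hypothetical, and the DNS-derived host name is assumed to be passed in by the caller rather than resolved here.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Constructed model of a host certificate: only the fields the check needs.
struct HostCert {
    std::vector<std::string> sanDns;  // subjectAltName dNSName entries
    std::string commonName;           // subject CN, used only when no dNSName exists
};

struct Verdict {
    bool accepted;      // host identity accepted
    bool trustedDns;    // acceptance relied on an unauthenticated DNS answer
    bool mayDelegate;   // proxy delegation permitted on this connection
    std::string warning;
};

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return s;
}

// Case-insensitive match; "*" may stand for the whole leftmost label only.
static bool nameMatches(const std::string &pattern, const std::string &host) {
    std::string p = lower(pattern), h = lower(host);
    if (p.rfind("*.", 0) != 0) return p == h;
    std::size_t dot = h.find('.');
    return dot != std::string::npos && dot > 0 && h.substr(dot) == p.substr(1);
}

// RFC 2818: dNSName entries take precedence; CN is consulted only without them.
static bool rfc2818Match(const HostCert &c, const std::string &host) {
    if (!c.sanDns.empty())
        return std::any_of(c.sanDns.begin(), c.sanDns.end(),
                           [&](const std::string &n) { return nameMatches(n, host); });
    return nameMatches(c.commonName, host);
}

// typedHost: name the user asked for; dnsName: name obtained from a DNS lookup.
Verdict verifyHost(const HostCert &c, const std::string &typedHost,
                   const std::string &dnsName, bool allowDnsFallback) {
    if (rfc2818Match(c, typedHost)) return {true, false, true, ""};
    std::string w = "certificate does not match '" + typedHost + "' under RFC 2818";
    if (allowDnsFallback && rfc2818Match(c, dnsName))
        return {true, true, false, w + "; accepted via DNS name '" + dnsName + "'"};
    return {false, false, false, w};
}
```
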