Hi Brian,

Thanks and yes that is what I meant, and I think we already had a campaign to ask sites to use subjectAltName...

In terms of disallowing delegation if the client chooses to trust DNS, I tend to think it is the client's responsibility to do what is right, not ours. But I don't think I have a strong preference one way or the other. Perhaps such a stricter rule will also help reduce negative PR down the road. So ... OK.

regards,
--
Wei Yang | [log in to unmask] | 650-926-3338(O)

-----Original Message-----
From: Brian P Bockelman <[log in to unmask]>
Reply-To: xrootd/xrootd <[log in to unmask]>
Date: Thursday, October 25, 2018 at 7:24 AM
To: xrootd/xrootd <[log in to unmask]>
Cc: Subscribed <[log in to unmask]>
Subject: Re: [xrootd/xrootd] xrdcopy ignores subject alternative names from the x509 host certificate (#841)

Hi @msalle <https://github.com/msalle> -
I interpreted Wei's input as basically "do RFC2818 first; emit a warning; then, based on configuration, decide whether to fall back to DNS (and/or other overrides)".
The only "tweak" I'd make is to disallow the client from delegating proxies (e.g., a new use case) if it trusted DNS. As we add proxy delegation to the Xrootd client, I'd prefer to start out right.
Brian

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub <https://github.com/xrootd/xrootd/issues/841#issuecomment-433071565>.

Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1
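
The policy discussed in this thread (RFC 2818 check first, a warning, then a configuration-gated DNS fallback that disables proxy delegation) written out as an added example. It is not XRootD code: `verify_host`, `Verdict`, the `allow_dns_fallback` switch, the reading of "trusting DNS" as accepting a DNS-returned name, and the example.org names are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Verdict:
    accepted: bool
    basis: str          # "san", "cn", "dns-fallback" or "none"
    may_delegate: bool  # may the client delegate a proxy over this connection?
    warnings: list = field(default_factory=list)

def name_matches(pattern, host):
    """Case-insensitive match; '*' is honoured only as the entire leftmost
    label (stricter than RFC 2818, which also permits partial-label wildcards)."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        label, _, rest = h.partition(".")
        return bool(label) and rest == p[2:]
    return p == h

def verify_host(requested, san_dns, subject_cn, dns_names=(),
                allow_dns_fallback=False):
    """requested: the name the user typed. san_dns / subject_cn: taken from an
    already chain-validated host certificate. dns_names: names DNS returned
    for the endpoint (assumed here to be what "trusting DNS" means)."""
    # 1. RFC 2818: if dNSName SANs exist they are the only identity source;
    #    the subject CN is consulted only when the certificate has none.
    if san_dns:
        if any(name_matches(n, requested) for n in san_dns):
            return Verdict(True, "san", True)
    elif subject_cn and name_matches(subject_cn, requested):
        return Verdict(True, "cn", True)
    # 2. The strict check failed: always record a warning.
    warnings = [f"certificate does not name {requested!r} (RFC 2818 check failed)"]
    # 3. Optional, configuration-gated fallback to names obtained from DNS.
    if allow_dns_fallback:
        cert_names = list(san_dns) + ([subject_cn] if subject_cn else [])
        for resolved in dns_names:
            if any(name_matches(n, resolved) for n in cert_names):
                warnings.append(f"accepted via DNS name {resolved!r}; delegation disabled")
                return Verdict(True, "dns-fallback", False, warnings)
    return Verdict(False, "none", False, warnings)

# Constructed sample: alias data.example.org points at node07.example.org,
# whose certificate carries only its own name in the CN and has no SAN.
ALIAS, NODE = "data.example.org", "node07.example.org"
strict = verify_host(ALIAS, [], NODE, dns_names=[NODE])
relaxed = verify_host(ALIAS, [], NODE, dns_names=[NODE], allow_dns_fallback=True)
with_san = verify_host(ALIAS, [NODE, ALIAS], NODE)
```

Once the site adds the alias as a subjectAltName (`with_san`), the strict path succeeds and delegation stays available without any DNS trust.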