I'll answer this in dribs and drabs as I figure out the issues so as to be speedy.

a) The reason that spacechar was not applied is that we don't apply it for "=" (anyuser) or "*" (alluser). I can't recall what the reasoning behind that restriction was. So, please think about it and how those two rules are used and let me know your thoughts on whether we should lift the restriction. However, before you do that, consider point (b).

b) The dn hash is a specific feature of gsi authentication. Given that http does not use gsi, it never develops a hash. It's not clear whether we should change that or not. I suppose we could make it an option. Thoughts?

Now as for using the dn. It's problematic because as far as I can tell the order of the elements in the dn field is not standardized. Additionally, some of these are optional. So, doing a simple comparison is not sufficient. You have to parse the DN and compare element by element. That's something we don't do which makes the dn field not particularly useful. That also implies that the dn hash is also subject to this problem (though I will have to verify that). Generally, people have opted to map to a name using whatever algorithm is appropriate for the experiment. Consequently, there is no single way to codify the use of the dn field.
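
An illustration of the element-by-element comparison described in the message above, added here as an example; it is not XRootD code and not the author's. The names `parse_dn`, `same_dn` and `ALIASES` are hypothetical, the sample DNs are constructed, and it assumes values match case-insensitively, that a DN written in reverse element order is the same DN, and that there are no multi-valued (`+`) or hex-encoded elements.

```python
import re

# Constructed alias table: tools print the same attribute type differently.
ALIASES = {"E": "EMAILADDRESS", "EMAIL": "EMAILADDRESS", "S": "ST"}

# Constructed samples: one subject in slash form and in comma form.
SLASH_DN = "/DC=ch/DC=cern/OU=Users/CN=Jane Doe"
COMMA_DN = "CN=Jane Doe,OU=Users,DC=cern,DC=ch"


def parse_dn(text):
    """Return the DN as a list of (TYPE, value) pairs in the order written."""
    text = text.strip()
    if text.startswith("/"):
        # Slash form: split only where "/" starts a new TYPE=, so a value
        # such as "CN=host/node1.example.org" keeps its embedded slash.
        parts = re.split(r"/(?=[A-Za-z][A-Za-z0-9.]*=)", text[1:])
    else:
        # Comma form: split on commas that are not backslash-escaped.
        parts = re.split(r"(?<!\\),", text)
    elements = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed DN element: {part!r}")
        typ, value = part.split("=", 1)
        typ = typ.strip().upper()
        value = re.sub(r"\\(.)", r"\1", value.strip())  # drop escapes
        value = " ".join(value.split()).casefold()       # assumed matching rule
        elements.append((ALIASES.get(typ, typ), value))
    return elements


def same_dn(a, b, optional=frozenset()):
    """Compare two DN strings element by element.

    Attribute types listed in `optional` are dropped from both sides first;
    which types may be dropped is a site policy decision, not a standard.
    """
    def core(text):
        return [e for e in parse_dn(text) if e[0] not in optional]

    left, right = core(a), core(b)
    # Same elements in the same sequence, read in either direction. A sorted
    # or set comparison would also equate DNs whose components are shuffled.
    return bool(left) and (left == right or left == right[::-1])


if __name__ == "__main__":
    print(SLASH_DN == COMMA_DN, same_dn(SLASH_DN, COMMA_DN))
```

A plain string comparison of the two samples fails while `same_dn` accepts them, and a DN carrying an extra `emailAddress` element only matches when that type is passed in `optional`.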

