Hi @gganis! @abh3 asked me to take a quick look at this. I don't have the time right now to do a thorough test, so first impressions from reading the code:

0. The double-negative (disabling no proxy) is a bit confusing. Maybe default to `XrdGSICREATEPROXY=1` and ask folks to turn it off?
1. What are the latest coding style guides for xrootd? In particular, I see a few places where `0` is used instead of `nullptr`. They're effectively equivalent in this use case but I find `nullptr` more explicit / modern styling.
2. It seems that "proxy" versus "cert/key" modes are mutually exclusive. That is, if "no proxy" mode is activated then a cert/key is _required_ (and otherwise cert/key are never accepted).

Item (2) seems relatively restrictive. Other clients, such as the traditional `globus-*` ones, will cleanly fall back to the cert/key if a proxy isn't present, no? I don't know the driving use case here but it seems this would be more familiar:

1. If `XrdSecGSICREATEPROXY=1` (default), a proxy is auto-generated from the cert/key pair if one is not found.
2. If `XrdSecGSICREATEPROXY=0`, a proxy is used if present. Otherwise, the cert/key pair is used if present.

Finally - what are the forward / backward compatibility concerns here? Can older servers handle a cert directly?

Reply to this email directly or view it on GitHub: https://github.com/xrootd/xrootd/pull/1493#issuecomment-899688379