Hi @gganis!

@abh3 asked me to take a quick look at this. I don't have the time right now to do a thorough test so first impressions from reading the code:

0. The double-negative (disabling no proxy) is a bit confusing. Maybe default to XrdGSICREATEPROXY=1 and ask folks to turn it off?
1. What's the latest coding style guides for xrootd? In particular, I see a few places where 0 is used instead of nullptr. They're effectively equivalent in this use case but I find nullptr more explicit / modern styling.
2. It seems that "proxy" versus "cert/key" modes are mutually exclusive. That is, if "no proxy" mode is activated then a cert/key is required (and otherwise cert/key are never accepted.

Item (2) seems relatively restrictive. Other clients, such as the traditional globus-* ones, will cleanly fall back to the cert/key if a proxy isn't present, no?

I don't know the driving use case here but it seems this would be more familiar:

1. If XrdSecGSICREATEPROXY=1 (default), a proxy is auto-generated from the cert/key pair if one is not found.
2. If XrdSecGSICREATEPROXY=0, a proxy is used if present. Otherwise, the cert/key pair is used if present.

Finally - what are the forward / backward compatibility concerns here? Can older servers handle a cert directly?

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or unsubscribe.
Triage notifications on the go with GitHub Mobile for iOS or Android.

Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1