Hi Albert,

Correct, while TLS would have been preferable, the additional safeguards put in place to protect the rendezvous token made it highly unlikely to be subverted (you would need to accomplish at least three other subversions before the token became vulnerable). Now that TLS is widely available, nothing prevents the token being transmitted using TLS, though for backward compatibility it's not required.

As you state it, the door is not in a position to use the rendezvous token presented by the destination since it needs to authenticate the destination first. So, if that's how the code sits, then, yes, without skipping authorization in the presence of a token, it would not work. Mind you, rendezvous tokens are only meant to be used for pull requests, so they are incapable of performing any destructive action.

So, presumably you are wondering whether one could get around the problem by having the destination use a JWT along with the rendezvous token. The issue here is how does one get the JWT? I was told that it can't be the requesting client's JWT as these are not delegable, though I still don't see what prevents them from being used by someone else, hence why they need TLS. The destination server is also not really in a position to get a JWT. Seems like an issue here.

Of course, that all hinges on whether the requesting client's JWT cannot be used by the destination server. If it can be (or at least if the client can get a delegable token), then, yes, we could handle the rendezvous in that way. That said, why bother with a rendezvous token at all, since we could do the same thing with JWTs, can't we?

So, in the end we need to get all of this straightened out to figure out the positioning of a rendezvous TPC. Maybe @bbockelm will see this post and expand on how a requesting client's JWT can and cannot be used in a TPC context by the destination server.

Message ID: <xrootd/xrootd/issues/1584/1076971468@github.com>