argus-authz / argus-pep-server

Argus PEP Server

Introduce the x509-subject-issuer attribute #22

Open andreaceccanti opened 7 years ago

andreaceccanti commented 7 years ago

The X509 PIPs that currently process X.509 certificates in incoming requests set the subject-issuer attribute, which holds the subjects of the certificates in the chain, up to the trust anchor, that signed the EEC included in the authorization request.

We add another attribute, the x509-subject-issuer attribute, which holds the subject of the first certificate that signed the EEC, to simplify the implementation work for #21 .

msalle commented 7 years ago

Just a small question, why not call it subject-x509-issuer? (which is what it is called in the authz-interop profile, see 6.1.4 in the authz-interop profile) It has the same semantics.

andreaceccanti commented 7 years ago

Hi Mischa, I liked the idea of the X509 prefix in the attribute name, which is also used for the new X509-authn-profile attribute. I have no strong feelings about this anyway.

msalle commented 7 years ago

Hi, I also have no very strong feelings about it, but thought that it might be good to reuse an existing name if it already has the same semantics?

andreaceccanti commented 7 years ago

Well, in theory yes, in practice we use a different XACML profile anyway.

msalle commented 7 years ago

Sure, that's also why I don't have a strong preference (-; On the other hand, we'll probably also create a shortened attribute for the PAP, where you cannot see the profile name. The other EMI/gLite attribute, which contains all issuers of all certs (incl. even proxy DNs), is called subject-issuer or emi-subject-issuer. As long as we make it clear that this is a different one, it should be ok. I'll leave it to you what to do.
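The difference the thread is about (the existing subject-issuer attribute carrying the issuer of every certificate in the chain, proxy DNs included, versus the proposed x509-subject-issuer carrying only the subject of the certificate that signed the EEC) is easiest to see on a concrete chain. The following is an added Python model written for this page; it is not Argus PEP Server code. It reduces certificates to (subject, issuer) DN pairs, uses the RFC 3820 naming convention (proxy subject = issuer DN with one extra CN component) to recognise proxies instead of the ProxyCertInfo extension a real PIP would check, and the chain, attribute names and DNs are all constructed sample data.

```python
"""Model of deriving the subject-issuer and x509-subject-issuer attributes
from a certificate chain.  Added example, not Argus code: certificates are
reduced to (subject, issuer) DN pairs and proxies are recognised by the
RFC 3820 naming rule rather than by the ProxyCertInfo extension."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Cert:
    subject: str  # DN in RFC 2253 style, most specific RDN first
    issuer: str


def is_proxy(cert: Cert) -> bool:
    """RFC 3820 naming rule: a proxy's subject is its issuer's DN prefixed by
    exactly one CN component.  Simplification: assumes no commas inside RDN
    values; a real PIP would check the ProxyCertInfo extension instead."""
    first_rdn, sep, rest = cert.subject.partition(",")
    return sep == "," and first_rdn.startswith("CN=") and rest == cert.issuer


def find_eec(chain: List[Cert]) -> Cert:
    """Walk the chain from the leaf; the first non-proxy certificate is the EEC."""
    for cert in chain:
        if not is_proxy(cert):
            return cert
    raise ValueError("chain contains no end-entity certificate")


def x509_subject_issuer(chain: List[Cert]) -> str:
    """Subject of the first certificate that signed the EEC, i.e. the EEC's issuer DN.
    Proxies above the EEC do not contribute to this value."""
    return find_eec(chain).issuer


def subject_issuer(chain: List[Cert]) -> List[str]:
    """Issuer DN of every certificate in the chain, proxies included, up to the
    trust anchor.  Ordering (leaf towards root) and de-duplication are choices
    made for this model; the self-signed root contributes its own DN once."""
    issuers: List[str] = []
    for cert in chain:
        if cert.issuer not in issuers:
            issuers.append(cert.issuer)
    return issuers


def derive_attributes(chain: List[Cert]) -> Dict[str, object]:
    """Return both attributes side by side, keyed by the names used in the issue."""
    return {
        "subject-issuer": subject_issuer(chain),
        "x509-subject-issuer": x509_subject_issuer(chain),
    }


# Constructed sample chain, leaf first: two RFC 3820 proxies, the EEC,
# an intermediate CA and a self-signed trust anchor.
ROOT_DN = "CN=Example Root CA,O=Example,C=IT"
USERS_CA_DN = "CN=Example Users CA,O=Example,C=IT"
ALICE_DN = "CN=Alice,O=Example,C=IT"
PROXY1_DN = "CN=1234567," + ALICE_DN
PROXY2_DN = "CN=7654321," + PROXY1_DN

SAMPLE_CHAIN: List[Cert] = [
    Cert(subject=PROXY2_DN, issuer=PROXY1_DN),
    Cert(subject=PROXY1_DN, issuer=ALICE_DN),
    Cert(subject=ALICE_DN, issuer=USERS_CA_DN),
    Cert(subject=USERS_CA_DN, issuer=ROOT_DN),
    Cert(subject=ROOT_DN, issuer=ROOT_DN),
]

if __name__ == "__main__":
    for name, value in derive_attributes(SAMPLE_CHAIN).items():
        print(f"{name}: {value}")
```

Running it shows subject-issuer listing the two proxy signers, the users CA and the root, while x509-subject-issuer is just the users CA DN; that single-valued attribute is what a policy comparing "the CA that issued this user's certificate" can match directly, whereas the multi-valued one also exposes proxy DNs that change with every delegation.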