Ian Johnson wrote:
> Hi,
>
> As we know, a user who owns a certificate can delegate his proxy to finish
> his grid task. If the application running with the user's proxy on a node
> needs to access a remote data node, it has to create a next-level proxy from
> its current proxy.
>
> How do you create the next proxy? If you implement the code only with
> OpenSSL, what should be paid attention to? I just know that the next proxy
> should have a new DN with a serial number attached, and a new time stamp
> limited by the original proxy.
>
> Could anybody give me some advice, or example code?
There are only a couple of things you need to watch:

1. Copy the CN from the old proxy and, as you said, add another DN=proxy. Some Grid components even add DN=limited proxy to denote that the proxy is supposed to be the last derivation.
2. Depending on the implementation, the serial is not important; proxies aren't revokable anyway. In Globus/gLite's GSI implementation, the serial is not checked.
3. The new proxy must not have a smaller notBefore or a larger notAfter.
4. From what I observed, key length is not important either; the new proxy can even have a bigger key length than the old one.
5. Sign the new proxy with the old one.

I used the example code from "Network security with OpenSSL": http://www.oreilly.com/catalog/openssl/index.html

Check out the EX10-6 file from the example code tarball at http://www.opensslbook.com/NSwO-1.3.tar.gz and you're all set (with some minor modifications).

HTH,
--ck

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
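The five rules in the reply above, carried out end to end as an added example (this is not code from the thread, from the OpenSSL book, or from Globus/gLite). It uses the third-party `cryptography` package rather than raw OpenSSL calls; the function names, the self-signed "user" certificate and the validity periods are constructed for the demo. `derive_proxy` appends one CN to the parent's subject, picks a random serial, clamps the validity window to the parent's, and signs with the parent's key; `check_proxy` is the relying-party side, returning a list of rule violations (empty means the derivation is acceptable), including the case where someone tries to derive from a limited proxy.

```python
"""Derive a next-level proxy certificate from an existing one, then check it.

Added example, not part of the original mailing-list thread. Requires the
third-party `cryptography` package. All certificates here are constructed
locally; nothing is read from a real Grid credential.
"""
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

PROXY_LABELS = ("proxy", "limited proxy")


def _window(cert):
    """Return (notBefore, notAfter) as timezone-aware UTC datetimes."""
    nb = getattr(cert, "not_valid_before_utc", None)  # cryptography >= 42
    if nb is not None:
        return nb, cert.not_valid_after_utc
    utc = dt.timezone.utc  # older releases expose naive UTC datetimes
    return (cert.not_valid_before.replace(tzinfo=utc),
            cert.not_valid_after.replace(tzinfo=utc))


def make_self_signed_user_cert(cn, days=30, key_size=2048):
    """Stand-in for the user's long-lived certificate (constructed, self-signed)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = dt.datetime.now(dt.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())   # rule 2: serial is arbitrary
            .not_valid_before(now)
            .not_valid_after(now + dt.timedelta(days=days))
            .sign(key, hashes.SHA256()))
    return cert, key


def derive_proxy(parent_cert, parent_key, lifetime, limited=False, key_size=2048):
    """Create the next-level proxy. The caller may pick any key size (rule 4)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    # Rule 1: subject = parent's subject plus one more CN=proxy / CN=limited proxy.
    label = "limited proxy" if limited else "proxy"
    subject = x509.Name(list(parent_cert.subject)
                        + [x509.NameAttribute(NameOID.COMMON_NAME, label)])
    # Rule 3: validity must nest inside the parent's window.
    now = dt.datetime.now(dt.timezone.utc)
    p_nb, p_na = _window(parent_cert)
    not_before = max(now, p_nb)
    not_after = min(now + lifetime, p_na)
    if not_after <= not_before:
        raise ValueError("parent proxy has expired; nothing to delegate")
    cert = (x509.CertificateBuilder()
            .subject_name(subject)
            .issuer_name(parent_cert.subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(not_before)
            .not_valid_after(not_after)
            .sign(parent_key, hashes.SHA256()))  # rule 5: signed by the old proxy
    return cert, key


def check_proxy(child, parent):
    """Relying-party checks for one derivation step; returns a list of problems."""
    problems = []
    parent_rdns, child_rdns = list(parent.subject), list(child.subject)
    # A limited proxy is meant to be the last derivation (rule 1).
    if parent_rdns and parent_rdns[-1].value == "limited proxy":
        problems.append("parent is a limited proxy; further derivation not allowed")
    if child.issuer != parent.subject:
        problems.append("issuer does not match parent subject")
    if child_rdns[:-1] != parent_rdns:
        problems.append("subject is not the parent subject plus one RDN")
    elif (child_rdns[-1].oid != NameOID.COMMON_NAME
          or child_rdns[-1].value not in PROXY_LABELS):
        problems.append("last RDN must be CN=proxy or CN=limited proxy")
    p_nb, p_na = _window(parent)
    c_nb, c_na = _window(child)
    if c_nb < p_nb:
        problems.append("notBefore is earlier than the parent's")
    if c_na > p_na:
        problems.append("notAfter is later than the parent's")
    try:
        parent.public_key().verify(child.signature, child.tbs_certificate_bytes,
                                   padding.PKCS1v15(), child.signature_hash_algorithm)
    except InvalidSignature:
        problems.append("signature was not made by the parent key")
    return problems


if __name__ == "__main__":
    user, ukey = make_self_signed_user_cert("Ian Johnson", days=10)
    p1, k1 = derive_proxy(user, ukey, dt.timedelta(hours=12))
    p2, k2 = derive_proxy(p1, k1, dt.timedelta(days=30))  # clamped to p1's notAfter
    print(p2.subject.rfc4514_string(), check_proxy(p2, p1))
```

The 30-day lifetime requested for the second-level proxy is silently clamped to the first-level proxy's notAfter, which is the behaviour rule 3 asks for; a relying party that only checked the signature would still accept a proxy that outlives its parent, so `check_proxy` tests the window explicitly.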