Bugzilla – Bug 1710
CoG delegated proxy modulus size
Last modified: 2005-12-05 17:10:45
I've run into an issue with the CoG proxy delegation performance. In the C
implementation of the GSSAPI in Globus 2.4 the delegated proxy modulus size
defaulted to 512 bits. (In fact for proxies explicitly accepted with
gss_accept_delegation() I think they have to be 512 bits).
In the CoG GSSAPI the modulus size is calculated in a different way. The bit
size is taken from the accepting context. In our case this is a service context
initialised from a host certificate. Our host certificates happened to be 2048
bits, and we saw a considerable performance fall off for the calculation of the
certificate request during proxy delegation.
I'd like to know if this is intentional behaviour - and if so whether it might
be worthwhile allowing for a mechanism to specify the key size of the delegated

This looks like an interesting problem. I'd like to hear your thoughts on this. We
naturally could add the parameter once Jerek is back, but I wonder if the C code
has actually something missing. As I am not so familiar with the C code, I am
curious to hear your response to this. You can stop in my office and tell me, I
will then post a summary of the discussion.

This has been discussed internally a while ago. The key size should indeed be
configurable (in C an env var, in Java the same env var propagated as a
property?) as the required key size of the delegated credential depends on
external security requirements from the application layer and deployment

Is this sufficient e.g. if we have environments with different length and

I was wondering why in particular the proxy size was taken from the service
context. What about adding the possibility of defaulting it to the size of the
last credential in the chain of the current connection?

My feeling is that it may be useful to be able to direct the behaviour from the
environment. A specific site may wish to enforce the policy of only producing
proxies with the same key size they have used for the service certificates. Or
(often, I would guess) they would be happy if the whole delegation chain was
kept at the same size.

I bumped up the severity, since it causes us some quite serious performance

My original intention was to let the client control the key size (use the topmost
client certificate) but it looks like I mixed the variables.
Anyway, I'll wait for Sam's input to decide on client control or env. variable
(or both?) control before working on this.

I modified the code so that the key length is determined from the topmost
client certificate (as it was supposed to be originally). Fix committed to CVS.