NAME
       lcmaps_verify_proxy.mod  -  LCMAPS plugin to verify a certificate chain
       including proxies


SYNOPSIS
       lcmaps_verify_proxy.mod [--allow-limited-proxy]
       [-certdir|-cadir <certificate_directory>] [--disallow-limited-proxy]
       [--discard_private_key_absence]
       [--max-proxy-level-ttl=<level>|--max-proxy-level-ttl@<level> <timeperiod>]
       [--max-voms-ttl <timeperiod>] [--never_discard_private_key_absence]
       [--only-enforce-lifetime-checks] [--require-limited-proxy]

DESCRIPTION
       This plugin tests whether the presented proxy certificate is authentic.
       This is done using OpenSSL methods to verify the certificate chain and
       to check that the End-Entity Certificate has not been revoked, using
       CRLs or OCSP(*). In an lcmaps.db(5) file it is advised to run this
       plug-in as the first plug-in and to fail the policy if there is no
       other way of verifying the input credentials.

       Additionally, this plug-in can impose other policies, such as proxy and
       VOMS lifetime restrictions, or require that the certificate chain is
       offered in a certain way, e.g. with a limited proxy or (optionally)
       without a private key.

       The plug-in takes its input from the LCMAPS framework. The certificate
       chain comes from the registered (derived) STACK_OF(X509) * and the
       private key (when available) is taken from the registered PEM string.

       The certificate chain is checked and verified by OpenSSL; in addition
       to those checks, this plug-in also performs semantic checks on the
       certificate chain based on how GT2, GT3 and RFC 3820 proxy certificates
       are to be constructed and used.

OPTIONS
       --allow-limited-proxy
              When enabled, allow the certificate chain to contain a limited
              proxy certificate. GT2, GT3 and RFC limited proxies are treated
              as equal.

       -certdir | -cadir <certificate_directory>
              This option sets the directory used to find the CA certificates,
              CRLs and other files used in the verification process of the
              presented certificate chain. This option is overridden by the
              option --only-enforce-lifetime-checks.

       --disallow-limited-proxy
              When enabled, all uses of limited proxies are prohibited and
              treated as a failure condition. GT2, GT3 and RFC limited proxies
              are treated as equal.

       --discard_private_key_absence
              When enabled, the plug-in verification process will not fail on
              the absence of the private key. Having a private key to present
              is part of the proof of possession of the certificate chain and
              its delegations, and is therefore a fundamental part of the user
              credentials. Discarding the private key check is useful in cases
              where another process has already established trust in the user
              credentials by performing the private key proof-of-possession
              steps. Example: this feature can be enabled in deployments where
              gLExec is part of the CREAM CE; the CREAM CE's SSL handshake
              ensures that fully verified credentials get passed down. Counter
              example: this feature is not enabled in a gLExec-on-the-WN
              deployment, as gLExec needs to ensure that the pilot-job payload
              credentials are fully verified before account mapping occurs.

       --max-proxy-level-ttl=<level> | --max-proxy-level-ttl@<level> <timeperiod>
              Set a maximum on the allowed validity period of the proxy
              certificate at a specific delegation <level>. The first
              delegation after an EEC certificate is <level> 0. This
              delegation level could be used in a MyProxy. A typical setting
              would be 14d-00:00 to allow for a MyProxy certificate with a
              validity period of two weeks.

              A special <level> is indicated by an l or L. This is the leaf
              proxy, also known as the final delegation. A safe setting for
              this would be 1d-00:00 to allow a proxy certificate validity
              period of 1 day (24 hours).

              Set the <timeperiod> in the following format:
              [0-99]d-[0-23]:[00-59]. For example 2d-13:37.

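       The following Python is an added illustration, not part of the plug-in's
       own code: it parses the <timeperiod> format and the --max-proxy-level-ttl
       level syntax described above and checks a chain's per-delegation proxy
       lifetimes against those limits. The sample limits and chain are
       constructed, and the rule that a leaf proxy must satisfy both its
       numeric-level limit and the l limit is an assumption.

```python
import re
from datetime import timedelta

# <timeperiod> as documented: [0-99]d-[0-23]:[00-59], e.g. "2d-13:37"
_TIMEPERIOD_RE = re.compile(r"^(\d{1,2})d-(\d{1,2}):(\d{2})$")
_LEVEL_OPT_RE = re.compile(r"^--max-proxy-level-ttl[=@](\w+)$")

def parse_timeperiod(text):
    """Turn a <timeperiod> string into a timedelta; reject anything off-format."""
    m = _TIMEPERIOD_RE.match(text)
    if not m:
        raise ValueError(f"bad timeperiod {text!r}, expected [0-99]d-[0-23]:[00-59]")
    days, hours, minutes = (int(g) for g in m.groups())
    if hours > 23 or minutes > 59:
        raise ValueError(f"hours/minutes out of range in {text!r}")
    return timedelta(days=days, hours=hours, minutes=minutes)

def parse_level(text):
    """Delegation level: '0', '1', ... -> int; 'l' or 'L' -> the leaf proxy."""
    return "leaf" if text.lower() == "l" else int(text)

def parse_ttl_options(args):
    """Collect {level: max timedelta} from argument pairs such as
    ['--max-proxy-level-ttl@0', '14d-00:00', '--max-proxy-level-ttl=l', '1d-00:00']."""
    limits, it = {}, iter(args)
    for arg in it:
        m = _LEVEL_OPT_RE.match(arg)
        if m:
            limits[parse_level(m.group(1))] = parse_timeperiod(next(it))
    return limits

def check_proxy_ttls(proxy_lifetimes, limits):
    """proxy_lifetimes[0] is the first delegation after the EEC (level 0); the
    last entry is the leaf proxy.  Returns a list of (level, lifetime, limit)
    violations; empty means every configured limit holds.  Assumption: a leaf
    proxy must satisfy both its numeric-level limit and the 'l' limit."""
    violations = []
    last = len(proxy_lifetimes) - 1
    for level, lifetime in enumerate(proxy_lifetimes):
        for key in ((level, "leaf") if level == last else (level,)):
            limit = limits.get(key)
            if limit is not None and lifetime > limit:
                violations.append((key, lifetime, limit))
    return violations

# Constructed sample: a 14-day MyProxy delegation followed by a leaf proxy.
SAMPLE_LIMITS = parse_ttl_options(["--max-proxy-level-ttl@0", "14d-00:00",
                                   "--max-proxy-level-ttl=l", "1d-00:00"])
SAMPLE_CHAIN_OK = [timedelta(days=14), timedelta(hours=12)]   # passes
SAMPLE_CHAIN_BAD = [timedelta(days=14), timedelta(days=3)]    # leaf too long
```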
       --max-voms-ttl <timeperiod>
              Set a maximum on the allowed validity period of the VOMS
              credentials (when present). Using VOMS credentials with a
              validity period longer than the set <timeperiod> will result in a

       --never_discard_private_key_absence
              This setting overrides the option --discard_private_key_absence
              and the environment variable
              $VERIFY_PROXY_DISCARD_PRIVATE_KEY_ABSENCE, which has the same
              effect.

       --only-enforce-lifetime-checks
              When enabled, this option bypasses all verification steps and
              only performs the lifetime checks configured by
              --max-proxy-level-ttl and/or --max-voms-ttl. This option is well
              suited to a Globus Gatekeeper, GridFTPd and/or GSI-OpenSSHd
              deployment.

       --require-limited-proxy
              Explicitly require the certificate chain to have a limited proxy
              as the final delegation. The plug-in will fail if the
              certificate chain does not have a limited proxy.


NOTES
       (*) OCSP is not functional and will be added when either the CA/B Forum
       or the IGTF publishes a clear profile.

BUGS
       Please report any errors to the Nikhef Grid Middleware Security Team


SEE ALSO
       lcmaps.db(5), lcmaps(3).


AUTHORS
       LCMAPS and the LCMAPS plug-ins were written by the Grid Middleware
       Security Team <>.

                               October 31, 2012     LCMAPS_VERIFY_PROXY.MOD(8)