Legacy Issue Number: 2867
Clarification is needed on the passing of credentials.
Section 4.7.3 states that "Since all proxies will have access to the IOR of
the target object, and the certificate of the client, they can judge whether
this client may use a pass-through connection or not." Section 4.12 states
that "When a client establishes a normal connection to a target via a
trusted proxy and uses a secure transport (e.g. IIOP/SSL), in order to
achieve end-to-end authentication, the proxy will have to forward the
client's certificate/identity to the server." Section 4.12 implies that the
ForwardedIdentity service context will only be used when using a secure
transport, but section 4.7.3 implies that the client certificate will always
be available. In fact, the ForwardedIdentity service context should only be
used in the case of a NORMAL connection using a secure transport because
those are the only conditions under which there is a notion of trust between
a requestor and the recipient of that request. This means that the only
mechanism upon which to base a decision of whether or not to allow a
PASSTHRU connection is the source host address/port.
Reported: CORBA 2.3.1 — Tue, 24 Aug 1999 04:00 GMT
Disposition: Deferred — CORBA 3.4
This proposal was generated automatically by request of the Task Force Chair Adam Mitz.
Updated: Wed, 1 Feb 2023 21:59 GMT