There was an operation notice which required that the lifetime of a proxy certificate and VOMS attribute issued by a VOMS server should be limited to a maximum of 24 hours. This however has not been properly enforced. The recent security incident has also highlighted this issue.

By design, a proxy certificate is a short-term credential as per RFC 3820 and no revocation is supported. If a proxy certificate with a long lifetime was exposed/compromised, the corresponding classic End Entity Certificate (EEC) must be revoked in order to contain the incident.

Grid middleware such as WMS has already been able to renew VOMS proxy certificates for a long time. The lifetime of a VOMS attribute is controlled by the VOMS server, and the lifetime is a configurable feature of the VOMS server. Thus, support and cooperation from VOs on this matter is required.

To proceed on this matter, a strategic decision from EGI on how to enforce constraining proxy lifetime is required. This will then need to be translated into a strategic requirement to

- all Technology Providers to prepare their delivered Middleware to support proxy renewal and to fully support RFC 3820 proxy certificates, and
- all VOs to constrain the lifetime of VOMS attributes via their VOMS servers.

Please let me know if there is any problem.

Cheers,
Mingchao