@msalle, @andrei asked me about the policy conformity of sending a private key over HTTPS when using rcauth. Is there some documentation about this, confirming that it’s fine sending a private key over HTTPS? I understood that in the past it’s something that was seen as problematic.
Hi @baptiste @andrei, For proxies there isn’t really much policy. For end-entity-cert private keys, see IGTF Private Key protection guidelines. Note that in the case of RCauth, the MasterPortal does a full ‘delegation’ with the RCauth CA (which means no private key over the line), while towards the VO Portals a complete but short-lived proxy is returned without a delegation step, so including private key. Both are done of HTTPS, where the client is authenticating using its OIDC client credentials (i.e. effectively mutually authenticated).