Recasting untrusted certs to public causes inconsistent access behavior for users
KNB recasts a connection with an untrusted certificate to public, so that a client does not get "less than public" privileges.
GMN throws an InvalidToken in this situation.
Both refuse connections from clients with expired certificates from trusted CAs.
This approach can cause confusion when the user unwittingly uses an untrusted certificate and doesn't get what they expected. If these connections were instead refused, the user would be alerted and could reconnect as a public user, if they chose.
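The two policies side by side, as an added model (not KNB's or GMN's code): an untrusted certificate is either recast to the public subject or refused, and the consequence shows up only when the client asks for something that public cannot read. Subject names, the `ClientCert` shape and the epoch-style `not_after`/`now` values are constructed for illustration.

```python
from dataclasses import dataclass

PUBLIC = "public"  # symbolic subject for an unauthenticated client (constructed label)

@dataclass
class ClientCert:
    subject: str         # distinguished name the cert asserts
    issuer_trusted: bool  # signed by a CA in the node's trust store?
    not_after: float     # expiry, epoch seconds (constructed scale)

class ConnectionRefused(Exception):
    """Node refuses the TLS connection outright."""

class NotAuthorized(Exception):
    """Resolved subject lacks permission on the object."""

def resolve_subject(cert, now, recast_untrusted):
    """Map a presented certificate to the subject the node acts as.

    recast_untrusted=True models KNB (untrusted CA -> public);
    False models GMN (untrusted CA -> rejected, like InvalidToken).
    Expired certs from trusted CAs are refused under both policies."""
    if cert is None:
        return PUBLIC
    if cert.issuer_trusted and cert.not_after < now:
        raise ConnectionRefused("expired certificate from trusted CA")
    if not cert.issuer_trusted:
        if recast_untrusted:
            return PUBLIC  # silent downgrade: the client is never told
        raise ConnectionRefused("certificate not signed by a trusted CA")
    return cert.subject

def read_object(cert, now, recast_untrusted, acl):
    """acl: set of subjects allowed to read; PUBLIC in acl means open access."""
    subject = resolve_subject(cert, now, recast_untrusted)
    if subject in acl or PUBLIC in acl:
        return subject
    raise NotAuthorized(f"{subject} may not read this object")

def outcome(cert, now, recast_untrusted, acl):
    """Label what the client would observe under the chosen policy."""
    try:
        return "read as " + read_object(cert, now, recast_untrusted, acl)
    except ConnectionRefused:
        return "connection refused"
    except NotAuthorized:
        return "not authorized"
```

Under the recast policy a user whose name is on the ACL but whose cert is untrusted sees only "not authorized", with no hint that the certificate was the problem; under the refuse policy the same user sees the refusal immediately.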
Brief discussion at line 97 of: http://epad.dataone.org/20120131-authn-authz-questions
- When would honest users be in this situation?
- Elicit the advantages of the recasting approach.
- Either way, DataONE should implement uniform behavior across the CN and MNs.