[AG-TECH] room node certificates

Ivan R. Judson judson at mcs.anl.gov
Mon Sep 29 10:18:10 CDT 2003


Hi Frank, 

Yes there are. Here's our policy on signing certs:

1) CNs need to be a real person's name, not a node name, cryptic string, or
the login that's part of the email
2) We don't have service certs yet, so those shouldn't be in the CN
3) We don't sign certs that come from users with unverifiable email
addresses (hotmail, yahoo, earthlink, etc) unless the recipient is known out
of band of the request and can be vouched for.

So, #2 is the point that you're making -- since we don't have service certs,
the only valid thing in a CN right now is a name, where name should be
"<first name> <optional middle initial or name> <last name>".

We somehow have had certificates slip through that don't follow these
policies, but we'll be working on converting them to real identity
certificates. The logic behind this policy is pretty simple: identity certs
identify individuals, and therefore should have an individual's name as the CN.

--Ivan

> -----Original Message-----
> From: owner-ag-tech at mcs.anl.gov 
> [mailto:owner-ag-tech at mcs.anl.gov] On Behalf Of Frank Sweetser
> Sent: Monday, September 29, 2003 10:08 AM
> To: ag-tech at mcs.anl.gov
> Subject: [AG-TECH] room node certificates
> 
> 
> I've noticed that a fair number of sites are appearing with 
> certificates identifying the site, rather than the individual 
> operator.  Are there any guidelines for requesting and using 
> site certs (ie, for "WPI" rather than "Frank Sweetser")?
> 
> -- 
> Frank Sweetser fs at wpi.edu
> WPI Network Engineer
> 
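The three signing rules above, turned into a pre-signing check. This is an added example, not Ivan's or the Access Grid project's code: it parses an RFC 4514 style subject string (CN=...,O=...,emailAddress=...), then reports which rule a request breaks. The webmail domain list is the one the post names, the name pattern is an assumption about "<first> <optional middle> <last>", and the function names are mine.

```python
import re

# Domains the post treats as unverifiable; the set is an assumption drawn from
# the post's examples (hotmail, yahoo, earthlink), extend it as needed.
UNVERIFIABLE_DOMAINS = {"hotmail.com", "yahoo.com", "earthlink.net"}

# "<first name> <optional middle initial or name> <last name>".
# Assumption: Latin letters, apostrophes and hyphens; a middle initial may carry
# a trailing period. Real names are more varied, so treat a mismatch as "needs a
# human look", not as proof the CN is wrong.
NAME_RE = re.compile(
    r"^[A-Z][A-Za-z'\-]+"            # first name
    r"(?: [A-Z](?:\.|[A-Za-z'\-]+)?)?"  # optional middle initial or name
    r" [A-Z][A-Za-z'\-]+$"           # last name
)


def parse_dn(dn: str) -> dict:
    """Split 'CN=Doe\\, John,O=WPI' into {'CN': 'Doe, John', 'O': 'WPI'}.

    Handles backslash-escaped commas and equals signs; attribute types are
    kept as written (CN, O, emailAddress, ...).
    """
    attrs, buf, key, in_key, i = {}, [], "", True, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):     # escaped character: take it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if in_key and c == "=":               # end of attribute type
            key, buf, in_key = "".join(buf).strip(), [], False
        elif not in_key and c == ",":         # end of attribute value
            attrs[key], buf, in_key = "".join(buf).strip(), [], True
        else:
            buf.append(c)
        i += 1
    if not in_key:                            # flush the last value
        attrs[key] = "".join(buf).strip()
    return attrs


def check_request(dn: str, vouched: bool = False) -> list:
    """Return the list of policy violations for a request subject (empty = OK).

    vouched=True means the requester is known out of band, which is the one
    exception the post allows for rule 3.
    """
    attrs = parse_dn(dn)
    cn = attrs.get("CN", "")
    email = attrs.get("emailAddress", "") or attrs.get("E", "")
    local, _, domain = email.partition("@")
    domain = domain.lower()
    problems = []

    # Rule 1 (and rule 2, since a service name is also not a person's name):
    # the CN must be a person's name, not a node name, cryptic string or the
    # login part of the e-mail address.
    if local and cn.lower() == local.lower():
        problems.append("CN '%s' is the login part of the e-mail address" % cn)
    elif not NAME_RE.match(cn):
        problems.append(
            "CN '%s' is not a person's name (<first> [middle] <last>)" % cn)

    # Rule 3: unverifiable e-mail domain unless the requester is vouched for.
    if domain in UNVERIFIABLE_DOMAINS and not vouched:
        problems.append(
            "e-mail domain '%s' is unverifiable and requester is not vouched for"
            % domain)
    return problems


if __name__ == "__main__":
    # Constructed sample requests, not real CSRs.
    for dn, vouched in [
        ("CN=Frank Sweetser,O=WPI,emailAddress=fs@wpi.edu", False),
        ("CN=wpi-node1,O=WPI,emailAddress=fs@wpi.edu", False),
        ("CN=jdoe,O=Example,emailAddress=jdoe@example.edu", False),
        ("CN=Jane Q. Doe,emailAddress=jqdoe@hotmail.com", False),
        ("CN=Jane Q. Doe,emailAddress=jqdoe@hotmail.com", True),
    ]:
        print(dn, "->", check_request(dn, vouched) or "OK")
```

The check only looks at the subject and e-mail attributes, so run it on the CSR's subject before signing; it does not verify the key, the signature on the request, or that the e-mail address actually reaches the named person, which still needs the out-of-band step the post describes.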



