[AG-TECH] room node certificates

Frank Sweetser fs at WPI.EDU
Mon Sep 29 10:26:42 CDT 2003


On Mon, Sep 29, 2003 at 10:18:10AM -0500, Ivan R. Judson wrote:
> 
> Hi Frank, 
> 
> Yes there are. Here's our policy on signing certs:
> 
> 1) CN's need to be a real person's name, not a node name, cryptic string, or
> the login that's part of the email
> 2) We don't have service certs yet, so those shouldn't be in the CN
> 3) We don't sign certs that come from users with unverifiable email
> addresses (hotmail, yahoo, earthlink, etc) unless the recipient is known out
> of band of the request and can be vouched for.
> 
> So, #2 is the point that you're making -- since we don't have service certs;
> the only valid thing in a CN right now is a name, where name should be
> "<first name> <optional middle initial or name> <last name>".

Ah - so, let me see if I have this right.

For a typical room node, the room based services (cameras, display, audio)
would be started up with AGServiceManager and AGNodeService pointed at a
non-signed certificate that identifies itself as the room facility (i.e., "WPI
Access Grid Node").  The Venue Client would then be started up without
--personalNode with the signed user cert and attach to the node, with the
profile optionally edited to also identify itself as the room facility with a
role of node instead of user.  This way, everything identifies itself as a
part of the room node rather than the individual, but with the certificate,
the operator can still be identified.

Correct?

-- 
Frank Sweetser fs at wpi.edu
WPI Network Engineer
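An added example, not part of this thread or of the Access Grid software: a small checker that applies the three signing-policy rules quoted above to a request's CN and e-mail address. The name pattern, the free-mail domain list and the list of node/service words are assumptions made for the example.

```python
import re

# Constructed for the example: a CA operator would maintain its own lists.
FREEMAIL_DOMAINS = {"hotmail.com", "yahoo.com", "earthlink.net"}
SERVICE_WORDS = {"node", "service", "manager", "venue", "server"}

# Rule 1 as stated in the thread: "<first name> <optional middle initial
# or name> <last name>".  Capitalised words; a middle initial may carry a
# trailing period; a hyphenated last name is allowed.
PERSON_NAME_RE = re.compile(
    r"^[A-Z][a-z]+(?: [A-Z](?:[a-z]+|\.)?)? [A-Z][a-z]+(?:-[A-Z][a-z]+)?$"
)


def check_cn_policy(cn, email, vouched_out_of_band=False):
    """Return the list of policy violations; an empty list means the
    request may be signed under the quoted policy."""
    problems = []
    local, _, domain = email.rpartition("@")
    if not local or not domain:
        problems.append("email address is malformed")
        return problems

    # Rule 1: CN must be a real person's name, not a login or cryptic string.
    if not PERSON_NAME_RE.match(cn):
        problems.append("CN is not of the form '<first> [middle] <last>'")
    if cn.lower() == local.lower():
        problems.append("CN is the login part of the email address")

    # Rule 2: no service certs yet, so node/service names are not valid CNs.
    if any(word in SERVICE_WORDS for word in cn.lower().split()):
        problems.append("CN names a node or service; service certs are not issued")

    # Rule 3: unverifiable (free-mail) addresses need out-of-band vouching.
    if domain.lower() in FREEMAIL_DOMAINS and not vouched_out_of_band:
        problems.append("email domain is unverifiable and requester is not vouched for")
    return problems


if __name__ == "__main__":
    # Constructed sample requests, one per policy rule.
    for cn, email, vouched in [("Frank Sweetser", "fs@wpi.edu", False),
                               ("WPI Access Grid Node", "fs@wpi.edu", False),
                               ("Jane Doe", "jane@hotmail.com", False),
                               ("Jane Doe", "jane@hotmail.com", True)]:
        print(cn, email, check_cn_policy(cn, email, vouched) or "OK")
```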
