[AG-TECH] room node certificates

Allan Spale aspale at evl.uic.edu
Mon Sep 29 11:00:07 CDT 2003


Ivan,

From a node operator perspective, is it recommended for each node operator
to have his/her own certificate in order to use the AG?  If so, how would
you go about doing that?

Thanks.


Allan
EVL at UIC
Research Assistant

On Mon, 29 Sep 2003, Ivan R. Judson wrote:

> 
> Hi Frank, 
> 
> Yes there are. Here's our policy on signing certs:
> 
> 1) CN's need to be a real person's name, not a node name, cryptic string, or
> the login that's part of the email
> 2) We don't have service certs yet, so those shouldn't be in the CN
> 3) We don't sign certs that come from users with unverifiable email
> addresses (hotmail, yahoo, earthlink, etc) unless the recipient is known out
> of band of the request and can be vouched for.
> 
> So, #2 is the point that you're making -- since we don't have service certs;
> the only valid thing in a CN right now is a name, where name should be
> "<first name> <optional middle initial or name> <last name>".
> 
> We somehow have had certificates slip through that don't follow these
> policies, but we'll be working on converting them to real identity
> certificates. The logic behind this policy is pretty simple, identity certs
> identify individuals, therefore should have an individual's name as the CN.
> 
> --Ivan
> 
> > -----Original Message-----
> > From: owner-ag-tech at mcs.anl.gov 
> > [mailto:owner-ag-tech at mcs.anl.gov] On Behalf Of Frank Sweetser
> > Sent: Monday, September 29, 2003 10:08 AM
> > To: ag-tech at mcs.anl.gov
> > Subject: [AG-TECH] room node certificates
> > 
> > 
> > I've noticed that a fair number of sites are appearing with 
> > certificates identifying the site, rather than the individual 
> > operator.  Are there any guidelines for requesting and using 
> > site certs (ie, for "WPI" rather than "Frank Sweetser")?
> > 
> > -- 
> > Frank Sweetser fs at wpi.edu
> > WPI Network Engineer
> > 
> 



