[AG-TECH] room node certificates
Ivan R. Judson
judson at mcs.anl.gov
Mon Sep 29 11:22:31 CDT 2003
Yes, each individual who uses the AG should have their own certificate; the
certificate request tools in the new software make this simple.
> -----Original Message-----
> From: Allan Spale [mailto:aspale at evl.uic.edu]
> Sent: Monday, September 29, 2003 11:00 AM
> To: Ivan R. Judson
> Cc: 'Frank Sweetser'; ag-tech at mcs.anl.gov
> Subject: RE: [AG-TECH] room node certificates
>
>
> Ivan,
>
> From a node operator perspective, is it recommended for each
> node operator to have his/her own certificate in order to use
> the AG? If so, how would you go about doing that?
>
> Thanks.
>
>
> Allan
> EVL at UIC
> Research Assistant
>
> On Mon, 29 Sep 2003, Ivan R. Judson wrote:
>
> >
> > Hi Frank,
> >
> > Yes there are. Here's our policy on signing certs:
> >
> > 1) CN's need to be a real person's name, not a node name, cryptic
> > string, or the login that's part of the email
> > 2) We don't have service certs yet, so those shouldn't be in the CN
> > 3) We don't sign certs that come from users with unverifiable email
> > addresses (hotmail, yahoo, earthlink, etc) unless the recipient is
> > known out of band of the request and can be vouched for.
> >
> > So, #2 is the point that you're making -- since we don't have service
> > certs; the only valid thing in a CN right now is a name, where name
> > should be "<first name> <optional middle initial or name> <last
> > name>".
> >
> > We somehow have had certificates slip through that don't follow these
> > policies, but we'll be working on converting them to real identity
> > certificates. The logic behind this policy is pretty simple: identity
> > certs identify individuals, therefore should have an individual's name
> > as the CN.
> >
> > --Ivan
> >
> > > -----Original Message-----
> > > From: owner-ag-tech at mcs.anl.gov
> > > [mailto:owner-ag-tech at mcs.anl.gov] On Behalf Of Frank Sweetser
> > > Sent: Monday, September 29, 2003 10:08 AM
> > > To: ag-tech at mcs.anl.gov
> > > Subject: [AG-TECH] room node certificates
> > >
> > >
> > > I've noticed that a fair number of sites are appearing with
> > > certificates identifying the site, rather than the individual
> > > operator. Are there any guidelines for requesting and using
> > > site certs (ie, for "WPI" rather than "Frank Sweetser")?
> > >
> > > --
> > > Frank Sweetser fs at wpi.edu
> > > WPI Network Engineer
> > >
> >
>