[AG-TECH] room node certificates

Michael Miller mimiller at ncsa.uiuc.edu
Mon Sep 29 11:56:43 CDT 2003


Allan,

I've got my AG cert and key on a 128MB usb pen drive.  I can just plug it 
in to any of our machines and create a proxy from it.  I also put all the 
installers needed for AG on it.   With a reasonably up to date machine, I 
can have an AG node within an hour or so...

Michael Miller
NCSA


At 11:00 AM 9/29/2003, Allan Spale wrote:
>Ivan,
>
>From a node operator perspective, is it recommended for each node operator
>to have his/her own certificate in order to use the AG?  If so, how would
>you go about doing that?
>
>Thanks.
>
>
>Allan
>EVL at UIC
>Research Assistant
>
>On Mon, 29 Sep 2003, Ivan R. Judson wrote:
>
> >
> > Hi Frank,
> >
> > Yes there are. Here's our policy on signing certs:
> >
> > 1) CN's need to be a real person's name, not a node name, cryptic string, or
> > the login that's part of the email
> > 2) We don't have service certs yet, so those shouldn't be in the CN
> > 3) We don't sign certs that come from users with unverifiable email
> > addresses (hotmail, yahoo, earthlink, etc) unless the recipient is known out
> > of band of the request and can be vouched for.
> >
> > So, #2 is the point that you're making -- since we don't have service certs;
> > the only valid thing in a CN right now is a name, where name should be
> > "<first name> <optional middle initial or name> <last name>".
> >
> > We somehow have had certificates slip through that don't follow these
> > policies, but we'll be working on converting them to real identity
> > certificates. The logic behind this policy is pretty simple, identity certs
> > identify individuals, therefore should have an individual's name as the CN.
> >
> > --Ivan
> >
> > > -----Original Message-----
> > > From: owner-ag-tech at mcs.anl.gov
> > > [mailto:owner-ag-tech at mcs.anl.gov] On Behalf Of Frank Sweetser
> > > Sent: Monday, September 29, 2003 10:08 AM
> > > To: ag-tech at mcs.anl.gov
> > > Subject: [AG-TECH] room node certificates
> > >
> > >
> > > I've noticed that a fair number of sites are appearing with
> > > certificates identifying the site, rather than the individual
> > > operator.  Are there any guidelines for requesting and using
> > > site certs (ie, for "WPI" rather than "Frank Sweetser")?
> > >
> > > --
> > > Frank Sweetser fs at wpi.edu
> > > WPI Network Engineer
> > >
> >

Thanx,

Michael Miller
System Engineer
Visualization Technology Support
Computing and Data Management
National Center for Supercomputing Applications
University of Illinois - UC
217-649-0747

"If you're clear in your vision and trust the people in your team with 
clear objectives, they will invariably do their best to achieve everything 
desired, and usually deliver everything you could have hoped for and even 
more." -Paul Debevec
