[AG-TECH] room node certificates
Ivan R. Judson
judson at mcs.anl.gov
Mon Sep 29 12:05:24 CDT 2003
An hour! Man we gotta fix that.
--ivan
> -----Original Message-----
> From: owner-ag-tech at mcs.anl.gov
> [mailto:owner-ag-tech at mcs.anl.gov] On Behalf Of Michael Miller
> Sent: Monday, September 29, 2003 11:57 AM
> To: Allan Spale
> Cc: 'Frank Sweetser'; ag-tech at mcs.anl.gov
> Subject: RE: [AG-TECH] room node certificates
>
>
> Allan,
>
> I've got my AG cert and key on a 128MB USB pen drive. I can just plug it
> in to any of our machines and create a proxy from it. I also put all the
> installers needed for AG on it. With a reasonably up to date machine, I
> can have an AG node within an hour or so...
>
> Michael Miller
> NCSA
>
>
> At 11:00 AM 9/29/2003, Allan Spale wrote:
> >Ivan,
> >
> >From a node operator perspective, is it recommended for each node operator
> >to have his/her own certificate in order to use the AG? If so, how
> >would you go about doing that?
> >
> >Thanks.
> >
> >
> >Allan
> >EVL at UIC
> >Research Assistant
> >
> >On Mon, 29 Sep 2003, Ivan R. Judson wrote:
> >
> > >
> > > Hi Frank,
> > >
> > > Yes there are. Here's our policy on signing certs:
> > >
> > > 1) CNs need to be a real person's name, not a node name, cryptic string, or
> > > the login that's part of the email
> > > 2) We don't have service certs yet, so those shouldn't be in the CN
> > > 3) We don't sign certs that come from users with unverifiable email
> > > addresses (hotmail, yahoo, earthlink, etc) unless the recipient is known out
> > > of band of the request and can be vouched for.
> > >
> > > So, #2 is the point that you're making -- since we don't have service certs;
> > > the only valid thing in a CN right now is a name, where name should
> > > be "<first name> <optional middle initial or name> <last name>".
> > >
> > > We somehow have had certificates slip through that don't follow
> > > these policies, but we'll be working on converting them to real
> > > identity certificates. The logic behind this policy is pretty
> > > simple, identity certs identify individuals, therefore should have
> > > an individual's name as the CN.
> > >
> > > --Ivan
> > >
> > > > -----Original Message-----
> > > > From: owner-ag-tech at mcs.anl.gov [mailto:owner-ag-tech at mcs.anl.gov]
> > > > On Behalf Of Frank Sweetser
> > > > Sent: Monday, September 29, 2003 10:08 AM
> > > > To: ag-tech at mcs.anl.gov
> > > > Subject: [AG-TECH] room node certificates
> > > >
> > > >
> > > > I've noticed that a fair number of sites are appearing with
> > > > certificates identifying the site, rather than the individual
> > > > operator. Are there any guidelines for requesting and using site
> > > > certs (ie, for "WPI" rather than "Frank Sweetser")?
> > > >
> > > > --
> > > > Frank Sweetser fs at wpi.edu
> > > > WPI Network Engineer
> > > >
> > >
>
> Thanx,
>
> Michael Miller
> System Engineer
> Visualization Technology Support
> Computing and Data Management
> National Center for Supercomputing Applications
> University of Illinois - UC
> 217-649-0747
>
> "If you're clear in your vision and trust the people in your team with
> clear objectives, they will invariably do their best to achieve everything
> desired, and usually deliver everything you could have hoped for and even
> more." -Paul Debevec
>