[AG-TECH] Life of 'service' cert
Randy Groves
randy.groves at boeing.com
Fri Apr 16 14:43:52 CDT 2004
I realize that this isn't the appropriate use of a service cert. But
here's my problem. I'm setting up a node in a conference room where people
are used to logging in on the conference room machine with their own
ID. Until such time as I (or someone) can modify the certificate system in
such a way that it pays attention, for instance, to certificates already
installed in IE (for example), or in Exchange/Outlook, having to require
that all users have/acquire a certificate is an unworkable situation. So,
right now, it's either a service cert, or telling everybody the password to
the node.

I'm dealing, unfortunately, at an executive level here, and impediments like
having to acquire a certificate can become another reason not to adopt the
technology.

The restrictions in the authorization policy only apply if you have set up
some rules for the particular venue, though - right? I haven't had any
problem in my initial tests in entering venues.

There is also the issue, which I believe is already do-able, but I haven't
amassed the spare cycles to test, of having this whole system run using our
own CA and our own certificates.

-randy

At 09:47 PM 4/15/2004, Ivan R. Judson wrote:
>Passwordless certificates don't use proxies, so proxy lifetime doesn't
>matter. However, certificate validity does (it's generally 12 months).
>
>As an aside, service certificates are not intended to be used by users as
>identity certificates, there may well be parts of the authorization policy
>that specifically exclude services from some operations (like Enter).
>
>--Ivan
>
> > -----Original Message-----
> > From: owner-ag-tech at mcs.anl.gov
> > [mailto:owner-ag-tech at mcs.anl.gov] On Behalf Of Randy Groves
> > Sent: Thursday, April 15, 2004 9:47 PM
> > To: ag-tech at mcs.anl.gov
> > Subject: [AG-TECH] Life of 'service' cert
> >
> > If you use a 'service' cert (a host-type cert with no
> > password) for a venue client on a node - is there a lifetime
> > attached to the proxy? Or does it last forever?
> >
> > Same question on using these types of certs for a venue server.
> >
> > -randy
> >
> >
> >