[AG-TECH] Life of 'service' cert

Randy Groves randy.groves at boeing.com
Fri Apr 16 14:43:52 CDT 2004 

I realize that this isn't the appropriate use of a service cert.  But 
here's my problem.  I'm setting up a node in a conference room where people 
are used to logging in on the conference room machine with their own 
ID.  Until such time as I (or someone) can modify the certificate system in 
such a way what it pays attention, for instance, to certificates already 
installed in IE (for example), or in Exchange/Outlook, having to require 
that all users have/acquire a certificate is an unworkable situation.  So, 
right now, it's either a service cert, or telling everybody the password to 
the node.

I'm dealing, unfortunately at an executive level here, and impediments like 
having to acquire a certificate can become another reason not to adopt the 
technology.

The restrictions in the authorization policy only apply if you have set up 
some rules for the particular venue, though - right?    I haven't had any 
problem in my initial tests in entering venues.

There is also the issue, which I believe is already do-able, but I haven't 
amassed the spare cycles to test, of having this whole system run using our 
own CA and our own certificates.

-randy

At 09:47 PM 4/15/2004, Ivan R. Judson wrote:

>Password less certificates don't use proxies, so proxy lifetime doesn't
>matter. However, certificate validity does (it's generally 12 months).
>
>As an aside, service certificates are not intended to be used by users as
>identity certificates, there may well be parts of the authorization policy
>that specifically exclude services from some operations (like Enter).
>
>--Ivan
>
> > -----Original Message-----
> > From: owner-ag-tech at mcs.anl.gov
> > [mailto:owner-ag-tech at mcs.anl.gov] On Behalf Of Randy Groves
> > Sent: Thursday, April 15, 2004 9:47 PM
> > To: ag-tech at mcs.anl.gov
> > Subject: [AG-TECH] Life of 'service' cert
> >
> > If you use a 'service' cert (a host-type cert with no
> > password) for a venue client on a node - is there a lifetime
> > attached to the proxy?  Or does it last forever?
> >
> > Same question on using these type of certs for a venue server.
> >
> > -randy
> >
> >
> >

More information about the ag-tech mailing list