[AG-TECH] Life of 'service' cert

Ivan R. Judson judson at mcs.anl.gov
Fri Apr 16 15:34:07 CDT 2004


> I realize that this isn't the appropriate use of a service 
> cert.  But here's my problem.  I'm setting up a node in a 
> conference room where people are used to logging in on the 
> conference room machine with their own ID.  Until such time 
> as I (or someone) can modify the certificate system in such a 
> way that it pays attention, for instance, to certificates 
> already installed in IE (for example), or in 
> Exchange/Outlook, having to require that all users 
> have/acquire a certificate is an unworkable situation.  So, 
> right now, it's either a service cert, or telling everybody 
> the password to the node.

Right, that's why I didn't want to say "don't do it", just give a heads up.
We know the current situation is difficult in cases like yours, so we're
working on fixing that.
 
> I'm dealing, unfortunately at an executive level here, and 
> impediments like having to acquire a certificate can become 
> another reason not to adopt the technology.

Understood.
 
> The restrictions in the authorization policy only apply if you have set up 
> some rules for the particular venue, though - right?  I haven't had any 
> problem in my initial tests in entering venues.

Right, *if* we get things easier, those rules will be configured by default
in the next release. We're being very conservative in our priorities so that
we enable more usability with each new release, meanwhile introducing much
needed functionality :-)

--Ivan
 
> There is also the issue, which I believe is already do-able, 
> but I haven't amassed the spare cycles to test, of having 
> this whole system run using our own CA and our own certificates.
> 
> -randy
> 
> At 09:47 PM 4/15/2004, Ivan R. Judson wrote:
> 
> > Password-less certificates don't use proxies, so proxy lifetime doesn't 
> > matter. However, certificate validity does (it's generally 12 months).
> >
> > As an aside, service certificates are not intended to be used by users 
> > as identity certificates; there may well be parts of the authorization 
> > policy that specifically exclude services from some operations (like Enter).
> >
> > --Ivan
> >
> > > -----Original Message-----
> > > From: owner-ag-tech at mcs.anl.gov
> > > [mailto:owner-ag-tech at mcs.anl.gov] On Behalf Of Randy Groves
> > > Sent: Thursday, April 15, 2004 9:47 PM
> > > To: ag-tech at mcs.anl.gov
> > > Subject: [AG-TECH] Life of 'service' cert
> > >
> > > If you use a 'service' cert (a host-type cert with no
> > > password) for a venue client on a node - is there a lifetime 
> > > attached to the proxy?  Or does it last forever?
> > >
> > > Same question on using these type of certs for a venue server.
> > >
> > > -randy


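The thread's answer to the lifetime question, that a password-less service cert has no proxy and only its own notAfter date matters, can be turned into a node-side check. The script below is an added example, not code from the AG-TECH thread or the Access Grid project; it assumes the openssl CLI is installed and that host/service certs carry a Globus-style `CN=host/<fqdn>` subject (an assumption, not something the thread states).

```shell
#!/bin/sh
# Added example, not code from the AG-TECH thread or the Access Grid project.
# Audits a password-less "service" (host-type) cert on a node. Such a cert
# never goes through a proxy, so the only clock that matters is its own
# notAfter; and because its key has no passphrase, whoever can read the key
# file holds the identity. Assumes the openssl CLI and, for the service-cert
# check, the Globus-style "CN=host/<fqdn>" subject convention (an assumption).

# Exit 0 if the cert in $1 will still be valid $2 days from now, 1 otherwise.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Exit 0 if the subject marks $1 as a host/service cert (assumed convention).
cert_is_service_cert() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | grep -q 'CN=host/'
}

# Exit 0 if the PEM private key in $1 is stored without a passphrase.
key_is_passwordless() {
    ! grep -q 'ENCRYPTED' "$1"
}

# Constructed sample: a self-signed 365-day host cert with an unencrypted key,
# standing in for a service cert issued by the AG CA. Written into dir $1.
make_sample_service_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj '/O=Grid/CN=host\/node.example.org' \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Report on one cert/key pair; exit 1 if the cert needs renewal within 30 days.
audit_service_cert() {
    cert=$1; key=$2; rc=0
    if cert_is_service_cert "$cert"; then
        echo "NOTE: $cert is a host/service cert, not a user identity"
    fi
    if key_is_passwordless "$key"; then
        echo "WARN: $key has no passphrase; keep the file owner-readable only"
    fi
    if ! cert_valid_for_days "$cert" 30; then
        echo "WARN: $cert expires within 30 days; renew it"; rc=1
    fi
    return $rc
}
```

Run `audit_service_cert /path/to/cert.pem /path/to/key.pem` from cron on each node so a 12-month service cert is renewed before the venue client silently stops authenticating.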