[AG-TECH] Using service certificates for Nodes

Victor Babson vbabson at secsg.uga.edu
Thu Aug 4 22:57:57 CDT 2005


Rhys,

This is true.  Either certificate has this "vulnerability", but with the
scenario you were explaining, I made an assumption (as I have never used the
service certificate), and I was trying to interpret what you wrote...

If a service certificate doesn't need a pass phrase and it is always running
(this is the impression I got from your email), this means anyone could
connect to your feeds.  With an identity cert, you set the length (in hours)
the proxy should be valid.  So, in x hours (after my meeting is over) I know
my feeds are not available.  (I'm not sure if this is similar to the service
cert as I have not used them).  So to keep our site secure I require our
users to start the video and audio servers with a predetermined time limit
on the proxy.

Sorry if I caused any confusion as I should have better explained what I was
trying to say.

--Vic


-----Original Message-----
From: Rhys Hawkins [mailto:Rhys.Hawkins at anu.edu.au] 
Sent: Thursday, August 04, 2005 11:00 PM
To: vbabson at secsg.uga.edu
Cc: ag-tech at mcs.anl.gov
Subject: Re: [AG-TECH] Using service certificates for Nodes


Hi Vic,

I just did a test where I started up the service manager on our video
machine with the service certificate and from my desktop node using my
personal certificate, I was able to add the video machine as a service
manager in the node management and add producers etc. So in theory
anybody can do this which is clearly not a good thing.

So I put the identity certificate (different to the one on my desktop 
node) back on the video machine, and I can still add the video machine
as a service manager to my desktop node and add VideoProducer services!
Again in theory, anybody could do this or have I got something wrong?

Cheers,
    Rhys

On Thu, 2005-08-04 at 22:20 -0400, Victor M. Babson, Jr. wrote:
> IMHO,
> 
> The only drawback is one could connect to your audio/video servers from
> unintended computers, be it local or otherwise.  Of course, they would need
> your IPs, but if someone knows, they could eavesdrop.
> 
> --Vic
> 