[AG-TECH] Using service certificates for Nodes
Victor Babson
vbabson at secsg.uga.edu
Thu Aug 4 22:57:57 CDT 2005
Rhys,
This is true. Either certificate has this "vulnerability", but with the
scenario you were explaining, I made an assumption (as I have never used the
service certificate), and I was trying to interpret what you wrote...
If a service certificate doesn't need a pass phrase and it is always running
(this is the impression I got from your email), this means anyone could
connect to your feeds. With an identity cert, you set the length (in hours)
the proxy should be valid. So, in x hours (after my meeting is over) I know
my feeds are not available. (I'm not sure if this is similar to the service
cert as I have not used them). So to keep our site secure I require our
users to start the video and audio servers with a predetermined time limit
on the proxy.
Sorry if I caused any confusion as I should have better explained what I was
trying to say.
--Vic
-----Original Message-----
From: Rhys Hawkins [mailto:Rhys.Hawkins at anu.edu.au]
Sent: Thursday, August 04, 2005 11:00 PM
To: vbabson at secsg.uga.edu
Cc: ag-tech at mcs.anl.gov
Subject: Re: [AG-TECH] Using service certificates for Nodes
Hi Vic,
I just did a test where I started up the service manager on our video
machine with the service certificate and from my desktop node using my
personal certificate, I was able to add the video machine as a service
manager in the node management and add producers etc. So in theory
anybody can do this which is clearly not a good thing.
So I put the identity certificate (different to the one on my desktop
node) back on the video machine, and I can still add the video machine
as a service manager to my desktop node and add VideoProducer services!
Again in theory, anybody could do this or have I got something wrong?
Cheers,
Rhys
On Thu, 2005-08-04 at 22:20 -0400, Victor M. Babson, Jr. wrote:
> IMHO,
>
> The only drawback is one could connect to your audio/video servers from
> unintended computers, be it local or otherwise. Of course, they would need
> your IPs, but if someone knows, they could eavesdrop.
>
> --Vic
>