[19430] in cryptography@c2.net mail archive
Re: browser vendors and CAs agreeing on high-assurance certificat
daemon@ATHENA.MIT.EDU (Ben Laurie)
Tue Dec 27 16:59:22 2005
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
Date: Sat, 24 Dec 2005 17:41:40 +0000
From: Ben Laurie <ben@algroup.co.uk>
To: Ian G <iang@systemics.com>
Cc: leichter_jerrold@emc.com, pgut001@cs.auckland.ac.nz,
cryptography@metzdowd.com, jamesd@echeque.com, smb@cs.columbia.edu
In-Reply-To: <43AD851E.6080106@systemics.com>
Ian G wrote:
> Ben Laurie wrote:
>> Ian G wrote:
> ...
>>> http://wiki.cacert.org/wiki/VhostTaskForce
>
>>> (The big problem of course is that you can use
>>> one cert to describe many domains only if they
>>> are the same administrative entity.)
>>
>>
>> If they share an IP address (which they must, otherwise there's no
>> problem), then they must share a webserver, which means they can share a
>> cert, surely?
>
> Certainly they *can* share a cert. But a cert
> speaks to identity - at the human level the cert
> is supposed to (by some readings) indicate who
> the site is purporting to be and in some scenarios,
> there are people who think the cert actually
> proves that the site is who it claims to be.
>
> So regardless of the technical details of the
> underlying software (complex, I grant), websites
> SHOULD NOT share a cert.
I don't see why not - the technical details actually matter. Since the
servers will all share a socket, on any normal architecture, they'll all
have access to everyone's private keys. So, what is gained by having
separate certs?
I do agree that the process by which the additional names get added to
the main cert needs to reflect ownership of the name, but that's a
different matter.
And I'm not claiming, btw, that this mechanism is better than the server
name extension. However, I don't believe its as broken as some are claiming.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
** ApacheCon - Dec 10-14th - San Diego - http://apachecon.com/ **
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
