browser vendors and CAs agreeing on high-assurance certificates

Ian G iang at systemics.com
Sat Dec 24 07:59:07 EST 2005


Ben Laurie wrote:
...
>>Hopefully over the next year, the webserver (Apache)
>>will be capable of doing the TLS extension for sharing
>>certs so then it will be reasonable to upgrade.
> 
> 
> In fact, I'm told (I'll dig up the reference) that there's an X509v3
> extension that allows you to specify alternate names in the certificate.
> I'm also told that pretty much every browser supports it.

The best info I know of on the subject is here:

http://wiki.cacert.org/wiki/VhostTaskForce

Philipp has a script which he claims automates
the best method(s) described within to create
the alt-names cert.

(The big problem of course is that you can use
one cert to describe many domains only if they
are the same administrative entity.)

What we really need is for the webservers to
implement the TLS extension which I think is
called "server name indication."

And we need SSL v2 to die so it doesn't interfere
with the above.

iang

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


