browser vendors and CAs agreeing on high-assurance certificates

Ben Laurie ben at algroup.co.uk
Sat Dec 24 10:08:46 EST 2005


Ian G wrote:
> Ben Laurie wrote:
> ...
>>> Hopefully over the next year, the webserver (Apache)
>>> will be capable of doing the TLS extension for sharing
>>> certs so then it will be reasonable to upgrade.
>>
>>
>> In fact, I'm told (I'll dig up the reference) that there's an X509v3
>> extension that allows you to specify alternate names in the certificate.
>> I'm also told that pretty much every browser supports it.
> 
> The best info I know of on the subject is here:
> 
> http://wiki.cacert.org/wiki/VhostTaskForce
> 
> Philipp has a script which he claims automates
> the best method(s) described within to create
> the alt-names cert.
> 
> (The big problem of course is that you can use
> one cert to describe many domains only if they
> are the same administrative entity.)

If they share an IP address (which they must, otherwise there's no
problem), then they must share a webserver, which means they can share a
cert, surely?

> What we really need is for the webservers to
> implement the TLS extension which I think is
> called "server name indication."
> 
> And we need SSL v2 to die so it doesn't interfere
> with the above.

Actually, you just disable it in the server. I don't see why we need
anything more than that.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/
**  ApacheCon - Dec 10-14th - San Diego - http://apachecon.com/ **
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
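The X509v3 extension Ben refers to is subjectAltName. What makes a single certificate usable for several names is that the client checks the name it asked for against every dNSName and iPAddress entry in that extension, with wildcard rules that browsers apply fairly uniformly. The block below is an added example, not code from this thread, from Apache or from the CACert wiki: it implements those matching rules in stdlib Python over a constructed SAN list written in the text form openssl prints. The hostnames and address in it are placeholders.

```python
"""Hostname matching against a certificate's subjectAltName (SAN) entries.

Implements the dNSName matching rules browsers apply (RFC 6125 style):
case-insensitive comparison, a wildcard accepted only as the whole leftmost
label, matching exactly one label, and never matching the bare domain
itself. iPAddress entries must match exactly. The SAN text used in the demo
is constructed for illustration; names and address are placeholders.
"""
import ipaddress


def _dns_name_matches(pattern, hostname):
    """Return True if a dNSName SAN entry (possibly a wildcard) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire leftmost label and at least two more
    # labels must follow, so "*.com" or "w*.example.com" are rejected.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    # A wildcard stands in for exactly one label: "*.example.com" does not
    # cover "a.b.example.com" and does not cover "example.com" itself.
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def parse_san(san_text):
    """Parse the comma-separated form openssl prints for the extension, e.g.
    'DNS:example.com, DNS:*.example.com, IP Address:192.0.2.10'.
    Splitting on the first ':' only keeps IPv6 literals intact."""
    entries = []
    for item in san_text.split(","):
        item = item.strip()
        if not item:
            continue
        kind, _, value = item.partition(":")
        entries.append((kind.strip(), value.strip()))
    return entries


def hostname_matches_san(hostname, san_entries):
    """Decide whether a certificate carrying san_entries is valid for hostname.

    A hostname that parses as an IP address is compared only against
    iPAddress entries; anything else only against dNSName entries.
    """
    hostname = hostname.strip()
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    for kind, value in san_entries:
        if ip is not None:
            if kind == "IP Address":
                try:
                    if ipaddress.ip_address(value) == ip:
                        return True
                except ValueError:
                    continue
        elif kind == "DNS" and _dns_name_matches(value, hostname):
            return True
    return False


if __name__ == "__main__":
    # Constructed SAN list for a certificate shared by several vhosts.
    san = parse_san("DNS:example.com, DNS:*.example.com, IP Address:192.0.2.10")
    for name in ("www.example.com", "EXAMPLE.COM", "a.b.example.com",
                 "example.org", "192.0.2.10", "192.0.2.11"):
        print(f"{name:20} -> {hostname_matches_san(name, san)}")
```

The two rejections worth noticing are the multi-level name (`a.b.example.com` against `*.example.com`) and the bare domain against the wildcard; both are cases where an operator sharing one certificate across vhosts tends to assume coverage that the client will not grant.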