browser vendors and CAs agreeing on high-assurance certificat es

Steven M. Bellovin smb at
Fri Jan 6 11:05:00 EST 2006

In message <43BE8ADC.6010409 at>, Ben Laurie writes:
>Bill Frantz wrote:
>> On 12/24/05, ben at (Ben Laurie) wrote:
>>> I don't see why not - the technical details actually matter. Since the
>>> servers will all share a socket, on any normal architecture, they'll all
>>> have access to everyone's private keys. So, what is gained by having
>>> separate certs?
>> I responded in private email:
>>> With a POLA architecture, perhaps on a capability OS (dream, dream),
>>> they might not share access to the private keys.  However, given current
>>> software, I grant your point.
>> Ben responded that I should post my comments to the list.
>> There are two scenarios I see as being viable for separating the private
>> keys with a security barrier.  One is the single machine case alluded to
>> above.  Here the private keys would be in separate security domains, and
>> the common part of the web server, which listens on the socket, would
>> read the initial data on the TCP connection, select the correct security
>> domain, and "pass" the connection to that domain. While the common part
>> could continue to examine all the data, those data would be encrypted,
>> so the it would have the same access as any other untrusted node in the
>> path.
>> The other scenario involves a network switch which performs the function
>> of the common code of the web server.  It uses network address
>> translation to forward the connection's packets to the back-end computer
>> with the correct private key.  Here the keys are protected by being kept
>> on separate computers.
>This would defeat the reason people share IP addresses, which is so they
>can share a single machine to reduce costs. Of course, a capability OS
>would permit this whilst separating keys, as you said.
It doesn't have to be a capability-based OS; one could easily envision 
a (ahem) alternate browser strategy accomplish it.  Consider, to pick a 
non-random example, Apache.  Apache 2.0.x (and I think 1.y, but I don't 
run it so I can't be sure) forks several child processes to actually 
serve the pages.  What if the <VirtualHost> directives contained an 
optional User directive that specified the uid each virtual host should 
run as?  You could have different processes for different virtual hosts.

Yes, that would require more bookkeeping on the part of Apache; it 
would also require more (perhaps many more) processes running 
simultaneously.  Both of those are much smaller changes than a 
capability-based OS.  (Hmm -- who was it who noted that capability-
based systems were the wave of the future, and always would be?)

A final note -- multiple IP addresses is not the same as multiple 
machines.  Lots of hosting companies dedicate an IP address to each 
customer, but put them all on a single machine.

		--Steven M. Bellovin,

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list