From owner-freebsd-security@FreeBSD.ORG Tue May 16 08:55:02 2006
From: Ian G
Organization: http://iang.org/
Date: Tue, 16 May 2006 10:51:51 +0200
To: Clemens Renner, James O'Gorman
Cc: FreeBSD Security List
Subject: Re: Slightly OT: SSL certs - best practice?
Message-ID: <446992A7.6010807@iang.org>
In-Reply-To: <44691982.3070400@rinux.net>
References: <4469064F.50102@netinertia.co.uk> <44691982.3070400@rinux.net>

Hi all,

Clemens Renner wrote:
> Hi James,
>
> I would advise against using wildcard certificates. There certainly are
> situations where this might be adequate but I'm in favor of a single
> server certificate for each service that uses a different (virtual)
> host. Thus, I have created several certificates for Apache SSL hosts
> plus certificates for mail serving, etc.

An alternative to wildcard certificates is the SAN or SubjectAltName method documented here:

http://wiki.cacert.org/wiki/VhostTaskForce

It seems to work, I've used it (note that the primary CN should be duplicated in the SAN list).

>> PS - Once I've worked out how exactly I'm supposed to be doing this,
>> I'll probably get some "officially" signed certs. I hear CACert are a
>> good, free way of doing this. Anyone got any comments on that?

...

> I'd say the same thing applies to
> certificates signed by a CA that does not do a "real" verification of
> the requesting person by which I mean that you probably don't need to go
> somewhere and show some official ID to prove that you are in fact you.

OK, just to clarify here - CAcert's system of verification includes (in general) checking of identity documents in a person-to-person process. Once people have been verified to their standard - they call it their assurance process - the assured user can issue certs with names in them, using a "class 3" root; before that, users can only issue unnamed certs using an anon "class 1" root. (Whether this works for you, all depends.)

iang

PS: I gather that the "class 3" and "class 1" convention comes from verisign.
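The three deployment styles discussed in this thread (one certificate per virtual host, one certificate carrying several hosts in subjectAltName, and a wildcard certificate) behave differently when a client matches the server name, and the note about duplicating the CN into the SAN list has a concrete reason: SAN-aware clients ignore the CN once any SAN entry exists. The following Python script is an added example written for this page, not code from the thread or from CAcert; it models certificates in the dict form that Python's `ssl.SSLSocket.getpeercert()` returns so the checks run offline on constructed data, and the OpenSSL `req` config it renders is a minimal constructed template (the `req_extensions` / `subjectAltName` keys are standard OpenSSL config syntax).

```python
"""Hostname matching against server certificates, SAN first (added example)."""


def san_dns_names(cert):
    """Return the DNS names listed in subjectAltName (empty if the extension is absent)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_name(cert):
    """Return the subject commonName, or None if there is none."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def _dns_name_matches(pattern, hostname):
    """Match one DNS identifier against a hostname, RFC 6125 style.

    A wildcard is honoured only as the entire left-most label, so
    '*.example.com' covers 'www.example.com' but neither 'example.com'
    nor 'a.b.example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def hostname_matches(cert, hostname):
    """True when cert is valid for hostname.

    Like modern clients: if subjectAltName is present it is authoritative and the
    CN is ignored; only a certificate with no SAN at all falls back to the CN.
    """
    names = san_dns_names(cert)
    if not names:
        cn = common_name(cert)
        names = [cn] if cn else []
    return any(_dns_name_matches(n, hostname) for n in names)


def cn_missing_from_san(cert):
    """True when a SAN list exists but does not repeat the CN.

    Such a certificate no longer matches its own CN in SAN-aware clients, which is
    the reason to duplicate the primary CN into the SAN list.
    """
    names = san_dns_names(cert)
    cn = common_name(cert)
    return bool(names) and cn is not None and cn.lower() not in (n.lower() for n in names)


def openssl_san_config(cn, extra_names):
    """Render a minimal OpenSSL req config listing every host in SAN, CN first (constructed template)."""
    all_names = [cn] + [n for n in extra_names if n != cn]
    san = ", ".join(f"DNS:{n}" for n in all_names)
    return "\n".join([
        "[req]", "distinguished_name = dn", "req_extensions = v3_req", "prompt = no", "",
        "[dn]", f"CN = {cn}", "",
        "[v3_req]", f"subjectAltName = {san}", "",
    ])


# Constructed sample certificates, one per deployment style from the thread.
PER_HOST_CERT = {  # one cert per virtual host, no SAN: CN fallback applies
    "subject": ((("commonName", "mail.example.com"),),),
}
SAN_CERT = {  # one cert for several hosts, CN duplicated into SAN
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "mail.example.com")),
}
SAN_CERT_BAD = {  # SAN present but CN not repeated: the CN host no longer matches
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"),),
}
WILDCARD_CERT = {  # a single key shared by every host directly under the domain
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}

if __name__ == "__main__":
    hosts = ["www.example.com", "mail.example.com", "example.com", "a.b.example.com"]
    for label, cert in [("per-host", PER_HOST_CERT), ("san", SAN_CERT),
                        ("san-bad", SAN_CERT_BAD), ("wildcard", WILDCARD_CERT)]:
        for host in hosts:
            print(f"{label:9} {host:18} {hostname_matches(cert, host)}")
        if cn_missing_from_san(cert):
            print(f"{label:9} WARNING: CN is not repeated in the SAN list")
    print(openssl_san_config("www.example.com", ["mail.example.com", "imap.example.com"]))
```

Running it shows the trade-off behind the thread's advice: the per-host and SAN certificates only match the names they explicitly carry, the SAN certificate without its CN repeated silently stops matching `www.example.com`, and the wildcard matches any single-label host under the domain with one shared key, which is the exposure Clemens argues against.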