From: Clemens Renner
Date: Tue, 16 May 2006 02:14:58 +0200
To: James O'Gorman
Cc: FreeBSD Security List
Subject: Re: Slightly OT: SSL certs - best practice?
Message-ID: <44691982.3070400@rinux.net>
In-Reply-To: <4469064F.50102@netinertia.co.uk>

Hi James,

I would advise against using wildcard certificates. There certainly are situations where this might be adequate, but I'm in favor of a single server certificate for each service that uses a different (virtual) host. Thus, I have created several certificates for Apache SSL hosts plus certificates for mail serving, etc.

One point might be: if someone manages to set up a host in the namespace of the wildcard certificate and presents the cert once the host is accessed, it looks like you have accredited that specific host, since you probably signed that wildcard cert.

Whether you use single certs for pop.netinertia.co.uk, imap.netinertia.co.uk etc. or one generic name for all services related to your mail -- that's a matter of taste, I guess. In any case, I wouldn't stick with wildcards.

> PS - Once I've worked out how exactly I'm supposed to be doing this,
> I'll probably get some "officially" signed certs. I hear CACert are a
> good, free way of doing this. Anyone got any comments on that?

The problem with self-signed certs is just that they usually aren't trustworthy, as you may have noticed. I'd say the same thing applies to certificates signed by a CA that does not do a "real" verification of the requesting person, by which I mean that you probably don't need to go somewhere and show some official ID to prove that you are in fact you.

The problem with fraud is misplaced trust. And people (read: those who decide which CA certs to include in a product by default) tend to put stronger trust in something that requires money for someone to vouch for you.

On the other hand, I haven't had any bad experience with the following approach: I created my own CA and have used it to sign my certs. I've instructed all of my users how to import and trust that CA cert, and we're done. You only need to do this once to get any cert signed by that CA accepted from that point on.

Clemens
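The two practices described in the message above, one certificate per host instead of a wildcard, and a private CA whose certificate users import and trust, can be checked mechanically. The following Go program is an added example, not code from the original message or from the FreeBSD list; it uses only the standard library's crypto/x509 package, creates the CA and both server certificates in memory, and the example.net hostnames are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Validity window shared by the CA and the certificates it issues.
var (
	notBefore = time.Now().Add(-time.Hour)
	notAfter  = time.Now().Add(365 * 24 * time.Hour)
)

// newCA builds a self-signed CA certificate and key in memory; it stands in
// for the private CA described in the message (constructed, nothing on disk).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Private CA"}, // constructed
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueServerCert has the CA sign a TLS server certificate whose subject
// alternative names are exactly dnsNames (a single host or a wildcard).
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, dnsNames ...string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames,
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// acceptedFor reports whether a client trusting only the CAs in roots would
// accept cert for a connection to host (chain building plus hostname check).
func acceptedFor(cert *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// Outcome records which certificate / trust store / hostname combinations
// a client accepts.
type Outcome struct {
	PerHostForImap   bool // imap.example.net cert, connecting to imap.example.net
	PerHostForOther  bool // imap.example.net cert, connecting to another host in the domain
	WildcardForImap  bool // *.example.net cert, connecting to imap.example.net
	WildcardForOther bool // *.example.net cert, connecting to another host in the domain
	WithoutTrustedCA bool // per-host cert, client never imported the CA cert
}

// Run issues both kinds of certificate from the same private CA and checks
// how far each one's validity reaches. All hostnames are constructed.
func Run() (Outcome, error) {
	ca, caKey, err := newCA()
	if err != nil {
		return Outcome{}, err
	}
	perHost, err := issueServerCert(ca, caKey, 2, "imap.example.net")
	if err != nil {
		return Outcome{}, err
	}
	wildcard, err := issueServerCert(ca, caKey, 3, "*.example.net")
	if err != nil {
		return Outcome{}, err
	}
	trusted := x509.NewCertPool() // a client that imported the CA cert
	trusted.AddCert(ca)
	untrusted := x509.NewCertPool() // a client that did not

	return Outcome{
		PerHostForImap:   acceptedFor(perHost, trusted, "imap.example.net"),
		PerHostForOther:  acceptedFor(perHost, trusted, "anyhost.example.net"),
		WildcardForImap:  acceptedFor(wildcard, trusted, "imap.example.net"),
		WildcardForOther: acceptedFor(wildcard, trusted, "anyhost.example.net"),
		WithoutTrustedCA: acceptedFor(perHost, untrusted, "imap.example.net"),
	}, nil
}

func main() {
	o, err := Run()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

Run reports that the per-host certificate is accepted only for imap.example.net, while the wildcard certificate is accepted for any name directly under example.net, which is the "accrediting" effect the message warns about; it also shows that neither certificate is accepted by a client that has not imported the CA certificate, which is the one-time import step the private-CA approach relies on.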