Subject: A better approach to security
- From: Philipp Gühring <pg AT futureware.at>
- To: A better approach to security <cacert AT lists.cacert.org>
- Subject: [CA cert] Fwd: Re: RFC 2818 Question
- Date: Mon, 30 Aug 2004 10:09:40 +0200
Hi,
Does CAcert handle several Names in one certificate correctly?
---------- Forwarded Message ----------
Subject: Re: RFC 2818 Question
Date: Monday, 30 August 2004 03:31
From: Eric Rescorla <ekr AT rtfm.com>
To: pg AT futureware.at
Philipp Gühring <pg AT futureware.at> wrote:
> Hi Eric,
>
> I would like to know your position regarding Multiple SSL/TLS Vhosts on the
> same machine with the same IP Address. (Name-based).
>
> In RFC 2818 you have written:
>
> Matching is performed using the matching rules specified by
> [RFC2459]. If more than one identity of a given type is present in
> the certificate (e.g., more than one dNSName name, a match in any one
> of the set is considered acceptable.) Names may contain the wildcard
> character * which is considered to match any single domain name
> component or component fragment. E.g., *.a.com matches foo.a.com but
> not bar.foo.a.com. f*.com matches foo.com but not bar.com.
>
> I would interpret it as if the solution for the problem is to have several
> identities (dNSName lines) in one certificate for the different DNS Names,
> and that the Browser has to accept any of them:
>
> dNSName: www.customer1.at
> dNSName: www.customer2.com
> dNSName: www.customer3.de
>
> Is that a correct interpretation?
That's certainly one possibility, and it's the only one that will
work with Name Based Virtual Hosts without the domain name extension
(not yet widely deployed)
> Do you consider several Vhosts on the same machine is bad?
No.
> Do you demand that someone should better use different IP addresses,
> and have IP-based Vhosts instead?
Well, it's the only alternative if you can't get a cert with all the
names in it--and I hear rumors that that does not necessarily work
100% of the time...
-Ekr
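The matching rules quoted from RFC 2818 above, as an added example that is not part of the original thread: a small Python checker that accepts a match against any of several dNSName entries and treats `*` as matching a single label or label fragment, never crossing a dot. The SAN list and the hostnames are constructed from the names in the thread and the RFC text.

```python
import re


def label_matches(pattern_label: str, host_label: str) -> bool:
    """Match one DNS label against a pattern label that may contain '*'.

    RFC 2818: '*' matches any single component or component fragment,
    so 'f*' matches 'foo' and '*' matches 'foo', but neither spans a dot.
    """
    parts = [re.escape(p) for p in pattern_label.lower().split("*")]
    regex = "^" + "[^.]*".join(parts) + "$"
    return re.match(regex, host_label.lower()) is not None


def dnsname_matches(dnsname: str, hostname: str) -> bool:
    """Compare a whole presented dNSName with the hostname, label by label."""
    p_labels = dnsname.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard covers exactly one label, so the label counts must agree:
    # *.a.com matches foo.a.com but not bar.foo.a.com.
    if len(p_labels) != len(h_labels):
        return False
    return all(label_matches(p, h) for p, h in zip(p_labels, h_labels))


def host_matches_cert(hostname: str, dnsnames) -> bool:
    """RFC 2818: with several dNSName identities in one certificate,
    a match against any one of them is acceptable."""
    return any(dnsname_matches(d, hostname) for d in dnsnames)


# Constructed SAN list for one name-based virtual host, as in the thread.
CUSTOMER_SANS = ["www.customer1.at", "www.customer2.com", "www.customer3.de"]

if __name__ == "__main__":
    for host in ["www.customer2.com", "www.customer4.org"]:
        print(host, "->", host_matches_cert(host, CUSTOMER_SANS))
    for pattern, host in [("*.a.com", "foo.a.com"), ("*.a.com", "bar.foo.a.com"),
                          ("f*.com", "foo.com"), ("f*.com", "bar.com")]:
        print(pattern, "vs", host, "->", dnsname_matches(pattern, host))
```

Later guidance (RFC 6125) and current browsers are stricter than this text, in particular about wildcards outside the leftmost label, so treat the checker as an illustration of the 2818 rules rather than a drop-in validator.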