Ian G wrote:
> Ben Laurie wrote:
> ...
>>> Hopefully over the next year, the webserver (Apache)
>>> will be capable of doing the TLS extension for sharing
>>> certs so then it will be reasonable to upgrade.
>> In fact, I'm told (I'll dig up the reference) that there's an X509v3
>> extension that allows you to specify alternate names in the certificate.
>> I'm also told that pretty much every browser supports it.
> The best info I know of on the subject is here:
> http://wiki.cacert.org/wiki/VhostTaskForce
> Philipp has a script which he claims automates
> the best method(s) described within to create
> the alt-names cert.
> (The big problem of course is that you can use
> one cert to describe many domains only if they
> are the same administrative entity.)

If they share an IP address (which they must, otherwise there's no
problem), then they must share a webserver, which means they can share a
cert, surely?

> What we really need is for the webservers to
> implement the TLS extension which I think is
> called "server name indication."
> And we need SSL v2 to die so it doesn't interfere
> with the above.

Actually, you just disable it in the server. I don't see why we need
anything more than that.



http://www.apache-ssl.org/ben.html       http://www.thebunker.net/
**  ApacheCon - Dec 10-14th - San Diego - http://apachecon.com/ **
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
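The setup the thread is circling around, written out as an added example (not a configuration from the thread, from Ben, or from Apache's own documentation): one IP address, several name-based TLS virtual hosts selected by the server_name (SNI) extension, one shared certificate whose subjectAltName lists every hostname, and SSLv2 switched off in the server as Ben suggests. It assumes Apache httpd 2.4 with mod_ssl and an SNI-capable OpenSSL; the hostnames, address and file paths are placeholders.

```apache
# Added example, not from the thread. Assumed: Apache 2.4 + mod_ssl,
# hostnames www.example.org / www.example.net, IP 192.0.2.10.

Listen 443

# Weak setting: SSLv2 left enabled. An SSLv2 ClientHello carries no
# extensions, so it can never carry server_name; a client that opens
# with SSLv2 gets whatever the first vhost's certificate is.
#SSLProtocol all

# Corrected: drop SSLv2 (and SSLv3, which has no reason to live either).
SSLProtocol all -SSLv2 -SSLv3

# Refuse clients that send no server_name instead of silently handing
# them the default vhost.
SSLStrictSNIVHostCheck on

# One certificate serves both names. Its subjectAltName extension was
# requested with an openssl req config section containing:
#   subjectAltName = DNS:www.example.org, DNS:www.example.net
# Both vhosts therefore point at the same key and certificate files.
<VirtualHost 192.0.2.10:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/shared-san.pem
    SSLCertificateKeyFile /etc/ssl/private/shared-san.key
    DocumentRoot /srv/www/example.org
</VirtualHost>

<VirtualHost 192.0.2.10:443>
    ServerName www.example.net
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/shared-san.pem
    SSLCertificateKeyFile /etc/ssl/private/shared-san.key
    DocumentRoot /srv/www/example.net
</VirtualHost>
```

After `apachectl configtest`, check each name separately with `openssl s_client -connect 192.0.2.10:443 -servername www.example.net` and confirm that the certificate printed carries both names in its subjectAltName; a client that omits `-servername` should be refused rather than served www.example.org's content under the wrong name.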
