Ben Laurie wrote:
Ian G wrote:

(The big problem of course is that you can use
one cert to describe many domains only if they
are the same administrative entity.)

If they share an IP address (which they must, otherwise there's no
problem), then they must share a webserver, which means they can share a
cert, surely?

Certainly they *can* share a cert.  But a cert
speaks to identity - at the human level the cert
is supposed to (by some readings) indicate who
the site is purporting to be and in some scenarios,
there are people who think the cert actually
proves that the site is who it claims to be.

So regardless of the technical details of the
underlying software (complex, I grant), websites
SHOULD NOT share a cert.

(by capitals I mean the RFC sense, not the shouting

What we really need is for the webservers to
implement the TLS extension which I think is
called "server name indication."

And we need SSL v2 to die so it doesn't interfere
with the above.

Actually, you just disable it in the server. I don't see why we need
anything more than that.

If browsers don't know what is available on the
server, they send a Hello message that asks for
what protocol versions and ciphersuites to use.
This is the SSL v2 message, just in case.... so
to rectify this situation we need to get all
the browsers distro'd with SSL v2 turned off by
default.  The shorthand for this is "SSL v2 must
die..."  Thankfully, they did decide to do just
that at last month's browser pow-wow.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to