On 11/30/11 21:11, Adam Back wrote:
> It's rather common for people with load balancers and lots of servers serving
> the same domain to have multiple certs.
I did a survey of how common those load-balancing 'CDN services' are ('CDN service'
defined as 'hostname that sent cert A, then B, then A again'). See
https://mail1.eff.org/pipermail/observatory/2011-November/000484.html
> I installed cert patrol and the popups about this are frequent. Any
> solution that hopes for easy interim deployment needs to work with this.
Yes. Generally the result from the above survey is that certpatrol's popup saying
'CA changed' is rather rare, and serves as a good indicator when the user should be
aware that something may be amiss (i.e. low false-positive rate).
There's also a bunch of services (server clouds) that issue new certs every 2-3
days. I'll try to post results in a day.
Ondrej
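
Added example, not part of the original message and not the survey's or Certificate Patrol's own code: a small classifier that applies the 'A, then B, then A again' definition above to per-hostname certificate sightings and separates that rotation from an issuer change. The hostnames, fingerprints, CA names and category labels are constructed for illustration.

```python
from collections import defaultdict

# Constructed observations in time order: (hostname, cert fingerprint, issuing CA).
OBSERVATIONS = [
    ("cdn.example", "fp-A", "CA-One"),
    ("cdn.example", "fp-B", "CA-One"),
    ("cdn.example", "fp-A", "CA-One"),
    ("shop.example", "fp-C", "CA-One"),
    ("shop.example", "fp-D", "CA-Two"),
    ("blog.example", "fp-E", "CA-Two"),
    ("blog.example", "fp-F", "CA-Two"),
]

def group_by_host(observations):
    """Return {hostname: [(fingerprint, issuer), ...]} preserving order."""
    hosts = defaultdict(list)
    for host, fingerprint, issuer in observations:
        hosts[host].append((fingerprint, issuer))
    return hosts

def is_cdn_like(seq):
    """True if a cert was seen, then a different one, then the first again."""
    # Collapse runs of the same cert; a repeat in what remains means A..B..A.
    collapsed = [fp for i, (fp, _) in enumerate(seq)
                 if i == 0 or seq[i - 1][0] != fp]
    return len(collapsed) != len(set(collapsed))

def classify(seq):
    """Label one hostname's sightings (labels are hypothetical)."""
    issuers = {issuer for _, issuer in seq}
    fingerprints = {fp for fp, _ in seq}
    if len(issuers) > 1:
        return "ca-changed"        # the rare case worth a user-facing warning
    if is_cdn_like(seq):
        return "cdn-rotation"      # several certs served for the same name
    if len(fingerprints) > 1:
        return "same-ca-change"    # new cert, same issuer (e.g. reissue)
    return "stable"

if __name__ == "__main__":
    for host, seq in group_by_host(OBSERVATIONS).items():
        print(host, classify(seq))
```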