On 04/03/2013 07:26 AM, Ewoud Kohl van Wijngaarden wrote:
> I think foreman and smartproxy will use the puppet certificate
> infrastructure (as is default in the foreman installer), so that leaves
> us with a few others.
>
> Pro for a wildcard is that it's easy. You can secure lots of services
> with just one certificate. Con is that if one service is compromised and
> the private key leaks, you need to replace the certificate on all
> services.
>
> Given we want to set up everything and still starting up I'm favoring
> ease thus a wildcard.

+1

- Karsten

> Regarding security I hope that we eventually can use DNSSEC + DANE so we
> can use self-signed certificates (so without a CA), but also without the
> downsides of nobody trusting it. That will require RH IT to support
> DNSSEC and much wider adoption of DNSSEC and DANE but I strongly believe
> this will be the future of SSL certificates. See
> http://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities
>
> On Wed, Mar 27, 2013 at 03:55:48PM +0000, Karsten 'quaid' Wade wrote:
>> On 03/27/2013 03:46 PM, Alexander Rydekull wrote:
>>> I vote wildcard if we're just gonna use it to protect our web.
>>
>> I admit to being a bit stupid here as to the differences.
>>
>> My contact at Red Hat IT (who will get for us what we need) indicated
>> one-per-subdomain is considered more secure, but didn't have a problem
>> ordering a wildcard for us.
>>
>> - Karsten
>>
>>> On Wed, Mar 27, 2013 at 4:43 PM, Karsten 'quaid' Wade
>>> <[email protected]>wrote:
>>>
>>>> On 03/27/2013 02:44 PM, Mike Burns wrote:
>>>>> On 03/27/2013 12:34 PM, Karsten 'quaid' Wade wrote:
>>>>>> We can get an SSL cert for each subdomain, or we can get a wildcard
>>>>>> cert. My understanding is that it is more secure to use
>>>>>> one-per-subdomain.
>>>>>>
>>>>>> Presuming we want the one-per model, what are the subdomains we need to
>>>>>> get a cert for?
>>>>>>
>>>>>> gerrit.ovirt.org
>>>>>> jenkins.ovirt.org
>>>>>> resources.ovirt.org
>>>>>> foreman.ovirt.org
>>>>>> smartproxy.ovirt.org
>>>>>> lists.ovirt.org
>>>>>>
>>>>>
>>>>> etherpad?
>>>>> what about base ovirt.org (the wiki)?
>>>>
>>>> +1 to both (www, etherpad).
>>>>
>>>> Basically, anything that has a login over HTTP.
> _______________________________________________
> Infra mailing list
> [email protected]
> http://lists.ovirt.org/mailman/listinfo/infra
>

-- 
Karsten 'quaid' Wade, Sr. Analyst - Community Growth
http://TheOpenSourceWay.org .^\
http://community.redhat.com @quaid (identi.ca/twitter/IRC) \v'
gpg: AD0E0C41
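The trade-off the thread is weighing (one wildcard key shared by every service versus one key per host, and what a wildcard actually covers) can be checked mechanically. The script below is an added illustration, not code from the thread or from the oVirt infra project. It implements the RFC 6125 wildcard-matching rule (`*` stands for exactly one left-most label, so `*.ovirt.org` covers `gerrit.ovirt.org` but not the bare `ovirt.org` that Mike raised, nor any two-level name), and then computes the "blast radius" of a leaked private key under each plan: the set of services that present the same certificate and so must be re-issued together. The service list is taken from the thread; the `www` and `etherpad` hostnames and the two plans are constructed assumptions for the example.

```python
"""Wildcard vs. per-host certificate planning (added example, not from the thread).

Checks which hostnames a set of certificates covers under RFC 6125 matching
rules, and how many services share one private key, i.e. how many must be
re-issued if that key leaks.
"""
from __future__ import annotations

from dataclasses import dataclass

# Service inventory as discussed on the list. The exact www/etherpad hostnames
# are assumptions for this example.
SERVICES = [
    "ovirt.org",            # base domain (the wiki)
    "www.ovirt.org",        # assumed hostname
    "gerrit.ovirt.org",
    "jenkins.ovirt.org",
    "resources.ovirt.org",
    "foreman.ovirt.org",
    "smartproxy.ovirt.org",
    "lists.ovirt.org",
    "etherpad.ovirt.org",   # assumed hostname
]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one SAN dNSName against a hostname.

    A wildcard is only honoured when it is the entire left-most label, and it
    matches exactly one label: '*.ovirt.org' matches 'gerrit.ovirt.org' but
    neither 'ovirt.org' (too few labels) nor 'a.b.ovirt.org' (too many).
    Partial wildcards such as 'ger*.ovirt.org' are rejected outright.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False  # refuse '*.org'-style wildcards spanning a public suffix
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


@dataclass
class Cert:
    """One issued certificate; all SANs on it share a single private key."""
    name: str
    sans: list[str]


def covering_cert(certs: list[Cert], hostname: str) -> Cert | None:
    """First certificate whose SAN list covers hostname, or None."""
    for cert in certs:
        if any(dns_name_matches(san, hostname) for san in cert.sans):
            return cert
    return None


def uncovered(certs: list[Cert], services: list[str]) -> list[str]:
    """Services that none of the certificates is valid for."""
    return [svc for svc in services if covering_cert(certs, svc) is None]


def blast_radius(certs: list[Cert], services: list[str], compromised: str) -> list[str]:
    """Services that must be re-issued if the key behind `compromised` leaks:
    every service presenting the same certificate object, hence the same key."""
    leaked = covering_cert(certs, compromised)
    if leaked is None:
        return []
    return [svc for svc in services if covering_cert(certs, svc) is leaked]


# Two candidate plans (assumed for the example).
WILDCARD_ONLY = [Cert("wildcard", ["*.ovirt.org"])]            # forgets the apex
WILDCARD_PLAN = [Cert("wildcard", ["*.ovirt.org", "ovirt.org"])]
PER_HOST_PLAN = [Cert(host, [host]) for host in SERVICES]


if __name__ == "__main__":
    print("uncovered by bare wildcard:", uncovered(WILDCARD_ONLY, SERVICES))
    for label, plan in (("wildcard", WILDCARD_PLAN), ("per-host", PER_HOST_PLAN)):
        hit = blast_radius(plan, SERVICES, "gerrit.ovirt.org")
        print(f"{label}: gerrit key leak forces re-issue of {len(hit)} service(s)")
```

Run as a script it reports that a bare `*.ovirt.org` certificate leaves `ovirt.org` itself uncovered (the apex needs its own SAN or its own certificate), and that a key leak on gerrit forces re-issuing all nine services under the wildcard plan versus one under the per-host plan, which is exactly the ease-versus-containment trade-off Ewoud describes.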
