I'm a big fan of Occam's Razor, to the point of boring my colleagues. To
manage multiple certs means that you have to ensure that all these
certificates are not about to expire. I logged onto Yahoo mail recently and
their security certificate had expired the previous day! You'll need to go
through a renewal procedure with every one. If you work for an organisation
that has to raise a cheque for each one, it is very time consuming. You have
to ensure that you leave enough time for the certificate to be renewed.
You'll also need to keep backups of each private key, protect them and
remember which key belongs to which server (which of course you can do with
sensible filenames). This IMHO is multiplying plurality without necessity.
However, there is a much bigger issue with the encryption level of older
browsers anyway. I now use 128bit encryption at home and at work with IE.
40bit encryption can be easily cracked. Allowing those users to connect via
SSL may lull them into a false sense of security.
Very soon, everyone will be using browsers that give 128bit security
(Netscape 4.72 onwards already does. IE can be easily upgraded). These same
browsers do not have an issue with wildcard certificates.
John
-----Original Message-----
From: James Treworgy [mailto:[EMAIL PROTECTED]]
Sent: 20 May 2000 00:09
To: [EMAIL PROTECTED]
Subject: RE: VeriSign keys.
On the other hand, if you have a need to authenticate many SSL sites within
your top level domain, it's probably because you need to distribute
load. How I would love to be in a position of needing to spend an extra
$100 for another cert because my primary server was maxed out.
Seems like not a lot of money to spend considering the reasons why you
probably need those extra certs... if even 1% of the potential customers
out there get a box popping up because of that wildcard cert I would want
nothing to do with it.
Jamie
At 10:45 AM 5/19/00 +0100, Airey, John wrote:
>Look at it this way, if you have more than 5 SSL sites, you would be best
>advised to use a wildcard. Unless of course you have money to burn and love
>to spend ages sorting out individual certificates and keys.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]