Re: RFC: Handling of certificates in Debian
On Mon, 02 Sep 2002, Stephen Frost wrote:
> * Henrique de Moraes Holschuh (email@example.com) wrote:
> > On Mon, 02 Sep 2002, Stephen Frost wrote:
> > > * Henrique de Moraes Holschuh (firstname.lastname@example.org) wrote:
> > > > On Sat, 31 Aug 2002, Brian May wrote:
> > > > > (note that I really like this realiance on checking the hostname, for
> > > > > instance it doesn't work properly with virtual name domains under https,
> > > > > but it somehow seems to have become the defacto default, and we seem to
> > > > > be stuck with it for now).
> > > >
> > > > It can, if the !@#$@#$ browsers implement the altName extension.
> > >
> > > Uh, except that on the server side if you're going to have different
> > > certs for different virtual servers then unless they each have their own
> > > IP there's no way for apache to know which cert to use because the SSL
> > > connection and whatnot is set up prior to the HTTP headers being sent.
> > > That's my understanding anyway.
> > That is why you have more than one name in the cert.
> I would think most places want their own cert and not to share with
> other, probably totally unrelated, people.
For that, you need a specification that allows you to send a number of certs
(instead of only one) and let the browser select the one that matches the
domain it wants, and verify that single one.
I am not sure the current specs allow for that. But one that does is
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot