SSL CA signed certficates
- From: "ttm" <ttm@xxxxxxxxx>
- Date: 11 Sep 2006 05:30:50 -0700
Hi,
My first post to this group, pls bear with me. I'm working with Java
and various network services, some of which are secured with SSL, both
with self-signed and CA signed certificates.
It surprises me that SSL certificates signed by CAs are (fully
qualified) hostname based and not wildcard based, i.e. when I request a
signed certficate I have to state the full name. If I need to secure
another host, I have to generate a new request and have that hostname
signed for as well. This can't be other than a commercially driven
procedure. Surely, if Verisign authenticates company ACNE Inc. and sign
a certificate for foo.acne.com, then what it really /could/ do is sign
*.acne.com and this certificate should be accepted by all clients that
trust Verisign. I guess all SSL APIs are programmed to perform a pure
equality check between DNS name and the certificate's common name, but
what it /should/ do is compare the top-domain/sub-domain (acne.com)
part of the domain name and compare it to the certificate's common name
(which should be acne.com and not having to be foo.acne.com,
bar.acne.com etc).
Why isn't it so? Is it purely commercial, or does it provide any
stronger security this hostname driven signing model?
Any input would be much appreciated.
--
Thomas
.
- Follow-Ups:
- Re: SSL CA signed certficates
- From: Juha Laiho
- Re: SSL CA signed certficates
- Prev by Date: Re: VLAN on Cisco Catalyst
- Next by Date: Re: Backup secure enough?
- Previous by thread: VLAN on Cisco Catalyst
- Next by thread: Re: SSL CA signed certficates
- Index(es):
Relevant Pages
|
