re: [cobalt-developers] SSL Sharing
- Subject: re: [cobalt-developers] SSL Sharing
- From: Mark Crispin <MRC@xxxxxxxxx>
- Date: Sun Apr 16 15:22:11 2000
On Sun, 16 Apr 2000 15:21:11 -0400, hostmaster@xxxxxxxxxxxxxxxxx wrote:
> Does anyone know how to share a single SSL certificate among the domains
> hosted on a RAQ3i?

The short answer is that you can't. Each domain must have its own
certificate. If you're offering secure webhosting, this is a charge that
you'll probably want to pass on to your customer.

The reason for this restriction -- an SSL restriction not a Cobalt one -- is
that otherwise, a bad guy could set up a fake microsoft.com offering the
certificate for his legitimate blurdybloop.com.

Actually, it's worse. Microsoft requires that each logical host must have its
own certificate. In other words, if you have foo.blurdybloop.com and
bar.blurdybloop.com, they must each have their own certificate.

You can buy a wildcard (*.blurdybloop.com) certificate from Thawte, but
Microsoft won't accept these as valid because it means that an insider can set
up an unauthorized server that way. We're working on convincing Microsoft
that wildcard certificates should be accepted in spite of this; that the need
for wildcard certificates (University of Washington has 80,000 virtual
subdomains for its IMAP service!) outweighs the modest risk. However, the
hotfix and/or service pack for this hasn't come out yet.
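
The name check described in the message above, as an added example that is not part of the original post: it audits which virtual hosts a client would accept a given certificate for. It assumes a client that does honor wildcard names, with "*" allowed only as the whole left-most label and standing for exactly one label; the function names and the sample host list are constructed for illustration.

```python
# Added illustration: client-side hostname check against certificate names.
# Assumed wildcard rule: "*" is valid only as the entire left-most label and
# stands for exactly one label (the common rule, as in RFC 6125).

def _labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def name_matches(pattern, hostname):
    """Return True if one certificate name (exact or wildcard) covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False  # different depth, or an empty label: never a match
    if p[0] == "*":
        # Conservative choice: require two fixed labels so "*.com" never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in pattern:
        return False  # partial or non-left-most wildcards are rejected
    return p == h

def cert_covers(cert_names, hostname):
    """True if any name in the certificate covers the requested hostname."""
    return any(name_matches(n, hostname) for n in cert_names)

def audit_vhosts(cert_names, vhosts):
    """Map each virtual host to whether a client would accept this cert for it."""
    return {v: cert_covers(cert_names, v) for v in vhosts}

# Constructed sample data using the names from the message above.
SINGLE = ["blurdybloop.com"]
WILDCARD = ["*.blurdybloop.com"]
VHOSTS = ["blurdybloop.com", "foo.blurdybloop.com", "bar.blurdybloop.com",
          "a.foo.blurdybloop.com", "microsoft.com"]

if __name__ == "__main__":
    for label, names in (("single", SINGLE), ("wildcard", WILDCARD)):
        for host, ok in audit_vhosts(names, VHOSTS).items():
            print(f"{label:8} {host:24} {'accept' if ok else 'MISMATCH'}")
```

Running the audit against a server's configured virtual hosts before enabling SSL shows which sites would trigger a name-mismatch warning if they shared the certificate.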