[Mageia-sysadm] SSL certificate

Michael Scherer misc at zarb.org
Wed Feb 9 16:58:35 CET 2011


On Wednesday, 09 February 2011 at 15:36 +0100, Romain d'Alverny wrote:
> On Wed, Feb 9, 2011 at 15:22, Michael Scherer <misc at zarb.org> wrote:
> > Another issue we had with rapidssl was for foo.barr.domain when the
> > certificate was *.domain. That's something we need to check and to test
> > for sure.
> 
> AFAIK, that is the case for all wildcards that only work on a single
> subdomain level, no?

Given the price of a wildcard cert, we didn't check other providers
when we faced the issue at my work. But that's something to look for
IMHO.

I.e., be sure to keep only single-level URLs.

> >> For other solutions, Cacert is not an option so far.
> >
> > Why ? Wobo and Pascal are both assurers, IIRC, as is rapsys.
> 
> For the single reason it is not recognized by Firefox:
>  * https://bugzilla.mozilla.org/show_bug.cgi?id=215243
>  * http://wiki.cacert.org/InclusionStatus
> 
> Or my understanding of the issue at stake is wrong?

I may be wrong, but can't we have more than one certificate, i.e., have
the website certified by Gandi and by CAcert?

I have asked for the details on some IRC channel, but it was not clear
what we can achieve in this regard.

This way, we have a certificate that works with CAcert, and we also
benefit from the reputation of using something less commercial (not that
I think Gandi does a bad job, and I do not say this because I know the
guy there, but the whole centralisation around X.509 is bad, so we should
try to find something better if this is not detrimental).

Another possible complementary approach would be to look at the
Monkeysphere project (http://web.monkeysphere.info/why/) (at least for
the OpenSSH part), but that's for sure not a solution to the problem of
regular people who are scared by the Firefox dialog.

-- 
Michael Scherer
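The wildcard behaviour discussed above (a `*.domain` certificate covering `foo.domain` but not `foo.bar.domain`) is the single-label rule that browsers and RFC 6125 apply. The following is an added example, not code from this thread or from the Mageia project: a small hostname matcher that implements that rule, so an admin can check in advance which hostnames a wildcard certificate will and will not cover before buying one. The domain `example.org` and the hostnames in the sample are constructed placeholders, not Mageia hosts.

```python
"""Hostname-vs-certificate-name matching with the single-label wildcard rule.

Added example (not from the mailing list thread). Implements the rule that
mainstream browsers and RFC 6125 apply: a wildcard in a certificate name
matches exactly one DNS label, so ``*.domain`` covers ``foo.domain`` but
not ``foo.bar.domain`` and not ``domain`` itself.
"""
from __future__ import annotations


def _dnsname_match(pattern: str, hostname: str) -> bool:
    """Return True if the certificate name `pattern` covers `hostname`.

    Rules applied:
      * comparison is case-insensitive and ignores a trailing dot;
      * a wildcard is honoured only as the entire left-most label
        (``*.example.org`` yes, ``f*o.example.org`` no);
      * the wildcard matches exactly one label, never zero and never several;
      * wildcards are refused when only one label follows them
        (``*.org`` would cover every .org site).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname

    pat_labels = pattern.split(".")
    host_labels = hostname.split(".")
    # Wildcard must be the whole left-most label, with at least two labels
    # after it, and no other label may contain a wildcard.
    if (pat_labels[0] != "*"
            or len(pat_labels) < 3
            or any("*" in label for label in pat_labels[1:])):
        return False
    # Exactly one label is consumed by the wildcard, so the label counts
    # must be equal; this is what rejects foo.bar.example.org.
    if len(host_labels) != len(pat_labels):
        return False
    # The label standing in for the wildcard must not be empty.
    if not host_labels[0]:
        return False
    return host_labels[1:] == pat_labels[1:]


def cert_covers_hostname(cert_names: list[str], hostname: str) -> bool:
    """True if any dNSName entry of the certificate covers `hostname`."""
    return any(_dnsname_match(name, hostname) for name in cert_names)


def explain_coverage(cert_names: list[str], hostnames: list[str]) -> dict[str, bool]:
    """Map each hostname to whether the certificate's names cover it."""
    return {host: cert_covers_hostname(cert_names, host) for host in hostnames}


if __name__ == "__main__":
    # Constructed sample: a wildcard certificate for *.example.org that also
    # lists the bare domain, checked against hostnames an admin might expect
    # it to cover. example.org is a placeholder, not a real deployment.
    wildcard_cert = ["*.example.org", "example.org"]
    candidates = [
        "www.example.org",        # covered by the wildcard
        "example.org",            # covered only because it is listed explicitly
        "foo.bar.example.org",    # NOT covered: two labels under the wildcard
        "WWW.EXAMPLE.ORG.",       # covered: case and trailing dot are ignored
    ]
    for host, ok in explain_coverage(wildcard_cert, candidates).items():
        print(f"{host:24} {'covered' if ok else 'NOT covered'}")
```

The practical consequence matches the advice in the message: with a single wildcard certificate, keep every public hostname exactly one label below the wildcard, or list the deeper names explicitly as additional dNSName entries.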


