On 30 Mar 2010, at 17:18, Jon Warbrick wrote:
> In the case of a single machine (or small group of machines) hosting multiple vhosts I'm not convinced that a single certificate is actually worse than multiple ones - in most situations (Apache on Linux, say) if one key on such a machine is compromised then you should probably consider them all to be compromised.
Entirely agree, if a machine has been owned then all private keys on it should be considered compromised. But, a private key being compromised does not necessarily imply the machine has been owned - there are other ways that can happen...
> There are _lots_ of problems if a single key/certificate is used on lots of machines, perhaps under multiple managements. So don't do that.
Absolutely!
R.
--
----------------------------------------------------------------------
Dr Rhys Smith e: [log in to unmask]
Engineering Consultant: Identity & Access Management (GPG:0xDE2F024C)
Information Services,
Cardiff University, t: +44 (0) 29 2087 0126
39-41 Park Place, Cardiff, f: +44 (0) 29 2087 4285
CF10 3BB, United Kingdom. m: +44 (0) 7968 087 821
----------------------------------------------------------------------