Hi Daniela,
The UK CA issues certificates only to a single DNS name, as you
suspected - at the moment. This is pretty much what most Grid CAs do,
except TCS now allows up to a hundred(!) DNS names... and there may be a
few other exceptions, Czech Republic maybe.
The Rules for certificate checking specify a scheme whereby a
certificate MAY be issued to multiple names provided all these names are
the same entity. So if you have a host called
wombat.imperial.ac.uk [CNAME]
aardvark.imperial.ac.uk
pit-of-despair.imperial.ac.uk
then it can have all these names in the certificate, and identify itself
with a single private key corresponding to this certificate.
It doesn't matter if these are straightforward aliases or if they
resolve to different IP addresses on the same physical (or virtual)
machine. All that matters is that the machine has a single private key,
and the certificate names the names of the machine. In this case, it is
even more meaningless to check the CN, and the Rules do not (IIRC)
specify what the CN should be.
Of course then these names are bound together (ie on the same host) for
the lifetime of the certificate... as otherwise they'd be different
entities sharing a private key, which'd be a no-no.
The UK e-Science CA doesn't support this scheme at the moment but there
is no reason we shouldn't. If people want it.
Cheers
--jens
On 21/01/2013 16:07, Daniela Bauer wrote:
> Hi Jens,
>
> In the examples given the machine had its various aliases in the
> SubjAltNames.
> I can't see how to request such a certificate from the UK CA.
>
> Cheers,
> Daniela
>
> On 21 January 2013 15:57, Jens Jensen <[log in to unmask]
> <mailto:[log in to unmask]>> wrote:
>
> ... this one:
> https://ggus.eu/tech/ticket_show.php?ticket=89105
>
> Despite being cc'ed on the ticket a week ago I haven't seen anything in
> my inbox till this morning when Jon Perkin submitted another response.
>
> Also, I can't edit it, but I have asked GGUS for permission.
>
> * The UK CA _does_ issue certificates with subjectAltNames. Hosts have
> DNS name in theirs, and people (and robots) have email addresses.
>
> * When a client connects to a host (server), it should (will) check its
> name for the server (ie the one it uses to open the connection) against
> the subject alt name in the certificate.
>
> Note there is no canonicalisation, so the name in the certificate and
> the hostname can happily be aliases. In fact there is no consulting DNS
> at all for the security check (unless the certificate is issued to an IP
> address, but no one in the grid world does that.)
>
> The CN is supposed to be consulted only if there is no S.A.N., and in
> the case of Globusy things it will consult it anyway to check the
> service name, if any - although I am not sure whether Globus is still
> using this. Globus also had a non-standard wildcard scheme based on
> hyphens.
>
> I seriously doubt anyone in the (grid) world issues host certs without
> DNS names in the S.A.N. We certainly don't. Hope that clears things up
> a bit!
>
> Thanks
> --jens
> --
> Scanned by iCritical.
>
> --
> Sent from the pit of despair
>
> -----------------------------------------------------------
> [log in to unmask] <mailto:[log in to unmask]>
> HEP Group/Physics Dep
> Imperial College
> Tel: +44-(0)20-75947810
> http://www.hep.ph.ic.ac.uk/~dbauer/
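The client-side check Jens describes (compare the literal name used to open the connection against the SAN, no canonicalisation, no DNS lookup, CN only as a fallback), and the multi-name certificate from his later reply, as an added example that is not code from the thread or from any grid tool. The certificate descriptions are constructed, and the fallback follows the RFC 6125 rule of consulting the CN only when the SAN carries no dNSName entry.

```python
# Added example, not from the thread: the name check a TLS client performs
# against a host certificate, run on constructed certificate descriptions.
# Names are compared literally (case-insensitive, trailing dot ignored) with
# no DNS lookup. Wildcards are deliberately unsupported: the thread notes
# grid CAs do not use them.

def hostname_matches_cert(connected_name, san_entries, subject_cn):
    """Return True if the name the client used matches the certificate.

    san_entries: list of (type, value) pairs from subjectAltName, e.g.
                 ("DNS", "host.example") or ("email", "user@example").
    subject_cn:  the subject CN string, or None if absent.
    """
    def norm(n):
        return n.rstrip(".").lower()

    name = norm(connected_name)
    dns_names = [norm(v) for t, v in san_entries if t == "DNS"]
    if dns_names:
        # At least one dNSName present: the CN is not consulted at all.
        return name in dns_names
    if subject_cn is None:
        return False
    return name == norm(subject_cn)


# Constructed certificate descriptions (hypothetical, not real certificates).
MULTI_NAME_CERT = {                     # the scheme from Jens's reply
    "cn": "wombat.imperial.ac.uk",
    "san": [("DNS", "wombat.imperial.ac.uk"),
            ("DNS", "aardvark.imperial.ac.uk"),
            ("DNS", "pit-of-despair.imperial.ac.uk")],
}
SINGLE_NAME_CERT = {                    # what the UK CA issues today
    "cn": "wombat.imperial.ac.uk",
    "san": [("DNS", "wombat.imperial.ac.uk")],
}
EMAIL_SAN_CERT = {                      # no dNSName, so CN fallback applies
    "cn": "wombat.imperial.ac.uk",
    "san": [("email", "admin@imperial.ac.uk")],
}


def check(cert, hostname):
    return hostname_matches_cert(hostname, cert["san"], cert["cn"])


if __name__ == "__main__":
    for host in ("wombat.imperial.ac.uk", "AARDVARK.imperial.ac.uk",
                 "other.imperial.ac.uk"):
        print(host, check(MULTI_NAME_CERT, host), check(SINGLE_NAME_CERT, host))
```

Note that a connection opened to aardvark.imperial.ac.uk succeeds only with the multi-name certificate, even if aardvark is merely a CNAME for wombat: the alias in DNS is never consulted.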