Ewan's comment seems so reasonable I couldn't resist reading the CA policy document. For amusement, from the CA policy:
DNS - a DNS name identifying a host (physical or virtual) should use the . The DNS name need not resolve, but should be in a DNS namespace controlled by the Subscriber, as per (3.1). Multiple DNS names may be present if they are associated with the same End Entity. IP - IP addresses in certificates may be used.
"For host certificates, the CN must either be: a syntactically valid DNS name (the validity check that used to be RFC 1034), but need not actually resolve in DNS; or a wildcard DNS name. In this case, the wildcard uses a '*' character and must be the first component of the name, or a part of the first component of the name."
All very vague really. Doesn't seem to say much about what a "host" is - maybe a "host" could be three machines sharing a common CNAME :) ?
Of course in the end it depends how the middleware stack implements the above set of checks - irrespective of what is written in the CP/CPS.
Andrew
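As an added illustration of Andrew's last point (this is not part of the thread, nor any CA's or middleware's code), here is what a checker would look like if it implemented the quoted CP rule literally: the CN must be a syntactically valid DNS name, or a wildcard whose '*' sits in, or is, the first component. The matching half then compares a presented hostname against such a CN, with '*' standing for a single label or part of one. Nothing in either function knows or cares how many machines answer for the name, which is exactly why the "host" question is decided by the implementation rather than the policy text. The regex, the function names and the sample names are all my own assumptions.

```python
import re

# One DNS label: 1-63 chars of letters, digits, hyphens, not starting or ending
# with a hyphen (RFC 1034/1123 syntax).  Assumed here; the CP names no regex.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_dns_name(name):
    """Syntactic check only: no resolution is attempted, as the CP allows."""
    if not name or len(name) > 253:
        return False
    labels = name.rstrip(".").split(".")
    return all(LABEL_RE.match(label) for label in labels)


def is_valid_cn(cn):
    """The quoted rule: a valid DNS name, or a wildcard whose single '*' is the
    first component or part of the first component, followed by a valid suffix."""
    if "*" not in cn:
        return is_valid_dns_name(cn)
    first, sep, rest = cn.partition(".")
    if not sep or "*" in rest or first.count("*") != 1:
        return False            # '*' only in the first component; a suffix is required
    literal = first.replace("*", "")
    if literal and not re.match(r"^[A-Za-z0-9-]+$", literal):
        return False            # partial-label wildcard like 'ce*' or '*-node'
    return is_valid_dns_name(rest)


def cn_matches_host(cn, host):
    """Match a presented hostname against the CN.  A wildcard matches exactly
    one label (or the marked part of one) in the leftmost position; it never
    spans a dot.  Comparison is case-insensitive, trailing dots ignored."""
    cn, host = cn.lower().rstrip("."), host.lower().rstrip(".")
    if not is_valid_cn(cn) or not is_valid_dns_name(host):
        return False
    if "*" not in cn:
        return cn == host
    cn_first, _, cn_suffix = cn.partition(".")
    host_first, sep, host_suffix = host.partition(".")
    if not sep or cn_suffix != host_suffix:
        return False            # '*.example.org' does not cover 'example.org' or 'a.b.example.org'
    pattern = "^" + re.escape(cn_first).replace(r"\*", "[a-z0-9-]+") + "$"
    return re.match(pattern, host_first) is not None


if __name__ == "__main__":
    # Constructed sample names, not from any real certificate.
    for cn in ("ce01.example.org", "*.example.org", "ce*.example.org",
               "host.*.example.org", "*", "*.*.example.org"):
        print(f"{cn:22} valid CN: {is_valid_cn(cn)}")
    for cn, host in (("*.example.org", "ce01.example.org"),
                     ("*.example.org", "a.b.example.org"),
                     ("ce*.example.org", "ce01.example.org"),
                     ("ce*.example.org", "se01.example.org")):
        print(f"{cn:18} vs {host:18} -> {cn_matches_host(cn, host)}")
```

The shape of this check is the part that varies between middleware stacks: whether a partial-label wildcard such as 'ce*' is honoured, whether the suffix must be a valid name, and whether matching is done against the CN at all rather than the SAN list. The CP text quoted above constrains none of that.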
________________________________________
From: Testbed Support for GridPP member institutes [[log in to unmask]] on behalf of Ewan MacMahon [[log in to unmask]]
Sent: Friday, October 30, 2015 4:08 PM
To: [log in to unmask]
Subject: Re: Fwd: Minutes from the WLCG Ops Coord meeting of 22-OCT-2015
> -----Original Message-----
> From: Testbed Support for GridPP member institutes [mailto:TB-
> [log in to unmask]] On Behalf Of Jensen, Jens (STFC,RAL,SC)
>
> (a) get a certificate for the advertised name and share it across the
> servers
>
> Now (a) is a bad idea; it is against the rules of the CA (sharing keys)
> and what happens if you need to revoke it. So don't do that.
Wait, what? That doesn't seem right - if you've got a thing that's a singular thing (say, a service) that just happens to be implemented by more than one machine under the same administration, then it's not really sharing the key, and if you need to revoke the service's certificate it gets revoked once and equally affects all the machines behind the service, which sounds just fine to me.
What rule is this against, and what does the rule actually say?
Ewan