On Tue, 30 Mar 2010, Rhys Smith wrote:
> From a security point of view, even if JANET(UK) do start supporting
> wildcard certs through the certificate service, it'd still be
> recommended to have separate "real" certs in the kind of case when
> you're running several vhosts on the same machine.
> Using wildcard certs for that kind of thing is not really good security
> practice... If your private key is compromised, all hosts are affected;
> if a cert needs to be revoked, all sites are affected, etc.
> EZproxy is one of those few cases where a wildcard cert is "necessary".
> But that might be a big enough use case for the Janet SCS to enable
> wildcard certs.
I'm not convinced that wildcard certs are inherently dangerous, but they
do make a number of additional dangerous things possible. The question I
suppose is whether this risk outweighs their usefulness in particular
cases such as EZproxy, and if JANET(UK) should be protecting us from it.
In the case of a single machine (or small group of machines) hosting
multiple vhosts I'm not convinced that a single certificate is actually
worse than multiple ones - in most situations (Apache on Linux, say) if
one key on such a machine is compromised then you should probably consider
them all to be compromised.
There are _lots_ of problems if a single key/certificate is used on lots
of machines, perhaps under multiple managements. So don't do that.
Information Systems Development, Computing Service, University of Cambridge
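The "all hosts are affected" point from the thread can be made concrete by computing, for a given machine, which vhosts each deployed certificate actually covers. This is an added example, not code from anyone on the thread; the hostnames and certificate labels are constructed, and wildcard matching follows the single-label rule browsers apply (RFC 6125).

```python
"""Added example (not part of the original thread): given the vhosts a
machine serves and the certificates deployed on it, compute the blast
radius of a compromised private key or a revoked certificate, i.e. which
hostnames each certificate covers.  Wildcard matching follows the
single-label rule used by browsers (RFC 6125): '*.example.ac.uk' covers
'www.example.ac.uk' but not 'example.ac.uk' or 'a.b.example.ac.uk'.
All hostnames below are constructed examples."""
from collections import defaultdict


def name_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate name (CN or SAN, possibly a wildcard) matches
    hostname.  Only a leading '*.' covering exactly one label is honoured."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                      # e.g. ".example.ac.uk"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[:-len(suffix)]
    return bool(first_label) and "." not in first_label


def blast_radius(certs: dict, vhosts: list) -> dict:
    """certs maps a certificate label to the names it carries (CN + SANs).
    Returns {label: sorted vhosts that cert covers}: the sites hit if that
    cert's key leaks or the cert has to be revoked."""
    covered = defaultdict(list)
    for label, names in certs.items():
        for host in vhosts:
            if any(name_matches(n, host) for n in names):
                covered[label].append(host)
    return {label: sorted(hosts) for label, hosts in covered.items()}


# Constructed data: one machine, four vhosts, wildcard vs per-host certs.
VHOSTS = ["www.example.ac.uk", "ezproxy.example.ac.uk",
          "journal.ezproxy.example.ac.uk", "example.ac.uk"]
CERTS = {
    "wildcard": ["*.example.ac.uk"],
    "www-only": ["www.example.ac.uk"],
    "ezproxy-wildcard": ["*.ezproxy.example.ac.uk", "ezproxy.example.ac.uk"],
}

if __name__ == "__main__":
    for label, hosts in blast_radius(CERTS, VHOSTS).items():
        print(f"{label}: key compromise or revocation affects {hosts}")
```

Note that the bare domain and the EZproxy sub-subdomain fall outside the top-level wildcard, which is why EZproxy deployments end up needing their own wildcard certificate.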