Jean-Marc Desperrier wrote:
> Frank Hecker wrote:
>> In any case I'm surprised that more commercial CAs aren't supporting
>> the issuance of SSL certificates that handle some of these common
>> situations.
> Selling one cert per domain is simpler to support
Simpler for the CA, but not (I'd argue) for the customer. I'd rather
install one certificate than try to figure out how to (for example) set
up separate SSL certificates for "hecker.org" vs. "www.hecker.org" for a
server on a single IP address.
> *and* brings more money.
Perhaps, but I think this can be argued both ways. For example,
currently my CA is making $X/year from me for my single
"www.hecker.org". I'd gladly pay 25-50% more for the ability to have
"hecker.org" on that cert as well, but to my knowledge CAs don't offer
that choice and are therefore missing out on that extra revenue.
> They would be more interested in making a reduced price when
> someone buys a bunch of certs with the same domain under various DNS than
> supporting that.
Certainly allowing arbitrary sets of domain names in certs is a
potential problem for CAs, since (for example) someone with five
different servers could get a single cert with the five domain names and
then share certs and private keys among the servers. However I can't
help but think that a creative CA could figure out ways to address this
problem (if it really would be a problem).
Frank
--
Frank Hecker