[Mageia-sysadm] SSL certificate

Wed Feb 9 16:58:35 CET 2011

Le mercredi 09 février 2011 à 15:36 +0100, Romain d'Alverny a écrit :
+> On Wed, Feb 9, 2011 at 15:22, Michael Scherer <misc at zarb.org> wrote:
+> > Another issue we had with rapidssl was for foo.barr.domain when the
+> > certificate was *.domain. That's something we need to check and to test
+> > for sure.
+> 
+> AFAIK, that is the case for all wildcards that only work on a single
+> subdomain level, no?
+
+Given the price of a wildcard cert, we didn't check others providers
+when we faced the issue at my work. But that's something to look for
+IMHO. 
+
+Ie, be sure to keep only single level url.
+
+> >> For other solutions, Cacert is not an option so far.
+> >
+> > Why ? Wobo and Pascal are both assurers, IIRC, as is rapsys.
+> 
+> For the single reason it is not recognized by Firefox:
+>  * https://bugzilla.mozilla.org/show_bug.cgi?id=215243
+>  * http://wiki.cacert.org/InclusionStatus
+> 
+> Or my understanding of the issue at stake is wrong?
+
+I may be wrong, but can't we have more than one certificate, ie, to have
+the website certified by gandi and by cacert ? 
+
+I have asked the details on some irc channel, but it was not clear about
+what we can achieve in this regard.
+
+This way, we have a certificate that work in cacert, and we also benefit
+from the reputation of using something less commercial ( not that I
+think gandi does a bad job, and also i do not say because I know the guy
+there, but the whole centralisation around x509 is bad, so we should try
+to find a better if this is not detrimental ).
+
+Another possible complementary approach would be to look at the monkey
+sphere project  ( http://web.monkeysphere.info/why/ ) ( at least for the
+openssh part ), but that's for sure not a solution to the problem of
+regular people who are scared by the firefox dialog.
+
+-- 
+Michael Scherer
+
+