On 04/03/2013 07:26 AM, Ewoud Kohl van Wijngaarden wrote:
> I think foreman and smartproxy will use the puppet certificate
> infrastructure (as is default in the foreman installer), so that leaves
> us with a few others.
>
> Pro for a wildcard is that it's easy. You can secure lots of services
> with just one certificate. Con is that if one service is compromised and
> the private key leaks, you need to replace the certificate on all
> services.
>
> Given we want to set up everything and are still starting up, I'm
> favoring ease, thus a wildcard.

+1

- Karsten

> Regarding security I hope that we eventually can use DNSSEC + DANE so we
> can use self-signed certificates (so without a CA), but also without the
> downsides of nobody trusting it. That will require RH IT to support
> DNSSEC and much wider adoption of DNSSEC and DANE but I strongly believe
>
> On Wed, Mar 27, 2013 at 03:55:48PM +0000, Karsten 'quaid' Wade wrote:
>> On 03/27/2013 03:46 PM, Alexander Rydekull wrote:
>>> I vote wildcard if we're just gonna use it to protect our web.
>>
>> I admit to being a bit stupid here as to the differences.
>>
>> My contact at Red Hat IT (who will get for us what we need) indicated
>> one-per-subdomain is considered more secure, but didn't have a problem
>> ordering a wildcard for us.
>>
>> - Karsten
>>
>>> On Wed, Mar 27, 2013 at 4:43 PM, Karsten 'quaid' Wade <kwade(a)redhat.com> wrote:
>>>
>>>> On 03/27/2013 02:44 PM, Mike Burns wrote:
>>>>> On 03/27/2013 12:34 PM, Karsten 'quaid' Wade wrote:
>>>>>> We can get an SSL cert for each subdomain, or we can get a wildcard
>>>>>> cert. My understanding is that it is more secure to use
>>>>>> one-per-subdomain.
>>>>>>
>>>>>> Presuming we want the one-per model, what are the subdomains we need to
>>>>>> get a cert for?
>>>>>>
>>>>>> gerrit.ovirt.org
>>>>>> jenkins.ovirt.org
>>>>>> resources.ovirt.org
>>>>>> foreman.ovirt.org
>>>>>> smartproxy.ovirt.org
>>>>>> lists.ovirt.org
>>>>>
>>>>> etherpad?
>>>>> what about base ovirt.org (the wiki)?
>>>>
>>>> +1 to both (www, etherpad).
>>>>
>>>> Basically, anything that has a login over HTTP.
> _______________________________________________
> Infra mailing list
> Infra(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/infra

-- 
Karsten 'quaid' Wade, Sr. Analyst - Community Growth
http://TheOpenSourceWay.org  .^\  http://community.redhat.com
@quaid (identi.ca/twitter/IRC)  \v'  gpg: AD0E0C41
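The DNSSEC + DANE setup Ewoud describes above, as an added worked example that is not part of the thread and not oVirt infra's own tooling: it generates a throwaway self-signed certificate for a placeholder host (gerrit.example.org, not a real oVirt host), derives the TLSA record a DANE-aware client would check (certificate usage 3 = DANE-EE, selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256), and shows why pinning the public key rather than the whole certificate lets you re-issue the cert without touching DNS, while a new key (the leak scenario from the wildcard discussion) makes the old record fail. It assumes OpenSSL and POSIX coreutils (od, tr, awk, mktemp) on the host; the record is only meaningful once the zone is DNSSEC-signed, which the thread notes is the prerequisite.

```shell
#!/bin/sh
# Added example, not code from the oVirt infra thread.
# Derive and verify a DANE TLSA (3 1 1) record for a self-signed certificate.
set -eu

# Constructed test material: a fresh self-signed cert + key for a placeholder host.
make_selfsigned() {   # $1 = host name, $2 = output path prefix
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$1" -keyout "$2.key" -out "$2.crt" >/dev/null 2>&1
}

# Re-issue a certificate for the same host using an existing key (key rotation NOT done).
reissue_same_key() {  # $1 = host name, $2 = existing key file, $3 = output cert file
    openssl req -new -x509 -key "$2" -sha256 -days 365 \
        -subj "/CN=$1" -out "$3" >/dev/null 2>&1
}

# SHA-256 over the DER-encoded SubjectPublicKeyInfo (selector 1, matching type 1).
# Pinning the SPKI instead of the full cert means a re-issued cert with the same
# key still matches; only a key change invalidates the record.
spki_sha256() {       # $1 = PEM certificate
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -binary \
      | od -An -v -tx1 | tr -d ' \n'
}

# Usage 3 (DANE-EE): the client trusts this end-entity key directly and skips
# PKIX chain validation, which is what lets a self-signed cert be trusted
# without a CA, provided the zone is DNSSEC-signed and the resolver validates.
tlsa_record() {       # $1 = host, $2 = TCP port, $3 = PEM certificate
    printf '_%s._tcp.%s. IN TLSA 3 1 1 %s\n' "$2" "$1" "$(spki_sha256 "$3")"
}

# Client-side check: does the certificate the server presented match the
# association data in the TLSA record? Returns 0 on match, 1 otherwise.
tlsa_matches() {      # $1 = PEM certificate presented by the server, $2 = TLSA record line
    expected=$(printf '%s\n' "$2" | awk '{print $NF}')
    [ "$(spki_sha256 "$1")" = "$expected" ]
}

# Usage: sh dane_tlsa.sh gerrit.example.org 443
if [ "$#" -eq 2 ]; then
    dir=$(mktemp -d)
    make_selfsigned "$1" "$dir/host"
    tlsa_record "$1" "$2" "$dir/host.crt"
fi
```

Publish the printed line in the (DNSSEC-signed) zone for each service host; with one-certificate-per-host, a leaked key means replacing that host's key and its single TLSA record, whereas a shared wildcard key would force a key and record change for every name that used it.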