
We can get an SSL cert for each subdomain, or we can get a wildcard cert. My understanding is that it is more secure to use one-per-subdomain.

Presuming we want the one-per model, what are the subdomains we need to get a cert for?

gerrit.ovirt.org
jenkins.ovirt.org
resources.ovirt.org
foreman.ovirt.org
smartproxy.ovirt.org
lists.ovirt.org

- Karsten

--
Karsten 'quaid' Wade, Sr. Analyst - Community Growth
http://TheOpenSourceWay.org .^\ http://community.redhat.com
@quaid (identi.ca/twitter/IRC) \v' gpg: AD0E0C41

On 03/27/2013 12:34 PM, Karsten 'quaid' Wade wrote:
> We can get an SSL cert for each subdomain, or we can get a wildcard cert. My understanding is that it is more secure to use one-per-subdomain.
>
> Presuming we want the one-per model, what are the subdomains we need to get a cert for?
>
> gerrit.ovirt.org
> jenkins.ovirt.org
> resources.ovirt.org
> foreman.ovirt.org
> smartproxy.ovirt.org
> lists.ovirt.org

etherpad? what about base ovirt.org (the wiki)?

Mike

> - Karsten

_______________________________________________
Infra mailing list
Infra@ovirt.org
http://lists.ovirt.org/mailman/listinfo/infra

On 03/27/2013 02:44 PM, Mike Burns wrote:
> etherpad? what about base ovirt.org (the wiki)?

+1 to both (www, etherpad).

Basically, anything that has a login over HTTP.

- Karsten

I vote wildcard if we're just gonna use it to protect our web.

On Wed, Mar 27, 2013 at 4:43 PM, Karsten 'quaid' Wade <kwade@redhat.com> wrote:
> On 03/27/2013 02:44 PM, Mike Burns wrote:
>> etherpad? what about base ovirt.org (the wiki)?
>
> +1 to both (www, etherpad).
>
> Basically, anything that has a login over HTTP.
>
> - Karsten

--
/Alexander Rydekull

On 03/27/2013 03:46 PM, Alexander Rydekull wrote:
> I vote wildcard if we're just gonna use it to protect our web.

I admit to being a bit stupid here as to the differences.

My contact at Red Hat IT (who will get for us what we need) indicated one-per-subdomain is considered more secure, but didn't have a problem ordering a wildcard for us.

- Karsten

I think foreman and smartproxy will use the puppet certificate infrastructure (as is default in the foreman installer), so that leaves us with a few others.

Pro for a wildcard is that it's easy. You can secure lots of services with just one certificate. Con is that if one service is compromised and the private key leaks, you need to replace the certificate on all services.

Given we want to set up everything and are still starting up, I'm favoring ease, thus a wildcard.

Regarding security, I hope that we eventually can use DNSSEC + DANE so we can use self-signed certificates (so without a CA), but also without the downsides of nobody trusting it. That will require RH IT to support DNSSEC and much wider adoption of DNSSEC and DANE, but I strongly believe this will be the future of SSL certificates. See http://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities

On Wed, Mar 27, 2013 at 03:55:48PM +0000, Karsten 'quaid' Wade wrote:
> On 03/27/2013 03:46 PM, Alexander Rydekull wrote:
>> I vote wildcard if we're just gonna use it to protect our web.
>
> I admit to being a bit stupid here as to the differences.
>
> My contact at Red Hat IT (who will get for us what we need) indicated one-per-subdomain is considered more secure, but didn't have a problem ordering a wildcard for us.
>
> - Karsten
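An added example, not code from this thread or from the oVirt infra project: it makes two points in the discussion checkable. Mike's question about the base ovirt.org name is answered by the RFC 6125 wildcard matching rules (a wildcard label matches exactly one label and never the apex, so `*.ovirt.org` leaves `ovirt.org` uncovered), and Ewoud's con for a wildcard is the re-issue set when a key leaks. The hostnames are the ones from the thread plus www and etherpad; the `key_id` labels and the deployment mapping are constructed for illustration, and the matching rules go beyond what the thread itself states.

```python
"""Which hosts a certificate covers under the wildcard and per-subdomain
models, and which services need re-issue if a private key leaks.
Added example; hostnames from the thread, key labels constructed."""
from dataclasses import dataclass

# Hosts named in the thread, plus the two Mike asked about (apex and www).
HOSTS = [
    "ovirt.org", "www.ovirt.org", "etherpad.ovirt.org",
    "gerrit.ovirt.org", "jenkins.ovirt.org", "resources.ovirt.org",
    "foreman.ovirt.org", "smartproxy.ovirt.org", "lists.ovirt.org",
]


@dataclass(frozen=True)
class Cert:
    key_id: str   # constructed label for the private key behind this cert
    names: tuple  # dNSName SAN entries; at most one wildcard label each


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 section 6.4.3 wildcard rules: the wildcard must be the whole
    left-most label, it matches exactly one label, and it never matches the
    registered domain itself (so '*.ovirt.org' does not cover 'ovirt.org')."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False  # reject 'g*.ovirt.org' and '*.*.ovirt.org' forms
    if len(p_labels) < 3:
        return False  # reject '*.org': a wildcard on a public suffix
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_covers(cert: Cert, host: str) -> bool:
    return any(name_matches(n, host) for n in cert.names)


def uncovered_hosts(certs, hosts=HOSTS):
    """Hosts that none of the given certificates would be valid for."""
    return [h for h in hosts if not any(cert_covers(c, h) for c in certs)]


def reissue_set(deployments: dict, leaked_key_id: str):
    """Every service whose deployed cert is backed by the leaked key must get
    a new key and certificate; that is Ewoud's con for the wildcard model."""
    return sorted(s for s, c in deployments.items() if c.key_id == leaked_key_id)


# Wildcard model: one key and one cert copied to every service.
WILDCARD = Cert("key-wild", ("*.ovirt.org",))
# Per-subdomain model: a separate key and cert per service.
PER_HOST = {h: Cert(f"key-{h}", (h,)) for h in HOSTS}


def wildcard_gaps():
    return uncovered_hosts([WILDCARD])


def wildcard_blast_radius():
    deployed = {h: WILDCARD for h in HOSTS if cert_covers(WILDCARD, h)}
    return reissue_set(deployed, "key-wild")


def per_host_blast_radius(host="gerrit.ovirt.org"):
    return reissue_set(PER_HOST, PER_HOST[host].key_id)


if __name__ == "__main__":
    print("not covered by *.ovirt.org:", wildcard_gaps())
    print("reissue if the wildcard key leaks:", wildcard_blast_radius())
    print("reissue if the gerrit key leaks:", per_host_blast_radius())
```

Running it shows the apex name still needs its own SAN entry (or its own cert) next to a wildcard, and that a leaked wildcard key forces re-issue on every service it was copied to, whereas a leaked per-host key affects only that host.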

On 04/03/2013 07:26 AM, Ewoud Kohl van Wijngaarden wrote:
> I think foreman and smartproxy will use the puppet certificate infrastructure (as is default in the foreman installer), so that leaves us with a few others.
>
> Pro for a wildcard is that it's easy. You can secure lots of services with just one certificate. Con is that if one service is compromised and the private key leaks, you need to replace the certificate on all services.
>
> Given we want to set up everything and are still starting up, I'm favoring ease, thus a wildcard.

+1

- Karsten

> Regarding security, I hope that we eventually can use DNSSEC + DANE so we can use self-signed certificates (so without a CA), but also without the downsides of nobody trusting it. That will require RH IT to support DNSSEC and much wider adoption of DNSSEC and DANE, but I strongly believe this will be the future of SSL certificates. See http://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities
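The DNSSEC + DANE model Ewoud hopes for, as an added example that is not code from this thread or the oVirt project: a TLSA record (RFC 6698) publishes a digest of the server's own key in DNS, so a DNSSEC-validating client can accept a self-issued certificate without any CA. The example assumes the Ed25519 SubjectPublicKeyInfo DER prefix from RFC 8410 and uses constructed key bytes; a 2013 deployment would have used RSA keys, but the digest and record format are the same. The rollover helper goes beyond the thread: it is the operational caveat that a key change must publish the new record before the server switches.

```python
"""Build and check a DANE TLSA record for a self-issued key.
Certificate usage 3 (DANE-EE), selector 1 (SubjectPublicKeyInfo),
matching type 1 (SHA-256). Added example; keys below are constructed."""
import hashlib

# DER prefix of an Ed25519 SubjectPublicKeyInfo (RFC 8410):
# SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING (32-byte key) }
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def spki_der(raw_public_key: bytes) -> bytes:
    """Wrap a raw Ed25519 public key in its SubjectPublicKeyInfo encoding."""
    if len(raw_public_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return ED25519_SPKI_PREFIX + raw_public_key


def tlsa_rdata(spki: bytes) -> str:
    """RDATA of a '3 1 1' TLSA record: hex SHA-256 of the DER SPKI.
    Pinning the SPKI rather than the whole certificate means renewing or
    re-signing the certificate with the same key needs no DNS change."""
    return f"3 1 1 {hashlib.sha256(spki).hexdigest()}"


def tlsa_owner(host: str, port: int = 443, proto: str = "tcp") -> str:
    """Owner name a client queries, e.g. _443._tcp.gerrit.ovirt.org."""
    return f"_{port}._{proto}.{host}."


def tlsa_matches(rdata: str, presented_spki: bytes) -> bool:
    """The DANE-EE check a client performs after DNSSEC validation: the
    presented key matches the published digest or the handshake is rejected."""
    fields = rdata.split()
    if len(fields) != 4 or fields[:3] != ["3", "1", "1"]:
        return False  # other usage/selector/matching combinations not handled here
    return hashlib.sha256(presented_spki).hexdigest() == fields[3].lower()


def rollover_rdata(old_spki: bytes, new_spki: bytes) -> list:
    """Key rollover: publish both records, wait out the record TTL, switch
    the server to the new key, then remove the old record. At no point is
    there a window in which validating clients find no matching record."""
    return [tlsa_rdata(old_spki), tlsa_rdata(new_spki)]


# Constructed sample keys, not real oVirt keys.
CURRENT_KEY = spki_der(bytes(range(32)))
NEXT_KEY = spki_der(bytes(range(1, 33)))


if __name__ == "__main__":
    print(tlsa_owner("gerrit.ovirt.org"), "IN TLSA", tlsa_rdata(CURRENT_KEY))
    for record in rollover_rdata(CURRENT_KEY, NEXT_KEY):
        print("  during rollover:", record)
```

The trust here rests entirely on DNSSEC: without a validated chain to the zone, a TLSA record is just unauthenticated data and the client must fall back to ordinary CA validation, which is why Ewoud's plan depends on the zone operator supporting DNSSEC first.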