5:34 p.m.
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
------enig2LSQILQBWBPOVSLGXPWVB
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
We can get an SSL cert for each subdomain, or we can get a wildcard
cert. My understanding is that it is more secure to use one-per-subdomain=
=2E
Presuming we want the one-per model, what are the subdomains we need to
get a cert for?
gerrit.ovirt.org
jenkins.ovirt.org
resources.ovirt.org
foreman.ovirt.org
smartproxy.ovirt.org
lists.ovirt.org
- Karsten
--=20
Karsten 'quaid' Wade, Sr. Analyst - Community Growth
http://TheOpenSourceWay.org .^\ http://community.redhat.com
@quaid (identi.ca/twitter/IRC) \v' gpg: AD0E0C41
------enig2LSQILQBWBPOVSLGXPWVB
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
------enig2LSQILQBWBPOVSLGXPWVB--
4:43 p.m.
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
------enig2POMPBUAUBQHMQGACJCCE
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
On 03/27/2013 02:44 PM, Mike Burns wrote:
o
+1 to both (www, etherpad).
Basically, anything that has a login over HTTP.
- Karsten
--=20
Karsten 'quaid' Wade, Sr. Analyst - Community Growth
http://TheOpenSourceWay.org .^\ http://community.redhat.com
@quaid (identi.ca/twitter/IRC) \v' gpg: AD0E0C41
------enig2POMPBUAUBQHMQGACJCCE
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
------enig2POMPBUAUBQHMQGACJCCE--
4:55 p.m.
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
------enig2XKWWUOFLGQLFQIVEQHFC
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
On 03/27/2013 03:46 PM, Alexander Rydekull wrote:
I vote wildcard if we're just gonna use it to protect our web.
I admit to being a bit stupid here as to the differences.
My contact at Red Hat IT (who will get for us what we need) indicated
one-per-subdomain is considered more secure, but didn't have a problem
ordering a wildcard for us.
- Karsten
to
--=20
Karsten 'quaid' Wade, Sr. Analyst - Community Growth
http://TheOpenSourceWay.org .^\ http://community.redhat.com
@quaid (identi.ca/twitter/IRC) \v' gpg: AD0E0C41
------enig2XKWWUOFLGQLFQIVEQHFC
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
------enig2XKWWUOFLGQLFQIVEQHFC--
4:26 p.m.
I think foreman and smartproxy will use the puppet certificate
infrastructure (as is default in the foreman installer), so that leaves
us with a few others.
Pro for a wildcard is that it's easy. You can secure lots of services
with just one certificate. Con is that if one service is compromised and
the private key leaks, you need to replace the certificate on all
services.
Given we want to set up everything and still starting up I'm favoring
ease thus a wildcard.
Regarding security I hope that we eventually can use DNSSEC + DANE so we
can use self-signed certificates (so without a CA), but also without the
downsides of nobody trusting it. That will require RH IT to support
DNSSEC and much wider adoption of DNSSEC and DANE but I strongly believe
this will be the future of SSL certificates. See
http://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities
On Wed, Mar 27, 2013 at 03:55:48PM +0000, Karsten 'quaid' Wade wrote:
4:54 p.m.
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
------enig2AQMEINRTVPDGOMTOCXMG
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
On 04/03/2013 07:26 AM, Ewoud Kohl van Wijngaarden wrote:
I think foreman and smartproxy will use the puppet certificate
infrastructure (as is default in the foreman installer), so that leaves=
d
+1
- Karsten
=20
Regarding security I hope that we eventually can use DNSSEC + DANE so w=
e
can use self-signed certificates (so without a CA), but also without
th=
e
downsides of nobody trusting it. That will require RH IT to support
DNSSEC and much wider adoption of DNSSEC and DANE but I strongly believ=
e
this will be the future of SSL certificates. See
http://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities=
om>wrote:
d
ed to
--=20
Karsten 'quaid' Wade, Sr. Analyst - Community Growth
http://TheOpenSourceWay.org .^\ http://community.redhat.com
@quaid (identi.ca/twitter/IRC) \v' gpg: AD0E0C41
------enig2AQMEINRTVPDGOMTOCXMG
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
------enig2AQMEINRTVPDGOMTOCXMG--
4443
days inactive
4450
days old
6 comments
4 participants
participants (4)
-
Alexander Rydekull -
Ewoud Kohl van Wijngaarden -
Karsten 'quaid' Wade -
Mike Burns