SSL

Karsten 'quaid' Wade kwade at redhat.com
Wed Apr 3 14:54:45 UTC 2013


On 04/03/2013 07:26 AM, Ewoud Kohl van Wijngaarden wrote:
> I think foreman and smartproxy will use the puppet certificate
> infrastructure (as is default in the foreman installer), so that leaves
> us with a few others.
> 
> Pro for a wildcard is that it's easy. You can secure lots of services
> with just one certificate. Con is that if one service is compromised and
> the private key leaks, you need to replace the certificate on all
> services.
> 
> Given we want to set up everything and are still starting up, I'm favoring
> ease, thus a wildcard.

+1

- Karsten
> 
> Regarding security I hope that we eventually can use DNSSEC + DANE so we
> can use self-signed certificates (so without a CA), but also without the
> downsides of nobody trusting it. That will require RH IT to support
> DNSSEC and much wider adoption of DNSSEC and DANE but I strongly believe
> this will be the future of SSL certificates. See
> http://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities
> 
> On Wed, Mar 27, 2013 at 03:55:48PM +0000, Karsten 'quaid' Wade wrote:
>> On 03/27/2013 03:46 PM, Alexander Rydekull wrote:
>>> I vote wildcard if we're just gonna use it to protect our web.
>>
>> I admit to being a bit stupid here as to the differences.
>>
>> My contact at Red Hat IT (who will get for us what we need) indicated
>> one-per-subdomain is considered more secure, but didn't have a problem
>> ordering a wildcard for us.
>>
>> - Karsten
>>
>>> On Wed, Mar 27, 2013 at 4:43 PM, Karsten 'quaid' Wade <kwade at redhat.com> wrote:
>>>
>>>> On 03/27/2013 02:44 PM, Mike Burns wrote:
>>>>> On 03/27/2013 12:34 PM, Karsten 'quaid' Wade wrote:
>>>>>> We can get an SSL cert for each subdomain, or we can get a wildcard
>>>>>> cert. My understanding is that it is more secure to use
>>>>>> one-per-subdomain.
>>>>>>
>>>>>> Presuming we want the one-per model, what are the subdomains we need to
>>>>>> get a cert for?
>>>>>>
>>>>>> gerrit.ovirt.org
>>>>>> jenkins.ovirt.org
>>>>>> resources.ovirt.org
>>>>>> foreman.ovirt.org
>>>>>> smartproxy.ovirt.org
>>>>>> lists.ovirt.org
>>>>>>
>>>>>
>>>>> etherpad?
>>>>> what about base ovirt.org (the wiki)?
>>>>
>>>> +1 to both (www, etherpad).
>>>>
>>>> Basically, anything that has a login over HTTP.
> _______________________________________________
> Infra mailing list
> Infra at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/infra
> 


-- 
Karsten 'quaid' Wade, Sr. Analyst - Community Growth
http://TheOpenSourceWay.org  .^\  http://community.redhat.com
@quaid (identi.ca/twitter/IRC)  \v'  gpg: AD0E0C41
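As an added illustration of the trade-off discussed in this thread (not code from the thread or the oVirt project): the script below models the two options, one wildcard certificate versus one certificate per subdomain, for the hosts named above, and shows two practical points: a `*.ovirt.org` wildcard does not cover the bare `ovirt.org` that Mike asked about, and a key leak under the wildcard plan forces a replacement on every covered service. The host list comes from the thread; the plans and the assumption that each certificate has its own private key are constructed for the example.

```python
# Added example, not code from the thread. Models the two options discussed:
# one wildcard certificate vs. one certificate per subdomain.

# Hosts named in the thread (including etherpad and the base domain).
HOSTS = ["gerrit.ovirt.org", "jenkins.ovirt.org", "resources.ovirt.org",
         "foreman.ovirt.org", "smartproxy.ovirt.org", "lists.ovirt.org",
         "etherpad.ovirt.org", "www.ovirt.org", "ovirt.org"]

def dns_name_matches(pattern, hostname):
    """RFC 6125 section 6.4.3 style matching of a certificate dNSName
    against a hostname. A wildcard is accepted only as the whole leftmost
    label and matches exactly one label, so '*.ovirt.org' covers
    'gerrit.ovirt.org' but neither 'ovirt.org' nor 'a.b.ovirt.org'."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h
    # Reject '*', '*.org' and partial-label forms such as 'g*.ovirt.org'.
    if p[0] != "*" or len(p) < 3 or any("*" in label for label in p[1:]):
        return False
    return len(h) == len(p) and p[1:] == h[1:]

# A plan is a list of certificates; each certificate is the list of names
# it carries. Assumption: each certificate has its own private key.
WILDCARD_PLAN = [["*.ovirt.org"]]
PER_HOST_PLAN = [[host] for host in HOSTS]

def coverage(plan, hosts=HOSTS):
    """Map each host to the index of the certificate covering it, or None."""
    result = {}
    for host in hosts:
        result[host] = next((i for i, names in enumerate(plan)
                             if any(dns_name_matches(n, host) for n in names)), None)
    return result

def uncovered(plan, hosts=HOSTS):
    """Hosts that would still need a certificate under this plan."""
    return [h for h, i in coverage(plan, hosts).items() if i is None]

def blast_radius(plan, leaked_host, hosts=HOSTS):
    """Hosts whose certificate must be replaced if the private key serving
    `leaked_host` leaks: every host served by the same certificate."""
    cov = coverage(plan, hosts)
    idx = cov[leaked_host]
    return sorted(h for h, i in cov.items() if i is not None and i == idx)

if __name__ == "__main__":
    print("not covered by wildcard:", uncovered(WILDCARD_PLAN))
    print("wildcard key leak at gerrit hits:", blast_radius(WILDCARD_PLAN, "gerrit.ovirt.org"))
    print("per-host key leak at gerrit hits:", blast_radius(PER_HOST_PLAN, "gerrit.ovirt.org"))
```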
