Ian G wrote:
> Ben Laurie wrote:
> ...
>>> Hopefully over the next year, the webserver (Apache)
>>> will be capable of doing the TLS extension for sharing
>>> certs so then it will be reasonable to upgrade.
>>
>>
>> In fact, I'm told (I'll dig up the reference) that there's an X509v3
>> extension that allows you to specify alternate names in the certificate.
>> I'm also told that pretty much every browser supports it.
>
> The best info I know of on the subject is here:
>
> http://wiki.cacert.org/wiki/VhostTaskForce
>
> Philipp has a script which he claims automates
> the best method(s) described within to create
> the alt-names cert.
>
> (The big problem of course is that you can use
> one cert to describe many domains only if they
> are the same administrative entity.)

If they share an IP address (which they must, otherwise there's no problem), then they must share a webserver, which means they can share a cert, surely?

> What we really need is for the webservers to
> implement the TLS extension which I think is
> called "server name indication."
>
> And we need SSL v2 to die so it doesn't interfere
> with the above.

Actually, you just disable it in the server. I don't see why we need anything more than that.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/
** ApacheCon - Dec 10-14th - San Diego - http://apachecon.com/ **
"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
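Added example, not part of the thread: the hostname check a client applies to a multi-name (subjectAltName) certificate of the kind discussed above, written in Python against a constructed dict in the shape `ssl.SSLSocket.getpeercert()` returns. The names in it are made up, and the wildcard rules follow what current browsers enforce (RFC 6125: wildcard only as the whole leftmost label, matching exactly one label).

```python
"""Which hostnames does a subjectAltName certificate actually cover?"""

# Constructed sample: a cert a server might present for several vhosts,
# in the shape returned by ssl.SSLSocket.getpeercert().
PEER_CERT = {
    "subject": ((("commonName", "www.example.org"),),),
    "subjectAltName": (
        ("DNS", "www.example.org"),
        ("DNS", "example.org"),
        ("DNS", "*.shop.example.org"),
        ("IP Address", "192.0.2.10"),
    ),
}


def san_dns_names(cert):
    """Return the dNSName entries of subjectAltName.

    The commonName is deliberately ignored: once a SAN extension is
    present, clients match against it alone.
    """
    return [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]


def dns_name_matches(pattern, hostname):
    """Does one presented dNSName (possibly a wildcard) match hostname?"""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Wildcard must be the entire leftmost label, must not sit at the
    # TLD level (*.org), and no other label may contain one (w*.example.org).
    if (p_labels[0] != "*" or len(p_labels) < 3
            or any("*" in lbl for lbl in p_labels[1:])):
        return False
    # "*" covers exactly one label, so label counts must agree.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(cert, hostname):
    """True if any dNSName in the cert's SAN matches the reference name."""
    return any(dns_name_matches(p, hostname) for p in san_dns_names(cert))


if __name__ == "__main__":
    for name in ("WWW.EXAMPLE.ORG", "books.shop.example.org",
                 "deep.books.shop.example.org", "other.example.org"):
        print(f"{name:32s} covered={cert_covers(PEER_CERT, name)}")
```

The same check is what a client performs after it has sent the server name via SNI and received the chosen certificate; a cert that fails it for a vhost is the symptom of the sharing problem the thread describes.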