>>>>> "MR" == Michael Richardson <[email protected]> writes:
MR> We have a half-dozen mirrors of the site (and code) around the world, all of
MR> them donated. 100M of disk space or something...
MR> Most answer to www.tcpdump.org as a virtual host, some have their own
MR> URLs. HTTP based virtual hosting is simple and cheap, and anyone can put up
MR> a mirror using rsync, and then I put the A and AAAA records in along with an
MR> extra name like www.us.tcpdump.org (hosted by wireshark).
MR> Let's assume that I want to make this true (that www.tcpdump.org is
MR> https-everywhere), we need at a minimum, universal SNI or I need to enable
MR> this only when there is a unique v6 (because v4 is too scarce) available.

[Apologies for any typos. I'm in the process of re-learning how to type;
left hand doesn't work quite right anymore... -JimC]

For mirror networks like that you need to have each of them get their own
certs (or their own names) and have downloads redirect from the main site
to mirrors with something like an http 302.

The main site can distribute the redirects using things like geoip or
(optionally weighted) round robin, or whatever.

There really isn't any other secure way to do it.

-JimC
-- 
James Cloos <[email protected]> OpenPGP: 0x997A9F17ED7DAEA6

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
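
Added example, not part of the original message or of any tcpdump.org code: a sketch of the main-site redirector described in the reply, using weighted round robin over a fixed list of mirror names and answering each download request with a 302 to that mirror's own HTTPS name. The `.example` hosts, the weights and the class and function names are assumptions made for illustration; only www.us.tcpdump.org comes from the thread.

```python
import posixpath
from urllib.parse import quote

# Constructed mirror table: (mirror's own HTTPS name, weight). Each mirror is
# assumed to hold a certificate for its own name, as the reply proposes.
MIRRORS = [
    ("www.us.tcpdump.org", 3),
    ("mirror-eu.example", 2),   # placeholder host
    ("mirror-ap.example", 1),   # placeholder host
]

class MirrorRedirector:
    """Smooth weighted round robin over a fixed allowlist of mirror names."""

    def __init__(self, mirrors):
        self.mirrors = list(mirrors)
        self.total = sum(w for _, w in self.mirrors)
        self.current = [0] * len(self.mirrors)

    def pick(self):
        # Add each weight to its counter, take the largest counter, then
        # subtract the total from the winner so picks are spread evenly.
        for i, (_, weight) in enumerate(self.mirrors):
            self.current[i] += weight
        best = max(range(len(self.mirrors)), key=lambda i: self.current[i])
        self.current[best] -= self.total
        return self.mirrors[best][0]

    def redirect(self, request_target):
        """Return (status, headers) for a download request on the main site."""
        # Drop query and fragment, then normalise so the client-supplied
        # value can only ever become a path on the chosen mirror.
        path = request_target.split("?", 1)[0].split("#", 1)[0]
        clean = posixpath.normpath("/" + path.lstrip("/"))
        # The host comes only from MIRRORS and the scheme is always https;
        # quote() encodes CR/LF so the Location header cannot be split.
        location = "https://" + self.pick() + quote(clean, safe="/%")
        return 302, {"Location": location}
```

The client validates each mirror against the name in the Location header, so no mirror needs the key for www.tcpdump.org.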
