On 13/10/13 10:29, Kaspar Brand wrote:
> On 11.10.2013 13:53, Dr Stephen Henson wrote:
>> IMHO though there needs to be a way to be able to tie a directive to a
>> certificate in mod_ssl anyway though. I'm surprised no one has needed to do that
>> before.
>
> I'm not sure we really need this for mod_ssl, as configuring more than
> one cert per vhost is probably a very rare case (the number of non-RSA
> certs on public sites is extremely small - in the 2010 SSL Survey from
> Qualys e.g., a few more than 100 out of 600,000 were DSA [1]). If people
> deliberately want to go for something other than RSA, I would assume
> that they either omit the RSA cert completely, or set up a dedicated
> vhost for (EC)DSA.

Kaspar, I don't think data from 2010 (or even data from today) should be
assumed to be a reliable indicator of future use of non-RSA certs on
public sites.
AFAICT, interest (amongst the commercial CAs) in ECC certs continues to
grow. Since a significant proportion (I estimate ~20%) of deployed
clients will accept RSA server certs but not ECC server certs, I think
that configuring both an ECC cert and an RSA cert on a single vhost may
yet become popular!
<snip>
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online