David Schwartz wrote:

        The right thing is for the CA to issue a limited wildcard CA cert.
Basically, it would say that a certain key may sign certificates for all
hosts inside a particular domain. That way you only need one key signed by
an outside authority and it doesn't matter if one of your servers is
compromised. (In fact, you can issue it a new key yourself and revoke the
old one yourself.)

Certificate policy and wildcard CNs have nothing to do with one another (with the possible exception that the latter promotes bad examples of the former).


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
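The domain-limited CA certificate described in the quoted message corresponds to the X.509 Name Constraints extension (RFC 5280, section 4.2.1.10). The sketch below is an added example, not part of the thread and not OpenSSL's code: it applies the RFC's dNSName subtree rule to the names in a leaf certificate. The function names and all host and domain names are constructed for illustration.

```python
# Added illustration: RFC 5280 section 4.2.1.10 dNSName constraint matching,
# as a verifier applies it to leaf certificates issued by a domain-limited CA.
# Constraints are written in the RFC form ("corp.example", no leading dot).

def _labels(name):
    """Lower-case a DNS name and split it into labels, dropping a trailing dot."""
    return name.lower().rstrip(".").split(".")

def dns_within(name, subtree):
    """True if `name` equals `subtree` or only adds labels to its left side."""
    n, s = _labels(name), _labels(subtree)
    # Compare whole labels, never raw string suffixes, so that
    # "notcorp.example" is not mistaken for a child of "corp.example".
    return len(n) >= len(s) and n[len(n) - len(s):] == s

def violations(san_dns_names, permitted, excluded=()):
    """List (name, reason) for each dNSName SAN that breaks the constraints."""
    bad = []
    for name in san_dns_names:
        # Excluded subtrees take precedence over permitted ones.
        hit = next((e for e in excluded if dns_within(name, e)), None)
        if hit is not None:
            bad.append((name, "inside excluded subtree " + hit))
        elif permitted and not any(dns_within(name, p) for p in permitted):
            bad.append((name, "outside every permitted subtree"))
    return bad

# Constructed sample: an intermediate CA limited to one organisation's domain.
PERMITTED = ["corp.example"]
EXCLUDED = ["payments.corp.example"]

def demo():
    """Check several constructed leaf certificates; every SAN must pass."""
    leaves = {
        "web": ["www.corp.example", "corp.example"],
        "wildcard": ["*.corp.example"],  # "*" is treated as an ordinary label
        "lookalike": ["www.notcorp.example"],
        "carved-out": ["api.payments.corp.example"],
        "mixed": ["mail.corp.example", "mail.other.example"],
    }
    return {k: violations(v, PERMITTED, EXCLUDED) for k, v in leaves.items()}

if __name__ == "__main__":
    for leaf, bad in demo().items():
        print(leaf, "OK" if not bad else bad)
```

A single out-of-scope name, as in the "mixed" leaf, is enough to reject the whole certificate, which is what keeps a compromised intermediate key from vouching for hosts outside its domain.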
