There was one site I work with a bit that I remembered used Thawte  
certificates so I connected to see what it does. Does not look like it  
uses SAN.

FluffyMac30-2.local:tmp 69% openssl s_client -connect mail.google.com:443 -showcerts > & foo.pem
^C
FluffyMac30-2.local:tmp 70% openssl x509 -in foo.pem -text -noout
Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
             78:62:5d:1b:e6:6e:2e:b0:19:80:fc:0f:e3:da:98:51
         Signature Algorithm: sha1WithRSAEncryption
         Issuer: C=ZA, O=Thawte Consulting (Pty) Ltd., CN=Thawte SGC CA
         Validity
             Not Before: May  3 15:34:58 2007 GMT
             Not After : May 15 17:24:01 2008 GMT
         Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=mail.google.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
             RSA Public Key: (1024 bit)
                 Modulus (1024 bit):
                     00:c9:d4:b9:d2:d4:84:7b:f7:72:9c:b4:03:8e:ca:
                     df:ca:0e:60:af:42:78:7f:77:50:cc:c7:d5:00:3f:
                     15:8c:30:85:1a:dc:12:44:23:c1:2a:dd:74:da:85:
                     44:b0:49:32:ff:8a:58:a1:5b:31:b4:f3:31:24:7a:
                     f5:54:02:24:9d:ba:70:a4:8e:83:de:61:86:e2:2c:
                     45:fe:98:f0:c4:5f:ca:75:8a:e2:77:ee:9f:cb:9b:
                     17:c2:1f:2d:f2:12:7e:bc:d3:5f:cf:e7:c3:c8:e6:
                     b4:bd:33:68:d3:52:09:95:ac:e9:43:73:a6:d9:0a:
                     d3:ce:6d:44:ed:8a:a1:e6:79
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Extended Key Usage:
                 TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto
             X509v3 CRL Distribution Points:
                 URI:http://crl.thawte.com/ThawteSGCCA.crl

             Authority Information Access:
                 OCSP - URI:http://ocsp.thawte.com
                 CA Issuers - URI:http://www.thawte.com/repository/Thawte_SGC_CA.crt

             X509v3 Basic Constraints: critical
                 CA:FALSE
     Signature Algorithm: sha1WithRSAEncryption
         d4:9a:d2:a2:50:81:09:d7:5e:99:52:05:fc:5c:e1:1a:c3:75:
         79:31:40:d0:9c:20:cc:bf:83:e2:ee:b9:51:af:8f:7a:ac:cc:
         9e:b1:b4:f3:ea:d0:3b:0c:e0:35:93:c8:ea:57:7a:23:15:42:
         43:61:a4:0d:4f:15:51:19:37:d2:f5:36:e9:6b:9c:07:e2:26:
         4b:ea:42:dc:43:52:4a:69:62:07:a5:35:09:27:2e:d9:02:f8:
         03:5a:75:b0:67:73:f9:b3:9e:a2:f7:70:d9:70:0e:ad:06:0c:
         30:25:d3:d2:12:59:fb:e6:d3:52:1a:e2:8f:1a:a4:69:27:51:
         78:f5
FluffyMac30-2.local:tmp 71%

I poked a few other sites to see what they do
verisign.com
www.thawte.com
www.entrust.com
www.geotrust.com
www.comodo.com/
cisco.com
microsoft.com
nist.gov
nsa.gov

They all had one thing in common - no SAN. I realize this has nothing  
to do with if one could get a certificate with SAN or not - only a  
sample (not random) of what people who hopefully know about  
certificates are doing.

The funniest thing I found was that https://www.whitehouse.gov/ and
https://www.gov.cn/ were both signed with the *same* certificate.
Seriously, I could not make this up if I tried. (For me, both were
served by a248.e.akamai.net.) Again no SAN.

So this is a pretty ad hoc selection but my point is simple - if these
people are not using certificates with SAN, how long do we expect
before most of the certificates people are using for their web servers
use SAN? Our goal with SIP has for a long time been that it is
possible to use the same certificate you already have for your web
server and just use it to secure SIP.

One site I know of that does have SAN is cacert.org but I suspect that
is only because I worked with them to get that working. It also
seems that digicert.com can provide a certificate with at least a SAN
name of DNS type but less clear if they can add a URI. The only
other site I found in my limited poking that had a SAN was godaddy.com
- once again proving they are the CA with the best names.

Exchange Server 2007 can take advantage of SAN and I expect to see
more people using them because of this. Previously some CAs had
offered SAN in certificates called Microsoft Small Business Server
certificates but last time I tried these (long ago) I could not get
one that worked with a SIP URI.

Some old market share data is at 
http://news.netcraft.com/archives/2003/04/09/netcraft_ssl_survey.html

A few years back, I got the market share data of major CAs, went down  
the top four and tried to get them to sign a CSR with SIP URI in the  
SAN. I failed to get anything that worked. One of the CAs worked with  
me to try and resolve this and we got a test cert signed but they were  
unwilling to offer it as a service due to the small size of the  
market. Ideally someone (not me) would try this again and see if the  
stuff Microsoft has been doing has made it easier to get certs with  
SAN now than it was then.

Another nice test would be to randomly choose some domain names and
look at their https certificate and see if it is using SAN to get an idea
of what the current deployment is like.

Cullen <with my individual contributor hat on>



On Mar 26, 2008, at 12:52 PM, Vijay K. Gurbani wrote:
> Eric Rescorla wrote:
>> So, I have no brief for one design or the other, but I think
>> we can agree that it's imperative that this work with certs
>> from commodity CAs. Has someone published a survey of which
>> CAs will give you SAN?
>
> Ekr: I don't know of a survey, but anecdotally speaking, at least
> Thawte does.  I have a freebie certificate from Thawte for
> email signing.  It has a couple of my identities in SAN:
>
> [osiris:/u/vkg]$ x509 -noout -in vkg-Thawte-SAN.pem -text
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             15:8d:ec:ff:b9:06:bf:76:49:7b:29:d6:e5:df:61:b8
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=ZA, O=Thawte Consulting (Pty) Ltd., CN=Thawte
> Personal Freemail Issuing CA
> ...
>        X509v3 extensions:
>             X509v3 Subject Alternative Name:
>                 email:[EMAIL PROTECTED], email:[EMAIL PROTECTED]
>             X509v3 Basic Constraints: critical
>                 CA:FALSE
>
> Thanks,
>
> - vijay
> -- 
> Vijay K. Gurbani, Bell Laboratories, Alcatel-Lucent
> 2701 Lucent Lane, Rm. 9F-546, Lisle, Illinois 60532 (USA)
> Email: [EMAIL PROTECTED],bell-labs.com,acm.org}
> WWW:   http://www.alcatel-lucent.com/bell-labs
> _______________________________________________
> Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
> This list is for NEW development of the core SIP Protocol
> Use [EMAIL PROTECTED] for questions on current sip
> Use [EMAIL PROTECTED] for new developments on the application of sip
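
Added example (not part of the original message or the quoted reply): one way to run the kind of survey suggested above is to save each site's `openssl x509 -text -noout` output and scan it for a SAN extension, separating DNS names from SIP URIs. The host names and certificate excerpts are constructed, and `san_entries` and `survey` are hypothetical helper names.

```python
import re

# Constructed `openssl x509 -text -noout` excerpts, not real certificates.
NO_SAN = """\
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
"""
WITH_SAN = """\
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:sip.example.com, URI:sip:example.com
            X509v3 Basic Constraints: critical
                CA:FALSE
"""
SAN_HEADER = re.compile(r"^\s*X509v3 Subject Alternative Name:(\s*critical)?\s*$")


def san_entries(text):
    """Return [(type, value), ...] from the SAN extension, or [] if absent."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if not SAN_HEADER.match(line):
            continue
        header_indent = len(line) - len(line.lstrip())
        body = []
        for nxt in lines[i + 1:]:
            # The extension body is indented deeper than its header line.
            if not nxt.strip() or len(nxt) - len(nxt.lstrip()) <= header_indent:
                break
            body.append(nxt.strip())
        # Simplification: assumes no value contains ", " (true for DNS/URI/email).
        items = ", ".join(body).split(", ")
        return [tuple(item.split(":", 1)) for item in items if ":" in item]
    return []


def survey(certs):
    """Map host -> SAN summary, separating DNS names from SIP/SIPS URIs."""
    report = {}
    for host, text in certs.items():
        entries = san_entries(text)
        report[host] = {
            "has_san": bool(entries),
            "dns": [v for k, v in entries if k == "DNS"],
            "sip_uris": [v for k, v in entries
                         if k == "URI" and v.lower().startswith(("sip:", "sips:"))],
        }
    return report
```

The parser expects unwrapped `openssl` output; text that a mail client has re-wrapped, like the dump quoted in this message, needs its continuation lines rejoined first.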
