[caops-wg] GFD 125 CN for network entities

Reimer Karlsen-Masur, DFN-CERT karlsen-masur at dfn-cert.de
Fri Jun 26 02:27:08 CDT 2009


Hi,

Doug Olson wrote on 26.06.2009 01:58:
> On 6/25/2009 4:34 PM, Mike Helm wrote:
>> Doug Olson writes:
>>>> The only network entity that ssl/tls can really distinguish is the host itself,
>>>> not the applications running on it.  Even that is not quite the right way
>>> The SSL layer is using whatever server certificate the application presents.
>>> Different applications should use different certificates.
>> There's no problem with that that I know of.
>> SSL/TLS and the Grid gssapi variant have certain issues that have to
>> be addressed, that's all.
> The problem comes from having a recommendation that the CN is only the FQDN
> but also having several different server certificates issued for
> different applications
> (with different people responsible) all with the same subjectname.

The CN might be identical, but how about looking at the full sDN, i.e. putting
in the proper OUs, or using Grid-service-specific DNS aliases for the same
machine, or multiple IP# on the same machine, to distinguish the
services/certificates if it can't be done by OUs.

-- 
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: <https://www.pki.dfn.de/faqpki>
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team),   Phone   +49 40 808077-615

DFN-CERT Services GmbH, https://www.dfn-cert.de,  Phone  +49 40 808077-580
Sitz / Register: Hamburg, AG Hamburg, HRB 88805,  Ust-IdNr.:  DE 232129737
Sachsenstr. 5,   20097 Hamburg/Germany,   CEO: Dr. Klaus-Peter Kossakowski
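As an added illustration (not part of this thread or of GFD 125), the following script shows the uniqueness check a CA operator might run at issuance time: with several service certificates for one machine, comparing subject names by CN alone reports a collision, while comparing the full subject DN (with a service OU) or checking a service-specific DNS alias in the SAN tells them apart. Host names, service names and DN values are constructed samples.

```python
"""Subject-name uniqueness check for service certificates on one host.

Added example, not from the mailing-list thread: all host, service and
organisation names below are constructed samples.
"""
from collections import defaultdict


def parse_dn(dn: str) -> tuple:
    """Parse an RFC 4514 string DN into an ordered tuple of (type, value)
    pairs. Handles backslash-escaped commas inside values; attribute
    types are normalised to upper case (they are case-insensitive)."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        attr, _, val = rdn.strip().partition("=")
        pairs.append((attr.strip().upper(), val.strip()))
    return tuple(pairs)


def cn_of(dn: str) -> str:
    """Return the CN value of a string DN."""
    return next(v for k, v in parse_dn(dn) if k == "CN")


def find_collisions(certs, key) -> dict:
    """Group issued certs by key(cert); return keys shared by >1 cert."""
    groups = defaultdict(list)
    for c in certs:
        groups[key(c)].append(c["service"])
    return {k: v for k, v in groups.items() if len(v) > 1}


# Constructed sample: three services on one machine, each with its own
# certificate, the same CN (the FQDN) but a service-specific OU and alias.
ISSUED = [
    {"service": "gridftp",
     "subject": "CN=node1.example.org,OU=GridFTP,O=Example Org,C=DE",
     "san": ["node1.example.org", "gridftp.example.org"]},
    {"service": "gram",
     "subject": "CN=node1.example.org,OU=GRAM,O=Example Org,C=DE",
     "san": ["node1.example.org", "gram.example.org"]},
    {"service": "https",
     "subject": "CN=node1.example.org,OU=Web,O=Example Org,C=DE",
     "san": ["node1.example.org", "www.example.org"]},
]


def collisions_by_cn() -> dict:
    """CN-only comparison: every service certificate collides."""
    return find_collisions(ISSUED, lambda c: cn_of(c["subject"]))


def collisions_by_full_dn() -> dict:
    """Full-DN comparison: the service OU keeps the subjects distinct."""
    return find_collisions(ISSUED, lambda c: parse_dn(c["subject"]))


def serves_alias(cert: dict, alias: str) -> bool:
    """True if the service-specific DNS alias is in the cert's SAN list."""
    return alias in cert["san"]


if __name__ == "__main__":
    print("CN-only collisions :", collisions_by_cn())
    print("full-DN collisions :", collisions_by_full_dn())
```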