[ietf79-tech] cert requests
Warren Kumari
warren at kumari.net
Wed Oct 6 07:59:38 PDT 2010
On Oct 6, 2010, at 6:48 AM, Joel Jaeggli wrote:
> On 10/4/10 9:02 PM, Chris Elliott wrote:
>> Russ,
>>
>> Is a wildcard cert a possibility? We need two additional certs--we have
>> one for the portal box, we need one for the Radius server and one more
>> for the Wiki/Trac web server. Other needs are likely to come up as new
>> services are enabled. So, a wildcard cert would be easier in the long term.
>>
>> If not, I'll put in a request for two additional certs.
>
> I'm really tired of the jailhouse lawyering over cert requests.
>
> perhaps it's because they're "free" that we do this each time now.
>
> we should request for each host that we need, being mindful of the
> minimum number we can get away-with.
I suspect that I am missing some background / politics here, and so I'll just carry on bumbling around like a bull in a china shop...
It seems like we are reasonably, but not 100% sure of what all certs we need -- getting the few individual certs that we need AND a wildcard seems like it makes sense...
I may just be paranoid, but unless we are completely sure that radius (and all the clients) will work with a wildcard, using one for RADIUS seems dangerous -- of course, we do have cert folk here who probably *know* if this is a legitimate concern...
Of course, what would be even better is if we can fully enumerate all of the certs that we need, and, if on the day it turns out that we missed one, have the ability to poke someone and get the missing one issued in an emergency...
>
> if we can't bound by that stricture we should just generate our own ca
> and live with the accompanying mess that entails.
While that sounds like it would be wicked cool, and I would love to be involved in running the official IETF CA, I suspect that the mess / pain would be staggeringly large...
of course, again, I have no background and have prolly annoyed random folk who do :-p
>
>> Thanks!
>> Chris.
>>
>> On Tue, Sep 14, 2010 at 5:38 PM, Russ Housley <housley at vigilsec.com> wrote:
>>
>> Verisign will not give us a CA cert for free. We need to request each
>> of the SSL certs we need.
>>
>> Russ
>>
>> On 9/14/2010 1:21 PM, Chris Elliott wrote:
>>> Randy and folks,
>>>
>>> Do we want to get individual certs for the portals and the radius
>> servers and maybe other uses or do we want to request a CA cert? We
>> have time this time around.
>>>
>>> Randy, you have the resources and tools to administer a CA for the
>> IETF, right?
>>>
>>> Chris.
>>>
>>> P.S. chelliot has one "t", while my last name has two. I like
>> hanging on to the last vestiges of the 8-character username
>> requirements...
>>>
>>>
>>> --
>>> Chris Elliott
>>> CCIE # 2013
>>>
>>>
>>> On Sep 14, 2010, at 12:55 PM, Randy Bush <randy at psg.com> wrote:
>>>
>>>> russ suggests that we have verisign certs this year. chelliott,
>> could
>>>> you please give him the cert requests?
>>>>
>>>> randy
>>>> _______________________________________________
>>>> ietf79-tech mailing list
>>>> ietf79-tech at daedelus.com
>>>> http://www.daedelus.com/mailman/listinfo/ietf79-tech
>>>
>>
>>
>>
>>
>> --
>> Chris Elliott
>> chelliot at pobox.com
>>
>>
>>
>
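Added example, not part of the thread or any IETF NOC tooling: the question of whether one wildcard cert can cover the portal, RADIUS and wiki hosts comes down to the wildcard matching rules TLS clients apply (RFC 6125 section 6.4.3), where `*` stands for exactly one left-most label. The domain and hostnames below are constructed for illustration.

```python
# Added example: RFC 6125-style wildcard matching, to check which hostnames
# a single "*.example.net" certificate name would cover. The domain, host
# names and certificate names here are constructed, not from the thread.

def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if certificate name `pattern` covers `hostname`.

    Rules as commonly enforced by TLS clients:
    - comparison is case-insensitive (trailing dots ignored);
    - '*' is only accepted as the entire left-most label;
    - it matches exactly one label, never zero and never several;
    - at least two fixed labels must follow it, so "*.net" is refused.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False  # partial ("r*.example.net") or nested wildcards rejected
    if len(p_labels) < 3:
        return False  # wildcard directly under a TLD is too broad
    if len(h_labels) != len(p_labels):
        return False  # wildcard covers one label only, never zero or more
    return h_labels[1:] == p_labels[1:]


def covered_by(cert_names, hostname: str) -> bool:
    """True if any name in the certificate (CN or SAN list) covers hostname."""
    return any(wildcard_matches(n, hostname) for n in cert_names)


def coverage_report(cert_names, hosts):
    """Map each planned hostname to whether the given cert names cover it."""
    return {h: covered_by(cert_names, h) for h in hosts}


def demo():
    # Constructed inventory mirroring the services named in the thread.
    cert_names = ["*.example.net"]
    hosts = ["portal.example.net", "radius.example.net", "wiki.example.net",
             "example.net", "radius.sub.example.net"]
    return coverage_report(cert_names, hosts)
```

The report shows the two cases a wildcard silently misses: the bare domain and any host one label deeper. Whether an EAP supplicant applies these hostname rules to a RADIUS server's certificate at all depends on the supplicant (many instead compare against a configured server name), which is the uncertainty the message above raises.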