Re: Buy official *.gnome.org SSL certificate?



On Sun, May 13, 2007 at 11:47:07AM +0200, Christian Rose wrote:
> On 5/12/07, Olav Vitters <olav bkor dhs org> wrote:
> > For Bugzilla I want to move to using SSL for logged in users. Mango
> > already uses SSL, however, this doesn't make sense unless the
> > certificate can be trusted.
> >
> > I propose the GNOME foundation buys a *.gnome.org SSL certificate. Such
> > a wildcard certificate should be reusable for Mango and Bugzilla.
> >
> > Two questions:
> > - Do you agree?
> > - Was an SSL certificate restricted to an IP address? Hopefully not, as
> >   the above services run on different machines.
> 
> IIRC, wildcard SSL certificates (*.gnome.org) can only be used on a
> single machine, i.e. in use with virtualhosts on a single machine.

Hmm.. weird.

> Furthermore, if I remember correctly, Owen raised an objection when
> this was discussed in the past. The private certificate needs to be
> stored in a secure fashion, and only a selected few should have access

Yeah, that would be a problem.

> to it. However, window can be accessed by almost all module
> maintainers, so perhaps it's not the most appropriate machine for
> this.

I'd actually aim for button (very few) and box (more than you want), not
window.

> However, in principle, I think using real certificates is an excellent
> idea, for all the obvious reasons. And the problems could probably be
> solved.

There are supposed to be SSL speedup machines. Meaning, some machine
that is placed in front of the real machine and it handles the whole
SSL part. Maybe that is an idea? Perhaps something like that could be
done ourselves (button handles SSL, forwards it via backchannel to box
for Bugzilla)?

-- 
Regards,
Olav


