Hi, Doug Olson wrote on 26.06.2009 01:58:
On 6/25/2009 4:34 PM, Mike Helm wrote:
Doug Olson writes:
The only network entity that ssl/tls can really distinguish is the host itself, not the applications running on it. Even that is not quite the right way
The SSL layer is using whatever server certificate the application presents. Different applications should use different certificates.
There's no problem with that that I know of. SSL/TLS and the Grid GSSAPI variant have certain issues that have to be addressed, that's all.
The problem comes from having a recommendation that the CN is only the FQDN but also having several different server certificates issued for different applications (with different people responsible) all with the same subject name.
The CN might be identical, but how about looking at the full subject DN, i.e. putting in the proper OUs, or using Grid-service-specific DNS aliases for the same machine, or multiple IP# on the same machine, to distinguish the services/certificates if it can't be done by OUs.

--
Beste Gruesse / Kind Regards
Reimer Karlsen-Masur

DFN-PKI FAQ: <https://www.pki.dfn.de/faqpki>

--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-580
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Sachsenstr. 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
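The thread's point is that two server certificates for different services (and different responsible people) become indistinguishable when the CN is only the FQDN and nothing else in the subject DN differs, and that distinct OUs or service-specific DNS aliases restore the distinction. The following added example (written for this thread, not code from the list participants or the DFN-PKI) runs a subject-name collision check over a small constructed certificate inventory: it parses RFC 4514 string DNs (including escaped commas), then groups certificates first by CN only and then by the full subject DN, flagging any group whose certificates belong to more than one owner. The inventory, serial numbers, owner labels and host names are constructed for illustration.

```python
"""Find server certificates whose subject names collide across different owners.

Added example for the subject-name discussion above; the inventory below is
constructed sample data, not real issued certificates.
"""
from collections import defaultdict


def parse_dn(dn):
    """Parse an RFC 4514 string DN into [(ATTR, value), ...].

    Handles backslash-escaped characters so a ',' inside a value (e.g.
    'O=Foo\\, Inc') is not treated as an RDN separator.
    """
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    parsed = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        parsed.append((attr.strip().upper(), value.strip()))
    return parsed


def cn_of(dn):
    """Return the CN value of a DN, or None if there is no CN."""
    return next((v for a, v in parse_dn(dn) if a == "CN"), None)


def normalize_dn(dn):
    """Canonical string form: attribute types upper-cased, commas in values re-escaped."""
    return ",".join(f"{a}={v.replace(',', chr(92) + ',')}" for a, v in parse_dn(dn))


def find_collisions(certs, key):
    """Group certificate records by key(cert).

    Returns {key: sorted serials} for every group that contains certificates
    belonging to more than one owner, i.e. names that do not identify a
    single responsible party.
    """
    groups = defaultdict(list)
    for cert in certs:
        groups[key(cert)].append(cert)
    return {
        k: sorted(c["serial"] for c in members)
        for k, members in groups.items()
        if len({c["owner"] for c in members}) > 1
    }


# Constructed inventory: one host, several services, several responsible teams.
INVENTORY = [
    # Two services on the same host with the CN-only recommendation: identical subject DN.
    {"serial": 1001, "owner": "storage-team",
     "subject": "CN=grid01.example.org,O=Example Org,C=DE"},
    {"serial": 1002, "owner": "compute-team",
     "subject": "CN=grid01.example.org,O=Example Org,C=DE"},
    # Same CN, but the OU identifies the service, so the full DN differs.
    {"serial": 1003, "owner": "storage-team",
     "subject": "CN=grid01.example.org,OU=Storage,O=Example Org,C=DE"},
    {"serial": 1004, "owner": "compute-team",
     "subject": "CN=grid01.example.org,OU=Compute,O=Example Org,C=DE"},
    # Service-specific DNS alias for the same machine: distinct even on CN alone.
    {"serial": 1005, "owner": "storage-team",
     "subject": "CN=srm.grid01.example.org,O=Example Org,C=DE"},
]


def collisions_by_cn(certs=INVENTORY):
    """Collisions when only the CN (the FQDN) is used to tell certificates apart."""
    return find_collisions(certs, lambda c: cn_of(c["subject"]))


def collisions_by_full_dn(certs=INVENTORY):
    """Collisions when the full subject DN (including OUs) is compared."""
    return find_collisions(certs, lambda c: normalize_dn(c["subject"]))


if __name__ == "__main__":
    print("CN only      :", collisions_by_cn())
    print("Full subject :", collisions_by_full_dn())
```

Keyed by CN alone, every certificate for `grid01.example.org` falls into one multi-owner group; keyed by the full subject DN, only the two certificates that share the bare `CN=FQDN,O=...,C=...` name remain ambiguous, which is exactly the case the thread describes. The same check can be run against a real inventory exported from a CA or from a TLS scan, provided the subject strings are in RFC 4514 form.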