
Thread: What certs would one get

  1. #81

    Join Date
    May 30, 2011
    Location
    asleep
    Posts
    5,506
    Quote Originally Posted by elmicker View Post
    If you're using wildcard certs and the cert is compromised your entire domain is compromised. You lose the ability to authenticate the host. Yes you still get strong encryption and protection against MITM etc. but you're using incredibly coarse-grained authentication. It shouldn't be an administrative burden to manage certs. It's the same four or five commands every time to generate a CSR, get it signed and put the file in the right place. It's exactly the kind of thing that should be automated (though I understand plenty of CAs are not amenable to this).

    The more security conscious places I've worked take this to its logical extreme and also split the certs into one for client activities and one for server activities (i.e. you've now got two where you used to have one) to absolutely minimise the level of damage if a cert is compromised. They also tend to rotate them monthly or so, which is a barrel of laughs when you're trying to integrate fucking terrible old-school enterprise software that does nothing properly.

    If you want the formal view: https://tools.ietf.org/html/rfc6125#section-7.2
    Fair enough. I'll look into updating the policy and speaking with our cert provider about buying packs of individual certs rather than the *.

    Do you know how the average provider feels about replacing for free a cert when a new DNS name comes online? In the past I've always ended up being charged for that and in the environment I'm in, that cost often becomes a sticking point.

    +reps for useful infos.
    Please don't teach me what to do with my pc.
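Worked example of the "coarse-grained authentication" point above (added here; not code from the thread or from any poster): the RFC 6125 section 6.4.3 rules for matching a presented identifier against a reference identifier, in the strict form most current clients apply (the wildcard must be the whole left-most label and matches exactly one label). Host names are illustrative; the public-suffix check (refusing e.g. `*.ac.uk`) needs the Public Suffix List and is only approximated here by a minimum label count, which is an assumption of this example.

```python
"""RFC 6125 section 6.4.3 style wildcard matching, strict variant.

Added example, not from the thread. Shows how much a single wildcard SAN
authenticates compared with per-host SANs. Host names are made up.
"""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Does a certificate name `pattern` authenticate `hostname`?

    Rules applied (RFC 6125 6.4.3, strict reading):
      - comparison is case-insensitive and ignores a trailing dot;
      - '*' is only allowed as the entire left-most label;
      - '*' matches exactly one label, never zero and never several;
      - a pattern with fewer than three labels (e.g. '*.uk') is refused
        as an approximation of the public-suffix check (assumption).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or "*" in pattern[2:]:
        return False  # partial-label or non-leftmost wildcards are rejected
    if len(plabels) < 3:
        return False  # '*' or '*.tld' would cover everyone; refuse
    if len(hlabels) != len(plabels) or hlabels[0] == "":
        return False  # '*' must consume exactly one non-empty label
    return hlabels[1:] == plabels[1:]


def covered_by(san_list, hostnames):
    """Which of `hostnames` would a cert carrying `san_list` authenticate?"""
    return [h for h in hostnames
            if any(hostname_matches(san, h) for san in san_list)]


if __name__ == "__main__":
    # Constructed host list: the services you meant to cover, the apex, and
    # a host you never intended to exist. One wildcard covers the last one too.
    hosts = ["portal.mydomain.ac.uk", "mail.mydomain.ac.uk",
             "mydomain.ac.uk", "rogue.mydomain.ac.uk", "deep.portal.mydomain.ac.uk"]
    print("wildcard :", covered_by(["*.mydomain.ac.uk"], hosts))
    print("per-host :", covered_by(["portal.mydomain.ac.uk", "mail.mydomain.ac.uk"], hosts))
```

The wildcard line authenticates `rogue.mydomain.ac.uk` as readily as `portal.mydomain.ac.uk`, which is the blast radius the quoted post is talking about; the per-host list does not, and neither form covers the apex or a deeper name.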

  2. #82

    Join Date
    April 14, 2011
    Posts
    4,500
    I'll admit that my perspective on this is almost entirely focused on internal services, where you are usually your own CA and control the entire lifecycle. Using a wildcard cert to avoid having to interact with verisign quite as much as you would otherwise have to might make perfect sense.
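For the internal-CA case just described, here is the "same four or five commands" scripted end to end (an added example, not code from the thread or any poster): stand up a CA, then for each service generate a key, build a CSR, sign it with explicit per-host SANs, and verify the chain. It drives the `openssl` CLI via subprocess and assumes an OpenSSL 1.1.1+ or 3.x binary on PATH; the CA name and the service host names are placeholders.

```python
#!/usr/bin/env python3
"""Script the 'same four or five commands' for an internal CA.

Added example, not from the thread. Drives the openssl CLI through
subprocess; assumes an `openssl` binary (1.1.1+ or 3.x) on PATH. The CA
name and service host names below are placeholders.
"""
import os
import shutil
import subprocess
import tempfile

OPENSSL = shutil.which("openssl")

# Minimal openssl config: no prompts, explicit extension sections so the
# result does not depend on whatever the system openssl.cnf says.
CONFIG_BASE = """\
[req]
distinguished_name = dn
prompt = no
[dn]
CN = {cn}
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
"""
LEAF_EXT = """\
[leaf_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = {san}
"""


def _run(*args):
    """Run one openssl subcommand; a non-zero exit raises with stderr attached."""
    proc = subprocess.run([OPENSSL, *args], capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(f"openssl {args[0]} failed: {proc.stderr.strip()}")
    return proc.stdout


def _write_cfg(workdir, name, cn, san=None):
    """Write a per-certificate config; leaf_ext only when SANs are given."""
    body = CONFIG_BASE.format(cn=cn)
    if san:
        body += LEAF_EXT.format(san=san)
    path = os.path.join(workdir, name)
    with open(path, "w") as fh:
        fh.write(body)
    return path


def make_ca(workdir, cn="Example Internal CA"):
    """Commands 1 and 2: CA key plus a self-signed CA certificate."""
    cfg = _write_cfg(workdir, "ca.cnf", cn)
    ca_key = os.path.join(workdir, "ca.key")
    ca_crt = os.path.join(workdir, "ca.crt")
    _run("genrsa", "-out", ca_key, "2048")
    _run("req", "-x509", "-new", "-key", ca_key, "-out", ca_crt,
         "-days", "3650", "-config", cfg, "-extensions", "ca_ext")
    return ca_crt, ca_key


def issue_host_cert(workdir, ca_crt, ca_key, hostnames, days=30):
    """Commands 3 to 5 for one service: key, CSR, sign with explicit SANs.

    hostnames[0] becomes the CN; every entry is listed as a DNS SAN, so the
    certificate authenticates exactly those names and nothing else.
    """
    primary = hostnames[0]
    san = ",".join("DNS:" + h for h in hostnames)
    cfg = _write_cfg(workdir, primary + ".cnf", primary, san)
    key, csr, crt = (os.path.join(workdir, primary + ext)
                     for ext in (".key", ".csr", ".crt"))
    _run("genrsa", "-out", key, "2048")
    _run("req", "-new", "-key", key, "-out", csr, "-config", cfg)
    _run("x509", "-req", "-in", csr, "-CA", ca_crt, "-CAkey", ca_key,
         "-CAcreateserial", "-days", str(days), "-out", crt,
         "-extfile", cfg, "-extensions", "leaf_ext")
    # Command 6: prove the chain builds before the file goes near a server.
    _run("verify", "-CAfile", ca_crt, crt)
    return crt


def san_names(crt):
    """Parse the DNS SANs back out of an issued certificate."""
    names = []
    for line in _run("x509", "-in", crt, "-noout", "-text").splitlines():
        for part in line.split(","):
            part = part.strip()
            if part.startswith("DNS:"):
                names.append(part[4:])
    return names


def demo():
    """Throwaway CA plus one short-lived cert per placeholder service.

    Returns {cert file name: [SANs]}, or None when openssl is not installed.
    """
    if OPENSSL is None:
        return None
    workdir = tempfile.mkdtemp(prefix="internal-ca-")
    ca_crt, ca_key = make_ca(workdir)
    issued = {}
    for names in (["portal.example.ac.uk", "portal"], ["mail.example.ac.uk"]):
        crt = issue_host_cert(workdir, ca_crt, ca_key, names)
        issued[os.path.basename(crt)] = san_names(crt)
    return issued


if __name__ == "__main__":
    for name, sans in (demo() or {}).items():
        print(name, "->", ", ".join(sans))
```

The 30-day default lifetime is deliberate: once issuance is one function call, rotating monthly (as the earlier post describes) is a cron entry rather than a ticket, and the per-service SAN list keeps a leaked key from authenticating anything but the host it was issued for.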

  3. #83

    Join Date
    May 30, 2011
    Location
    asleep
    Posts
    5,506
    That's where we are. Adding new services to Exchange endpoints, or spinning up a new student services portal and having to shell out a few hundred quid is annoying, and free cert providers are probably going to implode soon thanks to automated malware, so yeah. *.mydomain.ac.uk really helps.
    Please don't teach me what to do with my pc.

  4. #84
    erichkknaar (Donor)
    Join Date
    April 10, 2011
    Posts
    5,825
    Quote Originally Posted by elmicker View Post
    It's not the CA being compromised that's mitigated by this approach; if the CA goes then it doesn't matter how fine-grained your certs are as they're all compromised anyway. It limits the damage of people being stupid about their certs, leaving them on open fileshares, emailing them around etc. Also, frankly, having that level of technical complexity in their deployment forces you to manage them in a hands-off automated fashion; ends up saving money in the long run. No more having A Cert Guy on your helpdesk who spends all day signing CSRs and telling people how keytool works.
    Oh, I agree whole-heartedly with this. It informs almost everything I do day to day, not just security. Automate ruthlessly.

    Quote Originally Posted by elmicker View Post
    I'll admit that my perspective on this is almost entirely focused on internal services, where you are usually your own CA and control the entire lifecycle. Using a wildcard cert to avoid having to interact with verisign quite as much as you would otherwise have to might make perfect sense.
    Yeah, that's the exact reason we use them. Still at branch level rather than the whole tree, but still.
    meh

  5. #85

    Join Date
    April 14, 2011
    Posts
    4,500
    Speaking as a lowly backend dweeb, is there a good reason not to just script the shit out of letsencrypt and use that for everything at whatever level of granularity you want?

  6. #86
    erichkknaar (Donor)
    Join Date
    April 10, 2011
    Posts
    5,825
    Quote Originally Posted by elmicker View Post
    Speaking as a lowly backend dweeb, is there a good reason not to just script the shit out of letsencrypt and use that for everything at whatever level of granularity you want?
    That oh, so important green tick in the browser window.
    meh
