
Thread: What certs would one get

  1. #81

    Join Date
    May 30, 2011
    Location
    asleep
    Posts
    5,622
    Quote Originally Posted by elmicker View Post
    If you're using wildcard certs and the cert is compromised your entire domain is compromised. You lose the ability to authenticate the host. Yes you still get strong encryption and protection against MITM etc. but you're using incredibly coarse-grained authentication. It shouldn't be an administrative burden to manage certs. It's the same four or five commands every time to generate a CSR, get it signed and put the file in the right place. It's exactly the kind of thing that should be automated (though I understand plenty of CAs are not amenable to this).

    The more security conscious places I've worked take this to its logical extreme and also split the certs into one for client activities and one for server activities (i.e. you've now got two where you used to have one) to absolutely minimise the level of damage if a cert is compromised. They also tend to rotate them monthly or so, which is a barrel of laughs when you're trying to integrate fucking terrible old-school enterprise software that does nothing properly.

    If you want the formal view: https://tools.ietf.org/html/rfc6125#section-7.2
    Fair enough. I'll look into updating the policy and speaking with our cert provider about buying packs of individual certs rather than the *.

    Do you know how the average provider feels about replacing for free a cert when a new DNS name comes online? In the past I've always ended up being charged for that, and in the environment I'm in, that cost often becomes a sticking point.

    +reps for useful info.
    Please don't teach me what to do with my pc.
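The point elmicker makes above, that a wildcard cert gives you "incredibly coarse-grained authentication", is easiest to see by checking which hostnames a given dNSName in a certificate actually matches. The following is an added example (not code from the thread) that implements the RFC 6125 section 6.4.3 matching rules in their strict form and then computes the set of hosts from a small constructed inventory that a leaked key for a given cert could impersonate. `INVENTORY` and the `*.mydomain.ac.uk` names are constructed sample values; `blast_radius` is a name chosen here, not a library API.

```python
"""RFC 6125-style dNSName matching and a wildcard "blast radius" check.

Added example, not part of the original thread. Pure standard library, so it
runs offline. Hostnames below are constructed sample data.
"""


def _split_labels(name: str) -> list[str]:
    # DNS comparison is case-insensitive; a trailing dot is an FQDN marker, not a label.
    return name.lower().rstrip(".").split(".")


def dnsname_matches(presented: str, reference: str) -> bool:
    """Return True if a certificate's presented dNSName matches the reference host.

    Strict reading of RFC 6125 section 6.4.3 (the behaviour most modern TLS
    stacks implement):
      - '*' may only be the whole left-most label (no 'f*o.example.com');
      - it matches exactly one label, never zero and never several;
      - at least two labels must follow the wildcard, so '*.uk' is refused
        (public-suffix checks such as '*.co.uk' need a suffix list and are
        out of scope here);
      - anything without a wildcard is an exact, case-insensitive comparison.
    """
    p_labels = _split_labels(presented)
    r_labels = _split_labels(reference)
    if "*" not in presented:
        return p_labels == r_labels
    # Wildcard must be the entire left-most label and appear nowhere else.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # Refuse wildcards that are too close to the TLD.
    if len(p_labels) < 3:
        return False
    # One label only: 'dev.portal.example' must not match '*.example'.
    if len(r_labels) != len(p_labels):
        return False
    return p_labels[1:] == r_labels[1:]


def blast_radius(san_dnsnames, inventory):
    """Hosts in `inventory` that a cert carrying `san_dnsnames` could be used to
    impersonate if its private key leaked (sorted for stable output)."""
    return sorted(
        host for host in inventory
        if any(dnsname_matches(name, host) for name in san_dnsnames)
    )


# Constructed inventory of hosts under the thread's example domain.
INVENTORY = [
    "www.mydomain.ac.uk",
    "mail.mydomain.ac.uk",
    "portal.mydomain.ac.uk",
    "intranet.mydomain.ac.uk",
    "dev.portal.mydomain.ac.uk",   # second-level name: outside a *.mydomain.ac.uk cert
    "mydomain.ac.uk",              # bare apex: also outside the wildcard
]


def main() -> None:
    wildcard = ["*.mydomain.ac.uk"]
    per_host = ["portal.mydomain.ac.uk"]
    print("wildcard cert impersonates:", blast_radius(wildcard, INVENTORY))
    print("per-host cert impersonates:", blast_radius(per_host, INVENTORY))


if __name__ == "__main__":
    main()
```

Run it and the wildcard cert covers every single-label host under the domain, while the per-host cert covers exactly one; that difference is the "damage if a cert is compromised" the post is weighing against the administrative cost of issuing one cert per host.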

  2. #82

    Join Date
    April 13, 2011
    Posts
    4,769
    I'll admit that my perspective on this is almost entirely focused on internal services, where you are usually your own CA and control the entire lifecycle. Using a wildcard cert to avoid having to interact with verisign quite as much as you would otherwise have to might make perfect sense.

  3. #83

    Join Date
    May 30, 2011
    Location
    asleep
    Posts
    5,622
    That's where we are. Adding new services to Exchange endpoints, or spinning up a new student services portal and having to shell out a few hundred quid is annoying, and free cert providers are probably going to implode soon thanks to automated malware, so yeah. *.mydomain.ac.uk really helps.
    Please don't teach me what to do with my pc.

  4. #84
    erichkknaar
    Join Date
    April 9, 2011
    Posts
    7,022
    Quote Originally Posted by elmicker View Post
    It's not the CA being compromised that's mitigated by this approach; if the CA goes then it doesn't matter how fine-grained your certs are as they're all compromised anyway. It limits the damage of people being stupid about their certs, leaving them on open fileshares, emailing them around etc. Also, frankly, having that level of technical complexity in their deployment forces you to manage them in a hands-off automated fashion; ends up saving money in the long run. No more having A Cert Guy on your helpdesk who spends all day signing CSRs and telling people how keytool works.
    Oh, I agree whole-heartedly with this. It informs almost everything I do day to day, not just security. Automate ruthlessly.

    Quote Originally Posted by elmicker View Post
    I'll admit that my perspective on this is almost entirely focused on internal services, where you are usually your own CA and control the entire lifecycle. Using a wildcard cert to avoid having to interact with verisign quite as much as you would otherwise have to might make perfect sense.
    Yeah, that's the exact reason we use them. Still at branch level rather than the whole tree, but still.
    meh

  5. #85

    Join Date
    April 13, 2011
    Posts
    4,769
    Speaking as a lowly backend dweeb, is there a good reason not to just script the shit out of letsencrypt and use that for everything at whatever level of granularity you want?

  6. #86
    erichkknaar
    Join Date
    April 9, 2011
    Posts
    7,022
    Quote Originally Posted by elmicker View Post
    Speaking as a lowly backend dweeb, is there a good reason not to just script the shit out of letsencrypt and use that for everything at whatever level of granularity you want?
    That oh, so important green tick in the browser window.
    meh

  7. #87
    56k Lagman
    Join Date
    May 5, 2011
    Location
    Vancouver, BC
    Posts
    3,710
    Well I got my first exam ref book. I can't afford to dive into too much stuff right now but I started studying for 70-740 yesterday, the real cost will more than likely come from the practice tests and not the actual MS exam

  8. #88
    helgur
    Join Date
    April 24, 2011
    Location
    Putting owls in your Moss
    Posts
    7,653
    Quote Originally Posted by elmicker View Post
    Speaking as a lowly backend dweeb, is there a good reason not to just script the shit out of letsencrypt and use that for everything at whatever level of granularity you want?
    I can't see any. I use it for everything, including my webshop

  9. #89
    erichkknaar
    Join Date
    April 9, 2011
    Posts
    7,022
    Quote Originally Posted by helgur View Post
    Quote Originally Posted by elmicker View Post
    Speaking as a lowly backend dweeb, is there a good reason not to just script the shit out of letsencrypt and use that for everything at whatever level of granularity you want?
    I can't see any. I use it for everything, including my webshop
    It's the double-verified "trusted" green tick instead of the normal "Secure" scam that the traditional CAs dreamed up. It does become important for marketing purposes. You only need that for your public presence though. Service instances talking to service instances use letsencrypt quite happily.
    meh

  10. #90

    Join Date
    May 31, 2011
    Posts
    2,890
    Yeah, those EV (Extended Valuation) certs are just for marketing's sake. Too bad the browser developers gave in and implemented special treatment for the EV certs.

  11. #91

    Join Date
    April 13, 2011
    Posts
    4,769
    Quote Originally Posted by erichkknaar View Post
    the traditional CAs
    Schadenfreude.

  12. #92
    erichkknaar
    Join Date
    April 9, 2011
    Posts
    7,022
    Quote Originally Posted by elmicker View Post
    Quote Originally Posted by erichkknaar View Post
    the traditional CAs
    Schadenfreude.
    lol
    meh

  13. #93
    56k Lagman
    Join Date
    May 5, 2011
    Location
    Vancouver, BC
    Posts
    3,710
    Is the combined LPIC-1/Linux+ cert garbage, or will it make people want me really bad? I'm not liking how tied down I feel studying MCSA; I'm thinking if/after I get it I'll do something with loonicks.
