httpd-dev mailing list archives

From Rob Stradling <rob.stradl...@comodo.com>
Subject Re: [PATCH 55593] Add "SSLServerInfoFile" directive
Date Tue, 15 Oct 2013 10:24:23 GMT
On 14/10/13 17:28, Kaspar Brand wrote:
> On 14.10.13 10:51, Rob Stradling wrote:
>> Kaspar, I don't think data from 2010 (or even data from today) should be
>> assumed to be a reliable indicator of future use of non-RSA certs on
>> public sites.
>
> "Past performance is not indicative of future performance", as they use
> to say in other industries, yes. Did the situation with Certicom's
> licensing terms for ECC cert issuance change recently?

Not that I know of.  But, with or without a licence from Certicom, it's 
gradually starting to happen.

Symantec are already issuing ECC certs [1].  Here's one for 
urs.microsoft.com:


>> AFAICT, interest (amongst the commercial CAs) in ECC certs continues to
>> grow.  Since a significant proportion (I estimate ~20%) of deployed
>> clients will accept RSA server certs but not ECC server certs, I think
>> that configuring both an ECC cert and an RSA cert on a single vhost may
>> yet become popular!
>
> I'm not saying we should no longer support multiple certs per vhost (in
> fact, with my PoC patch, you can send as many certs to OpenSSL if you
> increase SSL_AIDX_MAX - though OpenSSL currently can't really cope with
> it)... what I'm saying is that I don't see a need for an additional
> per-cert directive. To support the "current cert" concept of OpenSSL for
> the SSL_CTX calls, we just need to make sure that we're applying the
> OpenSSLConfCmd directives (ServerInfoFile etc.) at the proper place.
>
> Kaspar

Ah, I see.  Thanks for explaining.


[1] http://www.symantec.com/connect/blogs/introducing-algorithm-agility-ecc-and-dsa

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
