On Fri, Feb 16, 2001 at 12:28:06AM -0600, KJ & JC Salchow wrote:
> Because of this, I'd like to see someone use something like the F5 BIG-IP to
> really screw with Verisign. If you combine F5's SSL termination and their
> HTTP header parsing you could do the following:
>
> Instead of having www.mycom.com and service.mycom.com and sales.mycom.com,
> etc. do:
> www.mycom.com and www.mycom.com/service and www.mycom.com/sales.
Those aren't the normal cases in which people have problems.
It's when people have
www.vhost1.com www.vhost2.com www.vhost3.com
For that setup I still need 3 certs.
For your example above you can get a *.mycom.com cert (which costs more)
> The header parsing would allow all of those to operate on different
> servers - with different support, development, etc - but technically, they
> are all the same FQDN!!! I would love to see this! :-)
some places still want different hostnames for branding:
my.yahoo.com, secure.ebay.com, etc.
Not everyone wants to live under www
> Also, someone mentioned that Verisign could just say that since it was
> encrypted at one point . . . . . unfortunately for them, they wrote the
> agreement - so say in an F5 situation - it IS only one server with the
> certificate. They real question about this is what happens if you load
> balance SSL devices? Do you have to have a valid cert for EACH SSL device -
> for EACH FQDN? The way Verisigns agreement reads - YES.
Agreed. And that may not be an unreasonable request.
I mean think about it. You're paying 15-30K for a ssl accerlator box. Is
an additional $100 going to make that much difference? Hell they should
bundle or have a gift certificate (no pun intended) for a verisign cert
with each accelerator.
-Alex
This archive was generated by hypermail 2b30 : Fri Feb 16 2001 - 19:37:43 EST