[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: multiple server certificates

Quanah Gibson-Mount wrote:
--On Tuesday, April 29, 2008 2:57 PM -0700 Howard Chu<hyc@symas.com> wrote:
I'm also skeptical about the motivation for this discussion. If you have
separate certs from separate CAs, then you really have distinct security
domains so I don't understand why you need them to share databases. You
might as well just run separate slapds.

Multiple addresses from different domains on a given interface come to mind, where the database is particularly large, so you don't want to have multiple slapd's taking up the resources. That way each address could be secured via SSL, but access the same DB with a single slapd. Say, for example, x.google.org and y.google.com.

You can only have one listener per interface, so none of those considerations are relevant.

Again, if you're really serving multiple distinct security domains, then I don't see what data would be shared between them. It would be poor security practice to have them sharing anything.

This is the real question - why are you using server certs from different CAs? It seems Hallvard will have to answer that, since he posed the original question.

If it were just about mapping multiple DNS names to the same server, you wouldn't need to involve multiple CAs. You would just use a single cert, with multiple subjectAltNames. The use of different CAs means you have totally different administrative realms, different political authorities, and different policies. It is extremely unlikely that two different administrative bodies with different policies would jointly administer the same database.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/