The content of this blog is my personal opinion only. Although I am an employee - currently of Nvidia, in the past of other companies such as Iagination Technologies, MIPS, Intellectual Ventures, Intel, AMD, Motorola, and Gould - I reveal this only so that the reader may account for any possible bias I may have towards my employer's products. The statements I make here in no way represent my employer's position, nor am I authorized to speak on behalf of my employer. In fact, this posting may not even represent my personal opinion, since occasionally I play devil's advocate.

See http://docs.google.com/View?id=dcxddbtr_23cg5thdfj for photo credits.

Sunday, July 04, 2010

Certs and virtual hosts - multiple signatures

Messing around with webhosting setup on my vacation.

Wikpedia says (http://en.wikipedia.org/wiki/Server_Name_Indication):

Since 2005, CAcert has run experiments on different methods of using TLS on virtual servers.[4] Most of the experiments are unsatisfactory and impractical. For example, it is possible to use subjectAltName to contain multiple domains in a single certificate, but as this is one certificate, this means all the domains must be owned and controlled by one person, and the certificate has to be re-issued every time the list of domains changes.

While I understand the motivations for SNI, I think the above statement is an indication of bogosity - if not in the statement, then in the structure of a certificate and signatures.

What I want is


I.e. I want to be able to have multiple certifiers attached, post facto, to a certificate.

(as well as I want to be able to have the certifier statements and signatures stored separately)

Certifier statements and signatures are metadata.  Metadata can be both adjacent, as above, or non-adjacent.

There can be an integrity code on the certificate_carrier, signed by the certifiee.  since the certifiers have themselves signed, protecting the integrity, of the enclosed certifiee statement, this enables the certifiee to add more certifier statements over time.

I.e. the certifier certifies the certifiee statemnt, not the entire certificate carroer.  Although we could have tghat, too:  the certifier could say "I certify this only if Verisign has also certified it", etc.

No comments: