There was one site I work with a bit that I remembered used Thawte certificates so I connected to see what it does. Does not look like it uses SAN.
FluffyMac30-2.local:tmp 69% openssl s_client -connect mail.google.com:443 -showcerts > & foo.pem
^C
FluffyMac30-2.local:tmp 70% openssl x509 -in foo.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            78:62:5d:1b:e6:6e:2e:b0:19:80:fc:0f:e3:da:98:51
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=ZA, O=Thawte Consulting (Pty) Ltd., CN=Thawte SGC CA
        Validity
            Not Before: May  3 15:34:58 2007 GMT
            Not After : May 15 17:24:01 2008 GMT
        Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=mail.google.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c9:d4:b9:d2:d4:84:7b:f7:72:9c:b4:03:8e:ca:
                    df:ca:0e:60:af:42:78:7f:77:50:cc:c7:d5:00:3f:
                    15:8c:30:85:1a:dc:12:44:23:c1:2a:dd:74:da:85:
                    44:b0:49:32:ff:8a:58:a1:5b:31:b4:f3:31:24:7a:
                    f5:54:02:24:9d:ba:70:a4:8e:83:de:61:86:e2:2c:
                    45:fe:98:f0:c4:5f:ca:75:8a:e2:77:ee:9f:cb:9b:
                    17:c2:1f:2d:f2:12:7e:bc:d3:5f:cf:e7:c3:c8:e6:
                    b4:bd:33:68:d3:52:09:95:ac:e9:43:73:a6:d9:0a:
                    d3:ce:6d:44:ed:8a:a1:e6:79
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto
            X509v3 CRL Distribution Points:
                URI:http://crl.thawte.com/ThawteSGCCA.crl
            Authority Information Access:
                OCSP - URI:http://ocsp.thawte.com
                CA Issuers - URI:http://www.thawte.com/repository/Thawte_SGC_CA.crt
            X509v3 Basic Constraints: critical
                CA:FALSE
    Signature Algorithm: sha1WithRSAEncryption
        d4:9a:d2:a2:50:81:09:d7:5e:99:52:05:fc:5c:e1:1a:c3:75:
        79:31:40:d0:9c:20:cc:bf:83:e2:ee:b9:51:af:8f:7a:ac:cc:
        9e:b1:b4:f3:ea:d0:3b:0c:e0:35:93:c8:ea:57:7a:23:15:42:
        43:61:a4:0d:4f:15:51:19:37:d2:f5:36:e9:6b:9c:07:e2:26:
        4b:ea:42:dc:43:52:4a:69:62:07:a5:35:09:27:2e:d9:02:f8:
        03:5a:75:b0:67:73:f9:b3:9e:a2:f7:70:d9:70:0e:ad:06:0c:
        30:25:d3:d2:12:59:fb:e6:d3:52:1a:e2:8f:1a:a4:69:27:51:
        78:f5
FluffyMac30-2.local:tmp 71%
I poked a few other sites to see what they do:
verisign.com
www.thawte.com
www.entrust.com
www.geotrust.com
www.comodo.com/
cisco.com
microsoft.com
nist.gov
nsa.gov
They all had one thing in common - no SAN. I realize this has nothing to do with whether one could get a certificate with SAN or not - it is only a sample (not random) of what people who hopefully know about certificates are doing.

The funniest thing I found was that https://www.whitehouse.gov/ and https://www.gov.cn/ were both signed with the *same* certificate. Seriously, I could not make this up if I tried. (For me, both were served by a248.e.akamai.net.) Again no SAN.

So this is a pretty ad hoc selection but my point is simple - if these people are not using certificates with SAN, how long do we expect before most of the certificates people are using for their web servers use SAN? Our goal with SIP has for a long time been that it is possible to use the same certificate you already have for your web server and just use it to secure SIP.
One site I know of that does have SAN is cacert.org but I suspect that is only because I worked with them to get that working. It also seems that digicert.com can provide a certificate with at least a SAN name of DNS type but it is less clear if they can add a URI. The only other site I found in my limited poking that had a SAN was godaddy.com - once again proving they are the CA with the best names.

Exchange Server 2007 can take advantage of SAN and I expect to see more people using them because of this. Previously some CAs had offered SAN in certificates called Microsoft Small Business Server certificates but last time I tried these (long ago) I could not get one that worked with a SIP URI.

Some old market share data is at http://news.netcraft.com/archives/2003/04/09/netcraft_ssl_survey.html
A few years back, I got the market share data of major CAs, went down the top four and tried to get them to sign a CSR with a SIP URI in the SAN. I failed to get anything that worked. One of the CAs worked with me to try and resolve this and we got a test cert signed but they were unwilling to offer it as a service due to the small size of the market. Ideally someone (not me) would try this again and see if the stuff Microsoft has been doing has made it easier to get certs with SAN now than it was then.

Another nice test would be to randomly choose some domain names and look at their https certificate and see if it is using SAN to get an idea of what the current deployment is like.
Cullen <with my individual contributor hat on>
On Mar 26, 2008, at 12:52 PM, Vijay K. Gurbani wrote:
> Eric Rescorla wrote:
>> So, I have no brief for one design or the other, but I think
>> we can agree that it's imperative that this work with certs
>> from commodity CAs. Has someone published a survey of which
>> CAs will give you SAN?
>
> Ekr: I don't know of a survey, but anecdotally speaking, at least
> Thawte does. I have a freebie certificate from Thawte for
> email signing. It has a couple of my identities in SAN:
>
> [osiris:/u/vkg]$ x509 -noout -in vkg-Thawte-SAN.pem -text
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             15:8d:ec:ff:b9:06:bf:76:49:7b:29:d6:e5:df:61:b8
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=ZA, O=Thawte Consulting (Pty) Ltd., CN=Thawte Personal Freemail Issuing CA
> ...
>         X509v3 extensions:
>             X509v3 Subject Alternative Name:
>                 email:vkg acm.org, email:vkg alcatel-lucent.com
>             X509v3 Basic Constraints: critical
>                 CA:FALSE
>
> Thanks,
>
> - vijay
> --
> Vijay K. Gurbani, Bell Laboratories, Alcatel-Lucent
> 2701 Lucent Lane, Rm. 9F-546, Lisle, Illinois 60532 (USA)
> Email: vkg {alcatel-lucent.com,bell-labs.com,acm.org}
> WWW: http://www.alcatel-lucent.com/bell-labs
> _______________________________________________
> Sip mailing list https://www.ietf.org/mailman/listinfo/sip
> This list is for NEW development of the core SIP Protocol
> Use sip-implementors cs.columbia.edu for questions on current sip
> Use sipping ietf.org for new developments on the application of sip
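The survey the mail proposes (pull a site's certificate with openssl s_client, inspect it with openssl x509, and see whether it has a SAN and whether that SAN already holds a SIP URI) can be scripted. The following is an added example, not code from the mail or the SIP list; fetch_leaf_cert, san_entries and san_report are hypothetical helper names, the sip.example.com fixture is constructed, and make_test_cert assumes OpenSSL 1.1.1 or later for -addext.

```shell
#!/bin/sh
# Added example (not from the mail or the SIP list): check whether an X.509
# certificate carries a Subject Alternative Name, and list its entries, with
# the same openssl tools the mail uses.

# Fetch the leaf certificate a TLS server presents, as PEM on stdout.
# Hypothetical usage: fetch_leaf_cert mail.google.com 443 > leaf.pem
fetch_leaf_cert() {
    host="$1"; port="${2:-443}"
    # </dev/null closes the session instead of waiting for ^C as in the mail.
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Print the SAN entries (DNS:..., email:..., URI:...) of a PEM certificate,
# one per line; prints nothing when the certificate has no SAN at all.
san_entries() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Subject Alternative Name/ {
                 getline; sub(/^[ \t]+/, "")
                 n = split($0, a, /, /); for (i = 1; i <= n; i++) print a[i] }'
}

# Summarise a PEM certificate the way the mail classifies sites: no SAN,
# a SAN, or a SAN that already carries a SIP URI usable for SIP over TLS.
san_report() {
    entries=$(san_entries "$1")
    if [ -z "$entries" ]; then
        echo "NO SAN"
    elif printf '%s\n' "$entries" | grep -q '^URI:sip:'; then
        echo "SAN with SIP URI"
    else
        echo "SAN without SIP URI"
    fi
}

# Constructed fixture (not a real CA-issued cert): a self-signed certificate
# whose SAN holds a DNS name and a SIP URI. Needs OpenSSL 1.1.1+ for -addext.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=sip.example.com" \
        -addext "subjectAltName=DNS:sip.example.com,URI:sip:sip.example.com" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}
```

Run san_report over a directory of fetched leaf certificates to get the ad hoc deployment picture the mail describes, without hand-reading each x509 -text dump.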