[cryptography] trustable self-signed certs in a P2P environment (freedombox)

Ondrej Mikle ondrej.mikle at nic.cz
Wed Nov 30 18:55:16 EST 2011


On 11/30/11 21:11, Adam Back wrote:
> It's rather common for people with load balancers and lots of servers serving
> the same domain to have multiple certs.

I did a survey of how common those load-balancing 'CDN services' are ('CDN service'
defined as 'hostname that sent cert A, then B, then A again'). See
https://mail1.eff.org/pipermail/observatory/2011-November/000484.html

> I installed cert patrol and the popups about this are frequent.  Any
> solution that hopes for easy interim deployment needs to work with this.

Yes. Generally the result from the above survey is that certpatrol's popup saying
'CA changed' is rather rare, and serves as a good indicator of when a user should be
aware that something may be amiss (i.e. low false-positive rate).

There's also a bunch of services (server clouds) that issue new certs every 2-3
days. I'll try to post results in a day.

Ondrej
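As an added illustration of the two heuristics discussed in this message (example code written for this page, not from the thread, the EFF survey or Cert Patrol): it replays constructed per-host certificate observations, marks a host "CDN-like" when a cert reappears after a different one (A, B, A), and records an issuer change between consecutive distinct certs as a 'CA changed' event. Host names, fingerprints and CA names are made up; the log-line format is an assumption of the example.

```python
# Added example, not from the thread: classify per-host cert observations using the
# survey's definition (A, then B, then A again = CDN-like) and flag issuer changes.
from collections import defaultdict
from typing import NamedTuple

class Observation(NamedTuple):
    host: str
    fingerprint: str   # leaf cert fingerprint; constructed short hex values below
    issuer: str        # issuer name as shown in the cert

def parse_line(line: str) -> Observation:
    """Parse one constructed log line: '<ts> <host> sha256=<hex> issuer=<name>'."""
    _ts, host, fp, issuer = line.split(maxsplit=3)
    return Observation(host, fp.split("=", 1)[1], issuer.split("=", 1)[1])

def classify_host(observations):
    """Return (cdn_like, ca_changes) for one host's observations in time order."""
    seen, cdn_like, ca_changes, prev = set(), False, [], None
    for obs in observations:
        if prev is not None and obs.fingerprint != prev.fingerprint:
            if obs.fingerprint in seen:      # A -> B -> A: an old cert reappeared
                cdn_like = True
            if obs.issuer != prev.issuer:    # the new cert came from a different CA
                ca_changes.append((prev.issuer, obs.issuer))
        seen.add(obs.fingerprint)
        prev = obs
    return cdn_like, ca_changes

def classify_log(lines):
    """Group log lines by host (preserving order) and classify each host."""
    by_host = defaultdict(list)
    for obs in map(parse_line, lines):
        by_host[obs.host].append(obs)
    return {host: classify_host(obs_list) for host, obs_list in by_host.items()}

# Constructed sample log; fingerprints and CA names are made up for illustration.
SAMPLE_LOG = [
    "2011-11-28T09:00Z cdn.example.net sha256=aa11 issuer=CA-One",
    "2011-11-28T09:05Z cdn.example.net sha256=bb22 issuer=CA-One",
    "2011-11-28T09:10Z cdn.example.net sha256=aa11 issuer=CA-One",
    "2011-11-28T10:00Z cloud.example.com sha256=cc33 issuer=CA-One",
    "2011-11-30T10:00Z cloud.example.com sha256=dd44 issuer=CA-One",
    "2011-11-29T11:00Z bank.example.org sha256=ee55 issuer=CA-One",
    "2011-11-30T11:00Z bank.example.org sha256=ff66 issuer=CA-Two",
]
```

The cloud host that simply rotates to a fresh cert from the same CA trips neither heuristic, which matches the point above: cert churn is common, while an issuer change is the rarer and more useful alarm.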
