Re: [websec] I-D Action: draft-nir-websec-extended-origin-00.txt

Yoav Nir <ynir@checkpoint.com> Sun, 26 February 2012 12:14 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: "Manger, James H" <James.H.Manger@team.telstra.com>
Date: Sun, 26 Feb 2012 14:14:07 +0200
Message-ID: <C800BA3D-8988-4DDA-B5BB-759435634746@checkpoint.com>
References: <20120202220021.31936.37346.idtracker@ietfa.amsl.com> <C35E9FBD-8AF7-4F63-B798-1316B985E032@checkpoint.com> <255B9BB34FB7D647A506DC292726F6E114EC261141@WSMSG3153V.srv.dir.telstra.com> <7BC9C725-9604-49C9-9A6B-B24B6B088B0A@checkpoint.com> <255B9BB34FB7D647A506DC292726F6E114EC261EA8@WSMSG3153V.srv.dir.telstra.com>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E114EC261EA8@WSMSG3153V.srv.dir.telstra.com>
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] I-D Action: draft-nir-websec-extended-origin-00.txt
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>

On Feb 24, 2012, at 1:35 AM, Manger, James H wrote:

> The scheme that you propose (a.sslvpn.example.com, b.sslvpn.example.com, etc.) really does work. In fact, the product that my company makes offers this as an option.

Good to hear.

> Sadly, our customers don't like it, hence the other option. Using multiple FQDNs requires them either to buy multiple certificates or a wildcard certificate, both of which are more expensive. Additionally, this requires them to add multiple DNS records, which for some reason they find cumbersome.

Not sure that that is a good enough reason to introduce extended origins.

I checked the products of some of our competitors, and they seem to also offer both options. IMHO the cost and complexity of deployment for the user are valid considerations for engineering.

In this case, the cost is incurred not because of technical necessity but because of the way browsers work with commercial CAs - that wildcard certificates are more expensive, and multiple certificates are also more expensive.  Regardless, the cost and complexity are real.

I hope to have a -01 draft ready in time, which will address your other point.

Thanks again for the review

Yoav
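To make the trade-off discussed above concrete, here is an added example (not from the thread, and not code from either vendor's product): it computes the RFC 6454 origin of each application URL under a single-host layout and under the per-application FQDN layout, and then checks which hostnames a given set of certificate names covers using RFC 6125 wildcard rules. All hostnames and URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """RFC 6454 origin tuple (scheme, host, port) for an absolute URL."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port if u.port is not None else DEFAULT_PORTS[scheme]
    return (scheme, u.hostname.lower(), port)


def same_origin(url_a, url_b):
    """True when the browser would let the two documents share state."""
    return origin(url_a) == origin(url_b)


def cert_name_matches(cert_name, host):
    """RFC 6125-style matching: a leading '*' covers exactly one DNS label and
    only in the left-most position; anything else is an exact match."""
    cert_name, host = cert_name.lower(), host.lower()
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                      # e.g. ".sslvpn.example.com"
        label = host[: -len(suffix)] if host.endswith(suffix) else ""
        return bool(label) and "." not in label     # one non-empty label, no dots
    return cert_name == host


def uncovered_hosts(cert_names, hosts):
    """Hosts in the deployment that none of the certificate names cover."""
    return [h for h in hosts
            if not any(cert_name_matches(n, h) for n in cert_names)]


# Constructed deployment: one portal fronting two internal applications.
PATH_SCHEME = ["https://sslvpn.example.com/app-a/",
               "https://sslvpn.example.com/app-b/"]     # one origin for both
FQDN_SCHEME = ["https://a.sslvpn.example.com/",
               "https://b.sslvpn.example.com/"]         # one origin per app
ALL_HOSTS = ["sslvpn.example.com", "a.sslvpn.example.com", "b.sslvpn.example.com"]

if __name__ == "__main__":
    print("path scheme shares an origin:", same_origin(*PATH_SCHEME))
    print("FQDN scheme shares an origin:", same_origin(*FQDN_SCHEME))
    for names in (["sslvpn.example.com"], ["*.sslvpn.example.com"],
                  ["sslvpn.example.com", "*.sslvpn.example.com"]):
        print(names, "leaves uncovered:", uncovered_hosts(names, ALL_HOSTS))
```

Note that the wildcard name alone does not cover the portal's own apex hostname, which is why the per-FQDN layout ends up needing either several certificates or a certificate carrying both the apex and the wildcard name.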