[prev in list] [next in list] [prev in thread] [next in thread]
List: loadbalancing-l
Subject: RE: [load balancing] Question about Wildcard certificates, DNS CN AME (alias) and SSL accelerators
From: "Shawn Nunley" <shawn () nunleys ! com>
Date: 2002-12-19 23:29:49
[Download RAW message or body]
James,
You can disagree with the assertion that it is fair. You can even
disagree with the license agreement, but that would mean using
certificates from a different vendor. If you use the certificate from
Verisign, you are agreeing to their terms, and that's what their terms
say, fair or not.
Those other scenarios are not spelled out in the license agreement,
yet, because they aren't seen as a huge market for Verisign. In the
database example, for instance, they know you will be fine with a
private certificate.
Their revenue model has been predicated on numbers of certificates (now
licenses) sold per 'transaction' on the web. Since these high volume
aggregation devices, like SSL accelerators, drastically reduce that
potential revenue, they are trying to preserve that model. It may
work, and it may not.
-Shawn
James Costello said:
>
> I have to strongly disagree with the assurtion that by using an SSL
certificate on a load balancer that you are violating the license
agreement that was agreed to when purchasing the certificate. You are
not using the certificate on more than one server, the only server that
is using the certificate is the load balancer. Given the logic of not
using a certificate on more than one server, if you retrieve your e-
mail on more than one PC do you need to get more than one digital cert
for your e-mail? No, your mail is still end pointed at the same
location and that is where you are assuring the security from. Another
example, you have a database server providing back end data to your
website via an XML connection, if you follow VeriSign's marketing path
you will need to buy a certificate for this server as well even though
your customers make no contact to it and it does not need to have a
certificate outside of your own internal CA to provide security.
> I agree with the statement that VeriSign is not going to do anything
to reduce the number of certificates sold. They know you need them,
they can charge a large fee and get paid every year as long as people
do not know that there are other options.
>
> James Costello
> Consulting Engineer, ITCM
> Tallgrass Technologies
> 913 217 6117
>
>
========================================================================
====
> This message is intended only for the use of the Addressee(s) and may
> contain information that is PRIVILEGED and CONFIDENTIAL. If you are
not
> the intended recipient, dissemination of this communication is
prohibited by law.
> If you have received this communication in error, please erase all
copies
> of the message and its attachments and notify
jcostello@tallgrasstech.com
> immediately.
>
========================================================================
====
>
>
> >>> shawn@nunleys.com 12/18/02 10:53AM >>>
> Alex,
>
> The legality is proscribed by the usage agreement that you accept
when you
> begin using the certificate. This agreement is located at:
>
> http://www.verisign.com/repository/agreements/secureSite.html
>
> The important part is this:
>
> "1. Use Restrictions. You are prohibited from using your SSL
Certificate (i)
> for or on behalf of any other organization, (ii) to perform private
or public
> key operations in connection with any domain name and/or organization
name
> other than the submitted by you during enrollment (unless you have
purchased
> the Shared Hosting Security Service). You are also prohibited from
using your
> SSL Certificate on more than one server at a time (unless you have
purchased
> the SPECIFIC licensing option on the enrollment screen that permits
the use of
> a SSL Certificate on multiple servers). If you choose to display
VeriSign's
> Secure Site Seal (the "Seal"), you must install and display such Seal
only in
> accordance with the Secure Site Seal Licensing Agreement
> (https://www.verisign.com/repository/sslicense_agree.html) ("Secure
Site Seal
> Licensing Agreement")."
>
>
> This has nothing to do with the security of the certificate, or the
risk of it
> being compromised being increased.
>
> Security and legality are separate issues here. You are right, you
can easily
> share the same certificate across multiple servers that are being
load
> balanced, but this is a violation of the usage agreement.
>
> Verisign has a very complete document describing all of these
situations:
>
> http://www.verisign.com/rsc/wp/certshare/certshare.pdf
>
> Here is an excerpt regarding the legal aspect of using certificates
in
> violation of the agreement:
>
> "If an organization would like to use a certificate in multiple
instances or
> for another organization, in some cases, certificate sharing without
the
> appropriate VeriSign license may also expose an enterprise to charges
of
> software piracy.When offering shared certificates, ISPs sometimes
charge end-
> user merchants or other subscribers for use of the VeriSign Server ID
and the
> SSL capabilities enabled by its deployment.This practice allows the
ISP to
> profit from VeriSign's service (the Server ID) without paying
VeriSign's
> required fee, and is considered software piracy.VeriSign strictly
prohibits
> this and similar practices and will pursue violators to the full
extent of the
> law."
>
>
> Of course, Verisign is going to encourage usage practices that result
in more
> purchases of certificates, and that's why they raise the security
issue with
> regard to copying the cert to multiple servers. However, they do not
say this
> is a requirememt, only that you should be aware of the potentialy
higher risk.
>
> -Shawn
>
> Shawn Nunley
> Director of Technology
> NetScaler, Inc.
>
>
>
> Quoting Alex Moore <almoore@verio.net>:
>
> > Hi Shawn,
> >
> > Several times you mention in your email that you cannot "legally"
use
> > the same certificate for multiple devices that are serving the same
> > content. What legislation/policy are you referring to?
> >
> > The theory that Verisigns marketing would have you believe is that
if
> > one of your servers is compromised, then all of your servers should
be
> > considered compromised if they share the same certificate, whereas
if
> > they have individual certificates, then only the sessions to that
single
> > server could be compromised. There is some truth in this, however,
if
> > one of your servers is compromised, this would typically involve the
> > penetration of some form of firewall and I would consider all
servers
> > compromised anyway (after all, in a load balanced environment the
> > servers are typically identical, if one is breached, they could
easily
> > all be breached).
> >
> > The other point to note is that (for example) the Nortel Alteon isd-
SSL
> > accelerator works by sharing identical configuration amongst all the
> > accelerators, by its very nature of operation all devices share a
single
> > certificate.
> >
> > I would be interested if there is some legal requirement, but as
far as
> > I am aware the certificate merely establishes security/validity
between
> > the CN (domain name) and the client, the infrastructure behind that
CN
> > is irrelevant. It all depends on your individual security
requirements,
> > but of course Verisign would recommend a cert for each device ;)
> >
> > It basically comes down to if a server is compromised how exposed
are
> > the other servers? if they are individually secure buy one for
each, if
> > they are equally venerable buy a single one for all. Unless as you
> > state, there is some legal requirement.
> >
> > Let me know what you think.
> >
> > Regards,
> > Alex Moore
> >
> >
> >
> > > authority like Verisign. You cannot use the same certificate
(legally)
> > > on more than one active SSL server.
> >
> >
> > > need a certificate, in this case, is on the accelerator(s).
Again, you
> > > cannot use the same certificate on more than one device at a time
> > > (legally.)
> >
> >
> > ____________________
> > The Load Balancing Mailing List
> > Unsubscribe: mailto:majordomo@vegan.net?body=unsubscribe%20lb-l
> > Archive: http://vegan.net/lb/archive
> > LBDigest: http://lbdigest.com
> > MRTG with SLB: http://vegan.net/MRTG
> > Hosted by: http://www.tokkisystems.com
> >
> >
>
>
>
> ____________________
> The Load Balancing Mailing List
> Unsubscribe: mailto:majordomo@vegan.net?body=unsubscribe%20lb-l
> Archive: http://vegan.net/lb/archive
> LBDigest: http://lbdigest.com
> MRTG with SLB: http://vegan.net/MRTG
> Hosted by: http://www.tokkisystems.com
>
>
>
>
>
____________________
The Load Balancing Mailing List
Unsubscribe: mailto:majordomo@vegan.net?body=unsubscribe%20lb-l
Archive: http://vegan.net/lb/archive
LBDigest: http://lbdigest.com
MRTG with SLB: http://vegan.net/MRTG
Hosted by: http://www.tokkisystems.com
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic