Tuesday, May 25, 2010

Re: [Geopriv] Security considerations for LIS discovery

"Doesn't scale"?

The solution of "multiple subjectAltNames" doesn't work, but equipping the
ISP LIS with a separate credential for each of its customers does. Even
someone like Godaddy does that now for its customers. You get a cert, you
upload it, the HTTP server uses it. They probably host tens of thousands of
certs for different domains.

Brian


On 5/25/10 10:33 AM, "Ray Bellis" <Ray.Bellis@nominet.org.uk> wrote:

> On 25/05/2010 15:16, "Brian Rosen" <br@brianrosen.net> wrote:
>
>> Sorry, I don't get this.
>>
>> I certainly understand the customer-of-the-isp issue.
>>
>> However, at least in my experience, such customers don't want any reference
>> to their upstream providers in any service. That means if the customer's
>> domain is customer.net, they want the lis to be lis.customer.net, and
>> isp.net has to answer to that name. If they didn't care, then the DHCP
>> entry would be allowed to point directly to the ISP (and only one DHCP entry
>> would need to be changed if the ISP changed)
>>
>> That is usually pretty straightforward, and ISPs do that. The LIS would
>> have multiple credentials and use the appropriate one.
>
> If the protocol is https (which AIUI is expected) then having the ISP LIS
> answer as "lis.customer.net" is impractical - it just doesn't scale (see
> Martin's message).
>
> Ray
>
>


_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv
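The arrangement Brian describes above (one ISP-run HTTPS LIS answering as lis.customer.net for each customer, with a separate credential per name rather than one certificate listing every customer in subjectAltName) is what TLS Server Name Indication makes routine: the client puts the name it was configured with into the ClientHello and the server picks the matching certificate. The following Go program is an added example, not code from the Geopriv thread or any LIS implementation; the private CA, the hostnames lis.customer.net / lis.other.net / lis.unknown.net, the loopback listener and the function names are all made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Added example, not code from the Geopriv thread; the CA, customer names and
// loopback listener are made up. newCert issues a self-signed CA when parent is
// nil, otherwise a server leaf with exactly one SAN, signed by parent.
func newCert(name string, parent *tls.Certificate) (*tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // demo only; real CAs use random serials
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	signer, signerKey := tmpl, any(key)
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // this customer's name and nothing else
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// lisConfig is the ISP LIS side: one credential per customer name, chosen by the
// SNI in the ClientHello. An unknown name (or no SNI at all) fails the handshake
// rather than being shown some other customer's certificate.
func lisConfig(customers []string) (*tls.Config, *x509.CertPool, error) {
	ca, err := newCert("Demo LIS CA", nil)
	if err != nil {
		return nil, nil, err
	}
	certs := map[string]*tls.Certificate{}
	for _, n := range customers {
		if certs[n], err = newCert(n, ca); err != nil {
			return nil, nil, err
		}
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.Leaf)
	cfg := &tls.Config{
		MinVersion: tls.VersionTLS12,
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if c, ok := certs[strings.ToLower(hello.ServerName)]; ok {
				return c, nil
			}
			return nil, fmt.Errorf("no credential for %q", hello.ServerName)
		},
	}
	return cfg, roots, nil
}

// PresentedNames runs that LIS on loopback, connects as a client pointed at host
// would (chain checked against the CA, hostname verified) and returns the SANs of
// the certificate the server chose.
func PresentedNames(host string, customers []string) ([]string, error) {
	srvCfg, roots, err := lisConfig(customers)
	if err != nil {
		return nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	go func() { // server side: take one client through the handshake, then hang up
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		ServerName: host, RootCAs: roots, MinVersion: tls.VersionTLS12,
	})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0].DNSNames, nil
}
```

Calling PresentedNames("lis.customer.net", customers) yields a certificate whose only SAN is lis.customer.net, and the same call for lis.other.net yields only that name: each customer's clients see a credential that never mentions the ISP or any other customer, which is the objection Brian raises to a single multi-SAN certificate. A client asking for a name the LIS does not host gets a handshake failure rather than a fallback certificate; in production that lookup would be backed by a certificate store rather than an in-memory map, but the selection logic in GetCertificate is the whole of the per-customer scaling mechanism.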