IP-Hosting Policy Specifics

Susan Zeigler susan at arcana.manske.net
Fri May 4 01:04:58 EDT 2001


That is one reason for a certificate and it is obviously very valid,
however there are other ways they are implemented. "Shopping cart" sites
for smaller businesses probably make up the majority of the ones I've
seen. Considering that the regional ISP that I worked for until very
recently had upwards of 60 collocated/dedicated clients, none of which
had more than one cert per box but many had multiple clients per box,
like it or not this is indeed a solution that is being implemented. 

Additionally, this scenario was similar for the clients who hosted their
servers on their own networks. As IP administrator, I was fully aware of
the uses and needs of these clients--less than 1% of the 1500 high-speed
access business clients we had utilized anything but host-headers and
less than 5 had projected that they would eventually install more than
one certificate on a server. The sites that were large enough to want
(and pay for) their own certificates were usually on either a dedicated
or collocated server/server cluster. These included some fairly large
international sites.

There were other technical justifications for hard-IPing sites on a
server that we were occasionally presented with, but one of the few we
could actually justify as mandatory was that multiple certificates on a
server required multiple IPs--multiple NICs is obviously another one. 

The gist of what I was saying was this:
If you only have one cert, you only need one IP. 

steve wrote:
> 
> geezz.. I don't condone this at all.. the *very reason* for a cert is to
> identify the site. Let's please stay with rationality and assume NT SSL
> requires an IP per host name.  :))
> 
> Steve Conzett
> host-all.com
> 
> ----- Original Message -----
> From: "Susan Zeigler" <susan at arcana.manske.net>
> To: <vwp at arin.net>
> Sent: Thursday, May 03, 2001 4:32 PM
> Subject: Re: IP-Hosting Policy Specifics
> 
> > The post I sent earlier today didn't seem to go through so I'm posting it again,
> > apologies if anyone receives this twice:
> >
> > Several months ago, I wrote an FAQ and posted information regarding SSL and
> > host-header based hosting. Following is an excerpt from that:
> >
> > In order for a certificate to work on more than one site, 2 of three
> > things need to be different: domain, port, or IP.
> >
> > If you are maintaining multiple web sites on one certificate, it can
> > easily be done using only one IP. There must always be one IP per
> > certificate, however, so if you are running multiple certificates on the
> > same server you will need more than one IP assigned to that server--one
> > for each certificate.
> >
> > The certificate should be registered with a designated host-name under
> > your primary domain. (example: secure.webhostersmaindomain.com)
> > This will point to the root site of your server if you are running IIS 4
> > or anywhere on IIS 5 and other web hosting applications.
> >
> > This is the directory you will set up SSL for and where all of the
> > actual home directories of the sites that will be accessed via SSL. You
> > then set up the virtual site and any time you want to access via SSL
> > site, you set up a redirect to the URL
> > <secure.webhostersmaindomain.com/mydirectory> where
> > <mydirectory> is the name of the home directory. In addition, creating
> > the sites as an application under that root site can help to easily
> > designate them.
> >
> > The only exposure this scheme has is with identity. If someone would
> > click on the lock, it will list the secure.webhostersmaindomain.com as
> > the owner, however this issue is the same for anyone who is running
> > multiple sites off the same certificate, so it doesn't come into play
> > with regards to the IP scheme. The only way to combat this argument is
> > to then have multiple certificates, with each individual client owning
> > their own. This is costly, however, so many web hosting companies don't
> > do this.
> >
> > The web-hosting clients that I have don't get any complaints with this
> > method. In fact, their clients love it because they don't have to buy
> > their own certificate.
> >
> >
> >
> >
> > Alberto Mujica wrote:
> > >
> > > Since technical reasons can be pretty specific I agree with the fact that
> > > there should be a list of technical reasons to justify IP address
> > > allocations and an escalation procedure to suggest new ones.
> > >
> > > My main concern, would providing SSL to our customers be a sufficient
> > > technical justification?
> > > In theory, SSL can be provided with host names, but Windows 2000 and NT for
> > > example allow binding of a certificate to only one IP Address.
> > >
> > > Thanks,
> > >
> > > Alberto Mujica
> > > Database Administrator
> > > MCDBA, MCSE, MCP+I, A+
> > > albertm at innerhost.com

> > --
> >
> > --
> > -Susan
> > --
> > Susan Zeigler            |      Technical Services
> > szeigler at spindustry.com  |      Spindustry Systems
> > 515.225.0920             |
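
The one-IP-per-certificate rule discussed in this thread, as an added example that is not part of any poster's message: a small audit over a server's SSL site bindings, assuming the server must pick its certificate from the IP and port alone, before it sees the Host header. The binding records, the client host names, the exact-name comparison (no wildcards) and the 192.0.2.x addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample bindings: three sites share 192.0.2.10, and one of
# them tries to use its own certificate on that shared address.
BINDINGS = [
    {"host": "secure.webhostersmaindomain.com", "ip": "192.0.2.10",
     "port": 443, "cert": "secure.webhostersmaindomain.com"},
    {"host": "shop.client-a.example", "ip": "192.0.2.10",
     "port": 443, "cert": "secure.webhostersmaindomain.com"},
    {"host": "www.client-b.example", "ip": "192.0.2.10",
     "port": 443, "cert": "www.client-b.example"},
    {"host": "www.client-c.example", "ip": "192.0.2.11",
     "port": 443, "cert": "www.client-c.example"},
]


def audit_bindings(bindings):
    """Check SSL bindings against the one-certificate-per-IP rule.

    Returns a dict with:
      conflicts   - (ip, port) endpoints that have more than one certificate
                    bound; only one of them can actually be presented there
      mismatches  - hosts served under a certificate issued to another name
                    (the identity exposure seen when a visitor clicks the lock)
      ips_needed  - distinct certificates in use, i.e. the number of IPs the
                    server needs if every certificate gets its own address
    """
    certs_by_endpoint = defaultdict(set)
    for b in bindings:
        certs_by_endpoint[(b["ip"], b["port"])].add(b["cert"].lower())

    conflicts = {ep: sorted(certs)
                 for ep, certs in certs_by_endpoint.items() if len(certs) > 1}
    mismatches = sorted(b["host"] for b in bindings
                        if b["host"].lower() != b["cert"].lower())
    ips_needed = len({b["cert"].lower() for b in bindings})
    return {"conflicts": conflicts, "mismatches": mismatches,
            "ips_needed": ips_needed}


if __name__ == "__main__":
    report = audit_bindings(BINDINGS)
    for endpoint, certs in report["conflicts"].items():
        print("conflict on %s:%d -> %s" % (endpoint[0], endpoint[1], certs))
    print("served under another name's cert:", report["mismatches"])
    print("IPs needed for these certificates:", report["ips_needed"])
```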
