On Nov 26, 2007 3:09 PM, seth vidal <skvidal@xxxxxxxxxxxxxxxxx> wrote:
>
> If the hostname is changing randomly there's not going to be a way to
> contact the host via func, anyway. So that use case is kinda moot. Think
> of it the same way as having a webserver which is randomly changing its
> ip address and hostname. You're sol on consistently contacting the
> webserver and you'll know for damned sure the ssl certs won't match. :)
>

Ah I had been wondering about 'provisioning/maintaining' student desktops which are on first come first serve with the dhcp servers. Not a scenario for this though. The other case shows up where stupid DNS is run as dynamic dns with admins who say things like "let you choose your name on this lan."

> If another box submits the same csr for lshark.bar.org as the certmaster
> got originally it will hand it back the proper cert. If the csr is NOT
> the same then it will belch out an error and tell the asking box to go
> die.
>
> does that make sense?
>

Yes.. oh what happens if a box sends various certs before the sysadmin approves them. Say the old, rebuild the box.. ah crap wrong partitions.. rebuild the box.. what you want oracle on it now, repartition.. rebuild the box...

> -sv
>

--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
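
The CSR-matching rule quoted above, modelled as an added example; this is not certmaster's code and is not part of the original message. It assumes the rule also applies while a request is still awaiting approval, and the `clean` step, the class name and the CSR byte strings are hypothetical placeholders constructed for the illustration.

```python
import hashlib


class CsrStore:
    """Toy model of the quoted rule: the first CSR seen for a hostname pins it."""

    def __init__(self):
        self.csrs = {}   # hostname -> SHA-256 of the first CSR received
        self.certs = {}  # hostname -> cert issued once an admin approves

    def submit(self, hostname, csr):
        digest = hashlib.sha256(csr).hexdigest()
        known = self.csrs.get(hostname)
        if known is None:
            self.csrs[hostname] = digest      # first request: queue for approval
            return ("pending", None)
        if known != digest:
            return ("error", None)            # different CSR for a known name
        cert = self.certs.get(hostname)
        return ("signed", cert) if cert else ("pending", None)

    def sign(self, hostname):
        # Stand-in for admin approval; the "cert" is a constructed placeholder.
        cert = ("CERT %s %s" % (hostname, self.csrs[hostname][:12])).encode()
        self.certs[hostname] = cert
        return cert

    def clean(self, hostname):
        # Hypothetical admin step: forget the host so a rebuilt box can re-enroll.
        self.csrs.pop(hostname, None)
        self.certs.pop(hostname, None)


def rebuild_scenario():
    """Replay the rebuild case from the reply: same name, new key each time."""
    store, host = CsrStore(), "lshark.bar.org"
    first = b"CSR host=lshark.bar.org key=A"    # constructed sample, not real PEM
    rebuilt = b"CSR host=lshark.bar.org key=B"  # constructed sample, not real PEM
    states = [store.submit(host, first)[0]]     # original install asks first
    states.append(store.submit(host, rebuilt)[0])  # rebuilt before approval
    store.sign(host)
    states.append(store.submit(host, first)[0])    # same CSR gets its cert back
    states.append(store.submit(host, rebuilt)[0])  # different CSR still refused
    store.clean(host)
    states.append(store.submit(host, rebuilt)[0])  # accepted only after cleanup
    return states


if __name__ == "__main__":
    print(rebuild_scenario())
```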