Don Zick wrote:

Hello Don,

> I'm not actually using DNS at all.  For the application I'm working with
> the TLS clients and servers must be statically configured with a Fully
> Qualified Domain Name.  I match up the statically configured FQDN for a
> client with the DNS name from the client's certificate.

You are using DNS.

On the network layer you only have the IP address.
To get the FQDN you need to use DNS.

And compared with certificate / private key
authentication it is trivial to forge a wrong DNS answer.
(At least if you don't use DNSSEC on all your clients and servers...)

When an attacker is able to steal a private key,
he is also able to poison your DNS...

Bye

Goetz

-- 
Goetz Babin-Ebell, TC TrustCenter AG, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0,  Fax: +49-(0)40 80 80 26 -126
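The check Don describes (comparing a statically configured FQDN with the DNS name carried in the peer's certificate) is, on its own, sound: the expected name comes from local configuration, not from a DNS lookup of the peer's IP address, so a forged DNS answer cannot change which name the peer must prove. The example below is added here and is not code from either poster; it assumes the certificate has already been chain-validated by the TLS stack (e.g. `CERT_REQUIRED` in Python's `ssl` module) and takes the certificate in the dictionary shape that `SSLSocket.getpeercert()` returns. It matches the configured name against the SAN dNSName entries only, applying a subset of the RFC 6125 rules (case-insensitive labels, a wildcard honoured only as the whole left-most label and matching exactly one label), and deliberately refuses an IP-address "name" and a certificate with no SAN dNSName. The sample certificate is constructed for the example.

```python
import ipaddress


def _match_dns_name(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName entry against a configured hostname.

    Subset of RFC 6125 section 6.4.3: comparison is case-insensitive and
    ignores a trailing dot; "*" is accepted only as the entire left-most
    label of a name with at least two further labels, and matches exactly
    one label ("*.example.com" matches "a.example.com" but neither
    "example.com" nor "a.b.example.com").
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole first label, and nothing like "*" or "*.com".
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    # No wildcard anywhere else in the pattern ("*.ex*.com" is refused).
    if "*" in pattern[2:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def san_dns_names(cert: dict) -> list:
    """Extract the dNSName entries from a getpeercert()-style dictionary."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def peer_matches_configured_name(cert: dict, expected_fqdn: str) -> bool:
    """True if the statically configured FQDN matches a SAN dNSName of the peer.

    The expected name is taken from local configuration only; the peer's IP
    address is never resolved, so DNS plays no part in this decision.
    """
    try:
        ipaddress.ip_address(expected_fqdn)
        return False  # the configured identity must be a name, never an address
    except ValueError:
        pass
    names = san_dns_names(cert)
    if not names:
        return False  # no SAN dNSName: refuse rather than fall back to the CN
    return any(_match_dns_name(name, expected_fqdn) for name in names)


# Constructed sample certificate in the shape returned by getpeercert().
# The commonName is intentionally different from every SAN entry to show
# that the CN is not consulted.
CONSTRUCTED_CERT = {
    "subject": ((("commonName", "legacy-name.example.com"),),),
    "subjectAltName": (
        ("DNS", "tls-server.example.com"),
        ("DNS", "*.nodes.example.com"),
    ),
}

if __name__ == "__main__":
    for configured in ("tls-server.example.com", "node1.nodes.example.com",
                       "nodes.example.com", "legacy-name.example.com", "192.0.2.10"):
        print(configured, "->", peer_matches_configured_name(CONSTRUCTED_CERT, configured))
```

The comparison is only meaningful after the chain has been validated, so that the SAN entries are asserted by a CA the deployment trusts; on its own it answers "is this the peer I was configured to talk to", not "is this certificate genuine".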
