-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael Sierchio
Sent: Friday, October 27, 2000 3:30 PM
To: Greg Stark
Cc: [EMAIL PROTECTED]
Subject: Re: Avoiding "man in the middle" attacks

Greg Stark wrote:
>
> You need one more check. You need to check that the cert you are getting
> comes from the site you wanted to connect to.

That's not part of the protocol, it's something browsers do for
the naive user -- and has nothing to do with the man-in-the-middle
attack. If you accept the DN presented in the cert, and that's
who you want to communicate with, the DNS name is rather irrelevant.
And the integrity of DNS is far less sound than the cert identity
of the presenter.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

As somebody stated, there is a difference between authentication and authorization.

Servers should be protected from "man in the middle" attacks via "Access Control" software which authorizes access to files, servers, etc. via a triple combination of keys: FQDN (fully qualified domain name), TCP-IP address and user name (UID in Unix).