David Schwartz wrote:

> Sufficient for what? I may not want to send my credit card information to
> anyone who has a Verisign certificate, but I might be willing to send it to
> someone who has a Verisign certificate for 'www.amazon.com' or has that
> listed as one of the alternate names.

There's confusion in the PKI realm about what constitutes trust and authority. My assumption is that the certificate issuer does due diligence -- presumably, that's YOU if you are developing an application using client auth.

> Comparing the name to the name you get when you resolve the IP you connected to
> doesn't seem useful to me. But comparing the name (or alternate name) to the
> name you expected to connect to makes very good sense.

You're talking about connecting to a server via HTTP, which has little if anything to do with SSL and mutual authentication. I maintain that it is far easier to poison a DNS cache than to recover someone else's private key (if reasonably secured). Client certs should bind public keys to identity -- however that is defined by the application.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
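The check the quoted message describes, comparing the certificate's name or alternate names against the name the client expected to reach rather than against a reverse-DNS result, as an added example that is not part of the original thread. The certificate dictionaries mimic the layout of Python's `ssl.SSLSocket.getpeercert()` but are constructed here so the script runs offline; `expected_name_matches_cert` and `_dns_name_matches` are names chosen for this example.

```python
"""Match the name a client intended to connect to against a server
certificate's subjectAltName (or, as a legacy fallback, its subject CN).
Constructed sample data; not code from the OpenSSL project."""

import ipaddress


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, a wildcard only as the
    whole leftmost label, never spanning a dot or covering a bare TLD."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    # "*.amazon.com" is fine; "*.com" or "w*.amazon.com" are rejected.
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def expected_name_matches_cert(cert: dict, expected: str) -> bool:
    """True if `expected` (hostname or IP literal the client meant to reach)
    is covered by the cert's SANs; the CN is consulted only when the cert
    carries no DNS/IP SANs at all, mirroring modern validator behaviour."""
    sans = cert.get("subjectAltName", ())
    dns_names = [v for k, v in sans if k == "DNS"]
    ip_names = [v for k, v in sans if k == "IP Address"]
    try:
        ip = ipaddress.ip_address(expected)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal must match an IP SAN exactly; DNS names never apply.
        return any(ipaddress.ip_address(v) == ip for v in ip_names)
    if dns_names or ip_names:
        return any(_dns_name_matches(n, expected) for n in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dns_name_matches(value, expected):
                return True
    return False


# Constructed sample resembling a certificate issued for www.amazon.com.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.amazon.com"),),),
    "subjectAltName": (("DNS", "www.amazon.com"), ("DNS", "*.amazon.com")),
}

if __name__ == "__main__":
    for name in ("www.amazon.com", "images.amazon.com", "evil.example.com"):
        print(name, expected_name_matches_cert(SAMPLE_CERT, name))
```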