Eric Rescorla wrote:
> 
> Götz Babin-Ebell <[EMAIL PROTECTED]> writes:
> > And how gets he the connection IP-Address <-> FQDN ?
> > ->He uses DNS.
> I think you need to reread his message since that's not
> what he says.

Hm:

<snip>
client authentication.  After a successful SSL_accept() I have some
logic that verifies that the Common Name in the client certificate
matches the client's DNS name.  This works just fine.  However, if the
</snip>

<snip>
It seems to me that if one private key becomes compromised, and I don't
validate the DNS name in certificates then an attacker can pretend
to be any system in the network until the CRL gets updated.  So if I'm
understanding things correctly, validation of the DNS name in
certificates is quite important.
</snip>

I read this as:
1. client connects to his server
2. server extracts FQDN from cert
3. to be shure the client is really
   the client for the allowed tasks he
   does a DNS match for FQDN <-> IP

and point 3 is only meaningfull for the client side:
you must be shure the server is really the server you
wanted to connect, so you know to which host the connection
should go.

Bye

Goetz

-- 
Goetz Babin-Ebell, TC TrustCenter AG, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0,  Fax: +49-(0)40 80 80 26 -126

S/MIME Cryptographic Signature

Reply via email to