Hi,

I'm a newcomer to this crypto business and maybe I'm a little confused... I
don't want to hijack this conversation, but surely somebody from evil.bar.com
could provide a certificate signed by a trusted party for example.foo.com.
After all, the certificate is public, right?  So something else, be it DNS
related or otherwise, must be needed to make sure the connection is sound.
Is it not common practice to do a test encryption, thereby ensuring the
'other end' has a private key to match the public key in the certificate?

Again, apologies for interrupting but I am now quite confused,

Dan

> -----Original Message-----
> From: David Schwartz [mailto:[EMAIL PROTECTED]
> Sent: 23 July 2003 02:55
> To: [EMAIL PROTECTED]
> Subject: RE: FQDN
> 
> > Thank you, David and Steve.
> > Yes, it will be a big problem if someone spoofs DNS,
> > but it can prevent man-in-the-middle to some extent.
> 
>       No, it cannot.
> 
> > If the DNS is sabotaged, what can we do?
> > What should I believe? :-)
> 
>       You should ignore the DNS entirely. If you receive a certificate signed
> by a trusted authority, you can believe that you are talking to the entity
> whose name appears in that certificate. All a man-in-the-middle can do in
> that case is break the connection.
> 
>       I don't understand why you care about DNS at all. If you receive a
> certificate with a common name of 'foo.example.com', you are talking to
> 'foo.example.com', period. It doesn't matter what IP address you connected
> to, connects to you, or what it resolves or doesn't resolve to.
> 
>       DS
> 
> 
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
> 
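The name check David describes, written out as an added example (not code from this thread or from the OpenSSL project): the client compares the hostname it *intended* to reach against the names in the peer certificate, and the IP address the socket landed on never enters the comparison. The certificate is assumed to be in the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns, after a handshake that already verified the chain and the peer's possession of the private key; the sample certificate is constructed.

```python
"""Hostname check against a peer certificate, in the shape Python's
ssl.SSLSocket.getpeercert() returns. Added example for this thread, not
code from the OpenSSL project or from the posters."""
import ipaddress


def _match_dns(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, wildcard allowed only as
    the whole leftmost label, never matching across a dot or a bare TLD."""
    pattern, hostname = pattern.lower().rstrip('.'), hostname.lower().rstrip('.')
    p_labels, h_labels = pattern.split('.'), hostname.split('.')
    if len(p_labels) != len(h_labels) or ('*' in pattern and len(p_labels) < 3):
        return False
    if p_labels[0] == '*':
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def verify_peer_identity(cert: dict, intended: str) -> bool:
    """True only if the name the client intended to reach appears in the
    certificate; which IP address the socket connected to plays no part."""
    san = cert.get('subjectAltName', ())
    dns_names = [v for t, v in san if t == 'DNS']
    ip_names = [v for t, v in san if t == 'IP Address']
    try:
        ip = ipaddress.ip_address(intended)
    except ValueError:
        ip = None
    if ip is not None:
        # A literal IP target must match an iPAddress SAN, never a dNSName.
        return any(ipaddress.ip_address(v) == ip for v in ip_names)
    if dns_names:
        return any(_match_dns(p, intended) for p in dns_names)
    # Legacy fallback: Common Name is consulted only when no dNSName SAN exists.
    for rdn in cert.get('subject', ()):
        for key, value in rdn:
            if key == 'commonName':
                return _match_dns(value, intended)
    return False


# Constructed sample, shaped like getpeercert() output (not a real certificate).
SAMPLE_CERT = {
    'subject': ((('commonName', 'foo.example.com'),),),
    'subjectAltName': (('DNS', 'foo.example.com'), ('DNS', '*.bar.example.com')),
}
```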