Yes, Lutz. That's why I want to check peer's FQDN against which on its certificate. Actually, just like what Steve said before, even the hacker can spoof DNS, he still needs peer's certificates and key to masquerade the owner of that key. Checking of the FQDN is an extra step to prevent this to happen.
Jacky ----- Original Message ----- From: "Lutz Jaenicke" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, July 23, 2003 8:43 AM Subject: Re: FQDN > On Wed, Jul 23, 2003 at 01:28:36PM +0100, Dan Kendall wrote: > > I'm a newcomer to this crypto business and maybe I'm a little confused... I > > don't want to hijack this conversation but surely somebody from evil.bar.com > > could provide a certificate signed by a trusted party for example.foo.com. > > After all, the certificate is public right? So something else, be it DNS > > related or otherwise, must be needed to make sure the connection is sound. > > Is it not common practice to do a test encryption, thereby ensuring the > > 'other end' has a private key to match the public key in the certificate? > > This is an elementary part of the protocol. Your party will send its > certificate _and_ will cryptographically sign it with the private key. > Therefore only the holder of the private key will be able to use the > public key being part of the certificate. > > Again: DNS is not secure. Therefore the standards (RFCs) describing > the use of TLS for certain protocols insist on: > 1 choose a peer and remember its NAME > 2 look up the peer in DNS, if required to establish the connection > 3 perform the TLS handshake and obtain the peer's certificate > 4 check validity of the certificate (expiry, CA, ...) > 5 check whether the subject certified is identical to NAME > > Point 2 (DNS lookup) is only an auxilliary step required due to the > network protocol used. It does not have any security implications beyond > the fact that it is not trustworthy. The security comes from step 5. > > Best regards, > Lutz > -- > Lutz Jaenicke [EMAIL PROTECTED] > http://www.aet.TU-Cottbus.DE/personen/jaenicke/ > BTU Cottbus, Allgemeine Elektrotechnik > Universitaetsplatz 3-4, D-03044 Cottbus > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List [EMAIL PROTECTED] > Automated List Manager [EMAIL PROTECTED] ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
