Mark wrote:
> It is likely that we would want to embed some additional data in
> client certificates to further enhance security. For example we
> may wish to include a (list of) IP address(es) that the client
> can connect from and reject those not on the list. Alternatively
> we could create a database of clients and their IP addresses on
> the server and perform a lookup based on some unique identifier
> in the client certificate. I would be grateful for ideas on
> the way to go here and how to implement it.
It seems like a Really Bad Idea to key to IP addresses in the certificate. They can not only change, they're often outside of the client's control. Fully qualified domain names are much better. Server certs use their FQDN as their Common Name.

On the server side, why not maintain a database of clients and FQDNs or IP addresses? What you gain in flexibility should more than offset the increased complexity in the code.

Bear

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
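The server-side lookup Bear suggests, as an added example that is not code from either poster nor from OpenSSL: the TLS layer is assumed to have already verified the client certificate against the trusted CA (for example an `ssl.SSLContext` with `verify_mode=CERT_REQUIRED`), and this code only decides whether that already-authenticated client may connect from the address it came from. The client is identified by issuer CN plus serial number rather than by subject CN alone, so two certificates with the same name cannot be confused. The SQLite schema, the table contents and the `getpeercert()`-shaped sample certificates are constructed for the example; the allowed-source entries are stored as addresses or CIDR networks so a client's permitted range can be widened without touching its certificate.

```python
"""Authorize an already-authenticated TLS client against a server-side
allowlist of (certificate identity -> permitted source addresses).

Assumption: chain verification happened in the TLS layer; peercert is the
dict shape returned by ssl.SSLSocket.getpeercert().
"""
import ipaddress
import sqlite3

# Constructed schema: one row per client certificate, many source ranges per client.
SCHEMA = """
CREATE TABLE clients (
    id      INTEGER PRIMARY KEY,
    issuer  TEXT NOT NULL,   -- issuer commonName of the client certificate
    serial  TEXT NOT NULL,   -- serial number, upper-case hex as getpeercert() reports it
    name    TEXT NOT NULL,   -- human-readable name, e.g. the client's FQDN
    enabled INTEGER NOT NULL DEFAULT 1,
    UNIQUE (issuer, serial)
);
CREATE TABLE allowed_sources (
    client_id INTEGER NOT NULL REFERENCES clients(id),
    cidr      TEXT NOT NULL   -- single address or network the client may connect from
);
"""


def open_db():
    """Return an in-memory allowlist populated with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO clients (id, issuer, serial, name, enabled) VALUES (?, ?, ?, ?, ?)",
        [(1, "Example Client CA", "1A2B", "alpha.example.net", 1),
         (2, "Example Client CA", "1A2C", "beta.example.net", 0)],  # beta is disabled
    )
    conn.executemany(
        "INSERT INTO allowed_sources (client_id, cidr) VALUES (?, ?)",
        [(1, "192.0.2.10"), (1, "2001:db8::/32"), (2, "198.51.100.0/24")],
    )
    conn.commit()
    return conn


def _rdn_value(name, attr):
    """Pull one attribute out of a getpeercert()-style RDN sequence."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def cert_identity(peercert):
    """Identify the certificate by (issuer commonName, serial), not by subject CN."""
    issuer = _rdn_value(peercert.get("issuer", ()), "commonName")
    serial = peercert.get("serialNumber")
    if issuer is None or serial is None:
        raise ValueError("certificate lacks issuer commonName or serialNumber")
    return issuer, serial.upper()


def authorize(conn, peercert, peer_ip):
    """Return (allowed, reason) for a verified client connecting from peer_ip."""
    try:
        issuer, serial = cert_identity(peercert)
    except ValueError as exc:
        return False, str(exc)
    row = conn.execute(
        "SELECT id, name, enabled FROM clients WHERE issuer = ? AND serial = ?",
        (issuer, serial),
    ).fetchone()
    if row is None:
        return False, f"unknown certificate {issuer}/{serial}"
    client_id, name, enabled = row
    if not enabled:
        return False, f"client {name} is disabled"

    addr = ipaddress.ip_address(peer_ip)
    # Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d; compare the real v4 address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    for (cidr,) in conn.execute(
        "SELECT cidr FROM allowed_sources WHERE client_id = ?", (client_id,)
    ):
        # A v4 address is never "in" a v6 network and vice versa; no exception is raised.
        if addr in ipaddress.ip_network(cidr, strict=False):
            return True, f"client {name} allowed from {cidr}"
    return False, f"client {name} not allowed from {peer_ip}"


# Constructed sample certificates in getpeercert() shape.
SAMPLE_ALPHA = {
    "subject": ((("commonName", "alpha.example.net"),),),
    "issuer": ((("organizationName", "Example"),), (("commonName", "Example Client CA"),)),
    "serialNumber": "1a2b",
}
SAMPLE_BETA = {
    "subject": ((("commonName", "beta.example.net"),),),
    "issuer": ((("commonName", "Example Client CA"),),),
    "serialNumber": "1A2C",
}

if __name__ == "__main__":
    db = open_db()
    for cert, ip in [(SAMPLE_ALPHA, "192.0.2.10"), (SAMPLE_ALPHA, "::ffff:192.0.2.10"),
                     (SAMPLE_ALPHA, "198.51.100.5"), (SAMPLE_BETA, "198.51.100.5")]:
        print(ip, authorize(db, cert, ip))
```

In a real server the `peercert` argument comes from `sock.getpeercert()` after the handshake and `peer_ip` from `sock.getpeername()[0]`; the decision is made before any application data is read. Keying the table on issuer and serial also gives a natural place to disable a client whose certificate is still within its validity period, which is the `enabled` column above.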