RE: How to identify the other peer in DTLS?

2007-03-07 Thread David Schwartz
> As my security experience is not very broad I think that as you properly
> pointed out I was confused by the security model.

If this is a real-world application, you really need to stop *immediately* and get someone with much more security experience to review what you're doing. If we fix all the p

Re: How to identify the other peer in DTLS?

2007-03-07 Thread Darryl Miles
Victor Duchovni wrote:
> On Wed, Mar 07, 2007 at 03:34:31AM +0100, Vladislav Marinov wrote:
>> This is why I want to extract information about who is the hostname/IP
>> participating in the TLS handshake and compare it to the Common Name
>> field in the certificate.
> This makes no sense, the client could

Re: How to identify the other peer in DTLS?

2007-03-06 Thread Victor Duchovni
On Wed, Mar 07, 2007 at 04:24:34AM +0100, Vladislav Marinov wrote:
> As my security experience is not very broad I think that as you properly
> pointed out I was confused by the security model. From your words I see
> that only client X can present a certificate that belongs to client X.

Client cert

Re: How to identify the other peer in DTLS?

2007-03-06 Thread Vladislav Marinov
Hi again,

As my security experience is not very broad I think that as you properly pointed out I was confused by the security model. From your words I see that only client X can present a certificate that belongs to client X. Why? An X.509 certificate simply ties an identity (DNS name for ex.) to a publ

Re: How to identify the other peer in DTLS?

2007-03-06 Thread Victor Duchovni
On Wed, Mar 07, 2007 at 03:34:31AM +0100, Vladislav Marinov wrote:
> > Unless the server solicited the client connection, and was expecting
> > a connection from a *given* client, it typically makes no sense to tie
> > the client credentials to the client's IP address, rather if you have
> > a cli

Re: How to identify the other peer in DTLS?

2007-03-06 Thread Vladislav Marinov
Victor Duchovni wrote:
> On Wed, Mar 07, 2007 at 02:28:33AM +0100, Vladislav Marinov wrote:
>
>> I am trying to write a client/server application using the OpenSSL
>> support for DTLS and I have a problem with the server validating the
>> certificate of the client.
>>
>
> Unless the serve

Re: How to identify the other peer in DTLS?

2007-03-06 Thread Victor Duchovni
On Wed, Mar 07, 2007 at 02:28:33AM +0100, Vladislav Marinov wrote:
> I am trying to write a client/server application using the OpenSSL
> support for DTLS and I have a problem with the server validating the
> certificate of the client.

Unless the server solicited the client connection, and was ex