Thank you, that makes more sense.

Regards,
Dan

> -----Original Message-----
> From: Lutz Jaenicke [mailto:[EMAIL PROTECTED]
> Sent: 23 July 2003 13:44
> To: [EMAIL PROTECTED]
> Subject: Re: FQDN
>
>
> On Wed, Jul 23, 2003 at 01:28:36PM +0100, Dan Kendall wrote:
> > I'm a newcomer to this crypto business and maybe I'm a little confused... I
> > don't want to hijack this conversation but surely somebody from evil.bar.com
> > could provide a certificate signed by a trusted party for example.foo.com.
> > After all, the certificate is public right? So something else, be it DNS
> > related or otherwise, must be needed to make sure the connection is sound.
> > Is it not common practice to do a test encryption, thereby ensuring the
> > 'other end' has a private key to match the public key in the certificate?
>
> This is an elementary part of the protocol. Your party will send its
> certificate _and_ will cryptographically sign it with the private key.
> Therefore only the holder of the private key will be able to use the
> public key being part of the certificate.
>
> Again: DNS is not secure. Therefore the standards (RFCs) describing
> the use of TLS for certain protocols insist on:
> 1 choose a peer and remember its NAME
> 2 look up the peer in DNS, if required to establish the connection
> 3 perform the TLS handshake and obtain the peer's certificate
> 4 check validity of the certificate (expiry, CA, ...)
> 5 check whether the subject certified is identical to NAME
>
> Point 2 (DNS lookup) is only an auxiliary step required due to the
> network protocol used. It does not have any security implications beyond
> the fact that it is not trustworthy. The security comes from step 5.
>
> Best regards,
>       Lutz
> --
> Lutz Jaenicke                             [EMAIL PROTECTED]
> http://www.aet.TU-Cottbus.DE/personen/jaenicke/
> BTU Cottbus, Allgemeine Elektrotechnik
> Universitaetsplatz 3-4, D-03044 Cottbus
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
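
The name check from step 5 of the list in the quoted message, as an added example that is not part of the original thread and is not OpenSSL code. It applies the RFC 2818 rule (subjectAltName dNSName entries take precedence over the subject commonName) to certificate dicts shaped like the output of Python's `ssl.SSLSocket.getpeercert()`. The function names, sample certificates and IP addresses are constructed, and chain validation (step 4) is assumed to have succeeded already.

```python
# Added example: step 5 of the list above, run over constructed data.
# Certificates are dicts shaped like ssl.SSLSocket.getpeercert() output.

def cert_dns_names(cert):
    """Names the certificate vouches for: SAN dNSName entries, else subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # RFC 2818: when dNSName entries exist, the CN is not used
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def label_match(pattern, name):
    """Case-insensitive compare; '*' is honoured only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    n = name.lower().rstrip(".").split(".")
    if len(p) != len(n) or "" in n:
        return False
    if p[0] == "*" and len(p) > 2:   # simplification: no partial-label wildcards
        return p[1:] == n[1:]
    return p == n

def subject_matches(cert, name):
    """Step 5: compare the certified subject with the NAME chosen in step 1."""
    return any(label_match(pat, name) for pat in cert_dns_names(cert))

def check_peer(name, resolved_ip, cert):
    """resolved_ip (step 2) is accepted but never consulted: DNS is not trusted."""
    return subject_matches(cert, name)

# Constructed certificates, assumed to have already passed steps 3 and 4.
CERT_FOO = {"subject": ((("commonName", "example.foo.com"),),),
            "subjectAltName": (("DNS", "example.foo.com"),)}
CERT_EVIL = {"subject": ((("commonName", "evil.bar.com"),),),
             "subjectAltName": (("DNS", "evil.bar.com"),)}
CERT_MIXED = {"subject": ((("commonName", "example.foo.com"),),),
              "subjectAltName": (("DNS", "evil.bar.com"),)}
CERT_WILD = {"subject": ((("commonName", "*.foo.com"),),)}

if __name__ == "__main__":
    name = "example.foo.com"                     # step 1: the NAME we remember
    for label, ip, cert in [("honest DNS answer", "192.0.2.10", CERT_FOO),
                            ("redirected to another host", "203.0.113.9", CERT_EVIL),
                            ("CN says foo, SAN says bar", "203.0.113.9", CERT_MIXED)]:
        print(f"{label:28} -> accept={check_peer(name, ip, cert)}")
```

A real client should leave this check to its TLS library; in Python, `ssl.create_default_context()` enables it when `server_hostname` is passed to `wrap_socket()`.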