> Please check this url:
> http://developer.netscape.com/docs/manuals/security/sslin/contents.htm
> Server authentication, step 4
> The only difference is that Netscape just checks the domain name.

"Does the domain name in the server's certificate match the domain name of
the server itself? This step confirms that the server is actually located at
the same network address specified by the domain name in the server
certificate. Although step 4 is not technically part of the SSL protocol, it
provides the only protection against a form of security attack known as a
Man-in-the-Middle Attack. Clients must perform this step and must refuse to
authenticate the server or establish a connection if the domain names don't
match. If the server's actual domain name matches the domain name in the
server certificate, the client goes on to Step 5."

        As I suspected, you misunderstood it. This is NOT ABOUT DNS. This is about
confirming that the server's name (the name you think you're talking to)
matches the name in the certificate.

        Suppose I trust 'www.amazon.com'. I try to connect to 'www.amazon.com' and
get 210.3.4.9. I am then given a certificate for 'www.evilhost.com'. I compare the
name of the server I am trying to speak to 'www.amazon.com' to the name in
the certificate 'www.evilhost.com'. If they don't match, I refuse the
connection.

        As Netscape puts it, "does the domain name in the server's certificate"
(www.evilhost.com in my example) "match the domain name of the server
itself" (www.amazon.com in my example). In this case they don't. So the
connection is refused (or, if you prefer, considered to be to/from
'www.evilhost.com' rather than 'www.amazon.com') regardless of what DNS
says.

> Why do I suppose someone can get clients' keys?
> Because in my case, my clients are people without a computer background.
> I'd like to believe they know how to keep their keys.
> But in case keys are compromised, shouldn't we think about any possible
> solution against it?

        I could spend months explaining why this is wrong. But I strongly advise
you that you should take the word of the security experts who advise you
that this argument makes no sense. I would cite as further evidence that you
are in no position to maintain this claim against experts the fact that you
misunderstand the basic machinations of how Netscape's server validation
works.

        I'm not trying to be mean or rude. I'm just trying to stop you from doing
something really, really bad.

        DS


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
