> Hi, a question about the SSL: > > In SSL, the server certificate is checked by the > client as to whether the server actually holds the > private key of it. This is done by client sending the > session key signed by server's public key. > > So, why there is a need for a check of domain name in > the server certificate? Shouldn't the above check be > enough?
Absolutely not. If I type "https://www.paypal.com"; and I get connected to a secure server run by some bad guys, knowing they own the certificate they present to me isn't good enough. I need to make sure the certificate was issued to paypal.com and signed by a certificate authority I trust. Anyone can obtain a certificate and confirm that it is their certificate. If the certificate is signed by a CA I trust, I then know who I am talking to. But knowing I am talking to someone I don't trust, and still sending them my credit card information, would be really stupid. So it is imperative that a web browser verify that the certificate in fact belongs to the organization the person using the web browser wants to talk to. DS ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
