
Re: editorial on Photuris



Charles said:
] True, but to the user neither:
]
] 	Charles.Watt@sware.com
] 	sware.com
] 	ga.gov
]
] nor
] 	CN=Charles Watt, O=SecureWare, C=US
] 	O=SecureWare, C=US
] 	O=Georgia Certificate Authority, C=US
]
] are as effective as a more formatted display.  If you need to reformat
] anyway, what's the difference?
]

Reformatting for UI purposes is not the issue.  If I make a connection to
	www.sware.com
using (e.g.) SSL or PCT, and the certificate comes back and proves I've 
just contacted "O=SecureWare, C=US", have I contacted the correct 
server, or not? I can't determine this automatically in my browser (or 
better yet, in the secure connection layer), and if the user is relied 
upon to decide, then if I'm a spoofer, I'll for sure pick a name that 
is as close as possible to the one I'm spoofing so as to fool users 
into saying that it is the name to which they were trying to connect.

My principle: if you're making a secure connection to a DNS-named 
entity, then the certificate MUST bind its DNS name to its key.  
(Something that can be trivially and algorithmically mapped to a DNS 
name would be OK -- but I've never seen anyone present an X.509 
example, real or hypothetical, where that's true.  One post to this 
list (or pkix -- I forget) showed the DN in a Verisign certificate of a 
real SSL-using web site, and the relation between its DN and its DNS 
name was not even as close as Charles' example above.  The DN named the 
parent corporation of the entity that ran the web site...)
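
The principle above, as an added example that is not part of the original message: a hostname check that decides only from DNS names the certificate binds to the key, and never from the DN. The certificate records are constructed dictionaries, and the `dns_names` field is an assumption standing in for a dNSName-style certificate entry, which the message itself does not mention.

```python
# Constructed certificate records holding only the fields the check needs.
# "subject" is the X.509 DN as attribute pairs; "dns_names" (assumption) lists
# the DNS names the certificate explicitly binds to its key.

def _labels(name):
    """Lower-case a DNS name, drop a trailing dot and split it into labels."""
    return name.rstrip(".").lower().split(".")

def dns_name_matches(pattern, host):
    """Label-by-label match; '*' is allowed only as the whole leftmost label."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        # A wildcard covers exactly one label and needs two fixed labels after it.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def check_peer(cert, host):
    """Return (ok, reason). The DN is reported but never used for the decision."""
    names = cert.get("dns_names", [])
    for name in names:
        if dns_name_matches(name, host):
            return True, f"key is bound to DNS name {name!r}"
    dn = ", ".join(f"{k}={v}" for k, v in cert["subject"])
    if not names:
        return False, f"no DNS name in certificate; DN {dn!r} cannot be mapped to {host!r}"
    return False, f"certificate names {names} do not include {host!r}"

# The DN is taken from the message; the records themselves are constructed.
DN_ONLY = {"subject": [("O", "SecureWare"), ("C", "US")]}
BOUND = {"subject": [("O", "SecureWare"), ("C", "US")],
         "dns_names": ["www.sware.com"]}
# Constructed lookalike: a DN a user might accept, bound to a different host.
LOOKALIKE = {"subject": [("O", "SecureWare Inc"), ("C", "US")],
             "dns_names": ["www.sware.example"]}

if __name__ == "__main__":
    for label, cert in (("DN only", DN_ONLY), ("bound", BOUND),
                        ("lookalike", LOOKALIKE)):
        print(label, check_peer(cert, "www.sware.com"))
```

The DN-only record is rejected without consulting the user, which is the case the message describes: nothing in "O=SecureWare, C=US" maps algorithmically to www.sware.com.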



