Re: editorial on Photuris
>My principle: if you're making a secure connection to a DNS-named
>entity, then the certificate MUST bind its DNS name to its key.
>(Something that can be trivially and algorithmically mapped to a DNS
>name would be OK -- but I've never seen anyone present an X.509
>example, real or hypothetical, where that's true. One post to this
>list (or pkix -- I forget) showed the DN in a Verisign certificate of a
>real SSL-using web site, and the relation between its DN and its DNS
>name was not even as close as Charles' example above. The DN named the
>parent corporation of the entity that ran the web site...)
As a point of information, RFC-1279 ("X.500 and Domains", written
by Steve Kille in November 1991) defined just such a mapping, based on
DomainComponent attributes to be incorporated in X.500 DNs. The
ability to map between the name requested/displayed and the name
as certified is critical; the choice of whether the certificate
encoding is or isn't X.509 isn't fundamental.
--jl
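To make the DomainComponent mapping concrete, here is an added illustration (not code from this post, nor from RFC 1279 itself) that builds a DC-based DN from a DNS name and checks whether the DC components of a subject DN map back to the host the client asked for. It assumes the LDAP string form of DNs (most specific RDN first, commas in values escaped with a backslash) and deliberately ignores CN and subjectAltName, since the point at issue is an algorithmic mapping rather than free-text name fields.

```python
"""Map DNS names to DC-based DNs and back, and test whether a certificate
subject DN binds a requested DNS name through its DC components.
Added example; the DN string syntax used is an assumption (LDAP style)."""
import re
from typing import List, Optional, Tuple


def dns_to_dn(hostname: str) -> str:
    """'www.example.com' -> 'DC=www,DC=example,DC=com' (most specific first)."""
    labels = [l for l in hostname.strip().rstrip(".").lower().split(".") if l]
    if not labels:
        raise ValueError("empty DNS name")
    return ",".join(f"DC={label}" for label in labels)


def split_rdns(dn: str) -> List[Tuple[str, str]]:
    """Split a DN string into (attribute-type, value) pairs.
    Commas escaped as '\\,' stay inside the value; multi-valued RDNs ('+')
    are not handled by this simplified parser."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().lower(), value.replace("\\,", ",").strip()))
    return rdns


def dn_to_dns(dn: str) -> Optional[str]:
    """Recover the DNS name carried by the DC attributes of a DN,
    or None when the DN carries no DC components at all."""
    labels = [value.lower() for attr, value in split_rdns(dn) if attr == "dc"]
    return ".".join(labels) if labels else None


def dn_binds_dns_name(subject_dn: str, requested_host: str) -> bool:
    """True only if the certified DN maps algorithmically to the requested
    host; a DN naming, say, a parent corporation yields False."""
    certified = dn_to_dns(subject_dn)
    return certified is not None and certified == requested_host.lower().rstrip(".")
```

A DN such as `O=Parent Corp\, Inc.,C=US` carries no DC components, so the check fails for it exactly as the quoted principle says it should.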