
Re: editorial on Photuris

>My principle: if you're making a secure connection to a DNS-named 
>entity, then the certificate MUST bind its DNS name to its key.  
>(Something that can be trivially and algorithmically mapped to a DNS 
>name would be OK -- but I've never seen anyone present an X.509 
>example, real or hypothetical, where that's true.  One post to this 
>list (or pkix -- I forget) showed the DN in a Verisign certificate of a 
>real SSL-using web site, and the relation between its DN and its DNS 
>name was not even as close as Charles' example above.  The DN named the 
>parent corporation of the entity that ran the web site...)

As a point of information, RFC-1279 ("X.500 and Domains", written
by Steve Kille in November 1991) defined just such a mapping, based on
DomainComponent attributes to be incorporated in X.500 DNs.  The 
ability to map between the name requested/displayed and the name
as certified is critical; the choice of whether the certificate
encoding is or isn't X.509 isn't fundamental.   

--jl
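Added example, not part of this message or the list archive: a small Python rendering of the idea the reply points to, one DomainComponent (DC) RDN per DNS label, with the inverse mapping and the "does this subject bind the name I asked for" check that the quoted principle calls for. The leaf-first string form (`DC=www,DC=example,DC=com`), the helper names and the sample subjects are this example's own assumptions; the subjects are constructed placeholders, not real certificates. The second sample subject illustrates the complaint in the quoted text: a DN that only names a parent corporation carries no DC attributes, so no algorithmic DNS mapping exists and the binding check fails.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample subjects (placeholders, not real certificates).
SUBJECT_DC = "CN=Example Web Server,DC=www,DC=example,DC=com"   # DC chain present
SUBJECT_ORG = "CN=Example Web Site,O=Parent Corporation Inc.,C=US"  # no DC at all
SUBJECT_ESC = "CN=a\\,b,DC=example,DC=com"                        # escaped comma in CN


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a string DN into (type, value) RDN pairs.

    Commas escaped as '\\,' inside a value are honoured; multi-valued
    RDNs joined with '+' are not handled, which is enough for the
    CN/O/C/DC style subjects this example deals with.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.replace("\\,", ",").strip()))
    return rdns


def dns_to_dn(hostname: str) -> str:
    """Map a DNS name to a DC-based DN, one DomainComponent per label.

    Rendered leaf-first here ('DC=www,DC=example,DC=com'); a trailing
    dot and upper-case letters are normalised away first.
    """
    labels = [lbl for lbl in hostname.lower().rstrip(".").split(".") if lbl]
    if not labels:
        raise ValueError("empty DNS name")
    if any(not re.fullmatch(r"[a-z0-9-]+", lbl) for lbl in labels):
        raise ValueError("label is not a valid hostname label")
    return ",".join(f"DC={lbl}" for lbl in labels)


def dns_from_dn(dn: str) -> Optional[str]:
    """Inverse mapping: reassemble the DC components, in order, into a
    DNS name.  Returns None when the DN has no DC attribute, i.e. when
    no algorithmic mapping to a DNS name exists (the 'O=Parent Corp' case).
    """
    labels = [v.lower() for t, v in parse_dn(dn) if t == "DC"]
    return ".".join(labels) if labels else None


def dn_binds_host(dn: str, requested_host: str) -> bool:
    """Does the certificate subject bind the DNS name the client asked for?

    The comparison is exact after normalisation: a DC chain for
    'example.com' does not cover 'www.example.com', nor the reverse.
    """
    mapped = dns_from_dn(dn)
    if mapped is None:
        return False
    return mapped == requested_host.lower().rstrip(".")


if __name__ == "__main__":
    for subject in (SUBJECT_DC, SUBJECT_ORG, SUBJECT_ESC):
        print(f"{subject!r:60} -> {dns_from_dn(subject)!r}, "
              f"binds www.example.com: {dn_binds_host(subject, 'www.example.com')}")
```

Run stand-alone, the script shows the DC-bearing subject mapping back to `www.example.com`, the organisation-only subject mapping to nothing, and the escaped-comma subject parsing cleanly while still failing the binding check because its DC chain names `example.com`, not the host that was requested.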
