
Re: SSL v IPSEC for management?



Michael H. Warfield said:
> 	The client shouldn't have to trust the server.  The server presents
> a certificate which, presumably, has some information which indelibly
> links that certificate to the server.  In the case of web servers, that's
> generally the common name in the certificate matching the server name
> you are contacting.  This does rely on information in the DNS being
> accurate.  My server, www.wittsend.com, presents a certificate claiming
> to be www.wittsend.com and DNS lookup on www.wittsend.com confirms this.

I agree with everything you say except the part about DNS.

A good SSL (or anything else, for that matter) implementation should not
rely on DNS resolution.  The DNS lookup of the address is necessary so
that the IP layer can know where it is connecting to, but the SSL layer
should be comparing the name as typed in by the user with the name as
presented in the certificate, not a name which has undergone forward or
reverse or any other form of DNS.

This can pose some issues; if instead of trying to connect to www.wittsend.com
I instead type in the IP address it happens to resolve to, then I'll be
unable to know whether I connected to the right place unless either the
certificate contains the IP address as well as the name, or I choose to
trust reverse DNS.  The easiest solution is "don't do that."

- Marc

-- 
Marc VanHeyningen                 marcvh@aventail.com
Internet Security Architect
Aventail                          http://www.aventail.com/
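
The comparison described in the message above, as an added example that is not part of the original post: the name exactly as the user typed it is checked against the names in the certificate, with no forward or reverse DNS lookup, and a typed IP address only verifies when the certificate lists that address. The function names are hypothetical, the certificate dicts are constructed in the shape returned by Python's ssl.SSLSocket.getpeercert(), and 192.0.2.10 is a documentation address.

```python
import ipaddress

# Constructed samples in the dict shape returned by ssl.SSLSocket.getpeercert().
# 192.0.2.10 is a documentation address, not the real host's address.
CERT_NAME_ONLY = {
    "subject": ((("commonName", "www.wittsend.com"),),),
    "subjectAltName": (("DNS", "www.wittsend.com"),),
}
CERT_NAME_AND_IP = {
    "subject": ((("commonName", "www.wittsend.com"),),),
    "subjectAltName": (("DNS", "www.wittsend.com"), ("IP Address", "192.0.2.10")),
}


def _dns_match(pattern, host):
    """Case-insensitive match; '*' is allowed only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2 and h[0]:
        p, h = p[1:], h[1:]
    return p == h


def reference_id_matches(cert, typed):
    """Compare what the user typed with the certificate. No DNS lookup is made."""
    sans = cert.get("subjectAltName", ())
    try:
        typed_ip = ipaddress.ip_address(typed)
    except ValueError:
        typed_ip = None
    if typed_ip is not None:
        # An address literal is verifiable only if the certificate lists it.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == typed_ip
                   for kind, value in sans)
    dns_names = [value for kind, value in sans if kind == "DNS"]
    if not dns_names:
        # Fall back to the common name, as the thread describes for web servers.
        dns_names = [value for rdn in cert.get("subject", ())
                     for kind, value in rdn if kind == "commonName"]
    return any(_dns_match(name, typed) for name in dns_names)
```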




