On Sat, 25 Oct 2008, Alessandro Vesely wrote: > > Perhaps some black magic stems from associating certificate validation with > authority acceptance.
In what way? If you don't accept a certificate's authority then you can't validate it. I don't see what's complicated about it, other than the choice of which authorities to trust (though that problem is easily ignored). > It is also a non-TLS specific problem, but it may be helpful to clarify > the relationship between DNS hierarchical delegations and CA chains. There is none. > To wit, if a CA certificate were assigned along with each domain > delegation then we would need no black magic. RFC 4398. > BTW, why don't we write the IP number on our server certificates? The point of the certificate is to authenticate the name that the user typed in. If you don't authenticate the right thing then you will fail to detect attacks, for example, if an attack on the DNS produces a bogus name -> IP addres translation and the attacker has a valid certificate for that IP address. The same problem applies to the MX mail domain -> hostname mapping, where TLS is insecure because authenticates the target not the source. Tony. -- f.anthony.n.finch <[EMAIL PROTECTED]> http://dotat.at/ NORTH UTSIRE SOUTH UTSIRE: WESTERLY VEERING NORTHWESTERLY 5 TO 7. ROUGH OR VERY ROUGH. SQUALLY WINTRY SHOWERS. MODERATE OR GOOD, OCCASIONALLY POOR.
