From: "RL 'Bob' Morgan" <[EMAIL PROTECTED]>

rlmorgan> There is also the delicate question of exactly what name the
rlmorgan> app hands to the check algorithm as the target host name.
rlmorgan> The text below is unambiguous that it must be "what the user
rlmorgan> typed", not the canonical host name as determined via DNS.
rlmorgan> This avoids DNS spoofing but raises some serious deployment
rlmorgan> problems, in particular if a host has lots of aliases.

Hmm?  Didn't you just contradict yourself there?  Say that the user
typed in "http://www.foo.com/".  www.foo.com is itself a CNAME record
with the value "foo.com".  Should the certificate have a subjectAltName
containing "www.foo.com" or "foo.com"?

For some reason, this is still debated a little here and there...

Anyway, for putting the check code in OpenSSL: as the code is
currently structured, I hardly see a place where this should be.  We
can hardly make it a mandatory thing that is made automagically, since
as you say, the requirements will vary between applications.  However,
perhaps in some kind of utility library...  worth pondering.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
Redakteur@Stacken   \      SWEDEN       \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis             -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
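The name-handling question raised in the thread (hand the check the host as the user typed it, never the DNS-resolved CNAME target), worked through as an added example that is not code from this thread or from OpenSSL. Certificates are constructed inline in the shape Python's ssl.getpeercert() returns; the function names are mine.

```python
from urllib.parse import urlsplit

# Added example (not from the thread or OpenSSL): hostname check that
# receives the typed name only.  Certificate dicts below are constructed.

def typed_hostname(url):
    """Return the host exactly as the user typed it in the URL, lower-cased.
    No DNS lookup happens here, so a CNAME target never reaches the check."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("URL carries no host: %r" % url)
    return host.lower().rstrip(".")

def dns_name_matches(pattern, host):
    """Match one dNSName entry against the host.  A single leftmost '*'
    label matches exactly one label: '*.foo.com' matches 'www.foo.com'
    but neither 'foo.com' nor 'a.b.foo.com'."""
    pattern = pattern.lower().rstrip(".")
    labels = pattern.split(".")
    if labels[0] == "*" and len(labels) > 1:
        hlabels = host.split(".")
        return len(hlabels) == len(labels) and hlabels[1:] == labels[1:]
    return pattern == host

def check_hostname(cert, host):
    """True when the certificate is valid for 'host'.  dNSName entries in
    subjectAltName are authoritative; the subject commonName is consulted
    only when the certificate carries no dNSName at all."""
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_names:
        return any(dns_name_matches(p, host) for p in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return dns_name_matches(value, host)
    return False

# Constructed certificates for the CNAME case from the thread: www.foo.com
# is a CNAME for foo.com, but the user typed www.foo.com.
CERT_FOO = {"subjectAltName": (("DNS", "foo.com"),)}
CERT_BOTH = {"subjectAltName": (("DNS", "foo.com"), ("DNS", "www.foo.com"))}
CERT_WILDCARD = {"subjectAltName": (("DNS", "*.foo.com"),)}

if __name__ == "__main__":
    host = typed_hostname("http://www.foo.com/")
    for label, cert in [("foo.com only", CERT_FOO), ("both names", CERT_BOTH),
                        ("wildcard", CERT_WILDCARD)]:
        print(label, "->", check_hostname(cert, host))
```

A certificate naming only "foo.com" fails for the typed "www.foo.com", which is exactly why a host with many aliases needs each alias (or a wildcard) in subjectAltName.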
