First off - I am new to this and I'm learning. I do not claim to know very much about it and asked the question in openssl-dev because it seemed to me that if the DNS is hijacked that the transaction can be masqueraded.

I did a test with Netscape 4.07. This browser is not terribly old. I created a cert with the host name known as www.evilempire.com and Netscape was quite happy to accept it and never reported that the URL I typed in does not match the name carried within the cert. However - it did warn me all over the place that I was accepting a cert from an known CA. It properly displayed the identification information but NOT the recorded host name.

Perhaps this works differently in a proper cert issued by, say, Verisign. I do know that they put the host name in the CommonName field of the cert. It is just that in my test I was quite surprised that Netscape did not tell me that there is a mismatch. So I may well have come to an improper conclusion.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
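
The check the post expected from the browser, comparing the host name in the typed URL with the name carried in the certificate, as an added example (not code from the original post, Netscape or OpenSSL). The certificate dicts follow the shape of Python's `ssl.SSLSocket.getpeercert()`; the function names and the hosts `www.example.com` and `shop.example.com` are assumptions made for illustration.

```python
# Added example. Certificates are dicts in the shape returned by
# ssl.SSLSocket.getpeercert(); both samples below are constructed.

def cert_names(cert):
    """DNS names the certificate asserts: subjectAltName, else commonName."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # with SAN DNS entries present, CN is ignored (RFC 6125)
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def name_matches(pattern, host):
    """Compare one certificate name with the requested host, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # wildcard only as the whole left-most label, never "*.com"
        return len(p) >= 3 and p[1:] == h[1:]
    return "*" not in pattern and p == h

def verify_host(cert, requested_host):
    """Return (ok, names): ok is True only if some asserted name matches."""
    names = cert_names(cert)
    return any(name_matches(n, requested_host) for n in names), names

# Constructed: a certificate like the one in the post, CN only.
CN_ONLY_CERT = {"subject": ((("commonName", "www.evilempire.com"),),)}
# Constructed: same CN, but a SAN entry that takes precedence over it.
SAN_CERT = {"subject": ((("commonName", "www.evilempire.com"),),),
            "subjectAltName": (("DNS", "shop.example.com"),)}

if __name__ == "__main__":
    # www.example.com stands in for the URL the user typed (assumption).
    for cert, host in [(CN_ONLY_CERT, "www.example.com"),
                       (CN_ONLY_CERT, "www.evilempire.com"),
                       (SAN_CERT, "www.evilempire.com")]:
        ok, names = verify_host(cert, host)
        print(f"{host}: {'match' if ok else 'MISMATCH'} (cert names: {names})")
```

A client that performs this comparison and aborts on a mismatch rejects the certificate from the test above whenever the URL names a different host, regardless of which CA signed it.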