David Schwartz wrote:
For example, if you try to connect to 'www.amazon.com' and the resolver resolvers this to '72.21.206.5', you want to get a certificate for 'www.amazon.com'. A certificate for '72.21.206.5' would not prove to the user that he reached 'www.amazon.com' because an attacker could redirect the DNS.Verifying that you got the "right certificate" as opposed to a valid certificate is outside the scope of what the SSL layer can do.
The key issue (pun intended) is possession of the associated private key for the identity bound to the public key in the cert. If the party possesses it, they may be presumed (modulo key revocation, etc.) to be the party indicated in the certificate -- no one else can perform a successful SSL handshake. Whether you like IP addresses or FQDNs is irrelevant. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [email protected] Automated List Manager [EMAIL PROTECTED]
