Re: SSL certificate modification
From: Anne & Lynn Wheeler (lynn@garlic.com)
Date: 10/10/02
From: Anne & Lynn Wheeler <lynn@garlic.com> Date: Thu, 10 Oct 2002 13:55:01 GMT
Henrick Hellström <henrick.hellstrm@telia.com> writes:
> It is possible that ordinary web browsers will only verify the URI. I
> don't know. Other kinds of software would probably verify the IP
> address if present. If the client has access to a secure and trusted
> name server more fields could be verified.
or eliminate the certificate altogether. a primary reason for the
existence of SSL server domain certificates is concerns about the
integrity of the domain name infrastructure (correctly serving up
name->ip-address). The browser connects to a server (after getting
the URI->ip-address translation) and then checks that server correctly
possesses a certificate for the URI.

an issue is that certification authorities that issue SSL domain name
server certificates have to check with the authoritative agency for
domain names ... when they get an application for certification. Their
problem is that the authoritative agency for domain names is the
domain name infrastructure .... the very same domain name
infrastructure with integrity issues that gave rise to the
justification for certificates in the first place.

some of the enhancements to the domain name infrastructure (to improve
its integrity) needed by certification authorities (so they can trust
the certified information) include things like the owner of a domain
name registering their public key at the same time they register the
domain name.

in any case, enhancements to the domain name infrastructure to improve
the integrity and trust (for purposes of the certification authority
market) also go a long way to improving the integrity and trust for
everybody. Improving the integrity and trust of the domain name
infrastructure for everybody also negates much of the requirement for
needing SSL domain name server certificates (sort of a catch-22, isn't
it).

Furthermore, one of the solutions from the certification authorities
to have public keys registered as part of domain name registration
means that a trusted domain name infrastructure can serve up trusted
public keys in the same way that they would serve up trusted
ip-addresses.

The implementation of domain name infrastructure already supports
serving up arbitrary information, not just domain names ->
ip-addresses. Such an infrastructure would result in near real-time
trusted public keys bound to domain names (as well as any other
information that might be of interest) as opposed to the method of
stale trusted information implemented by (the now superfluous and
redundant) SSL domain name server certificates.

random refs:
http://www.garlic.com/~lynn/subtopic.html#sslcerts
-- Anne & Lynn Wheeler | lynn@garlic.com - http://www.garlic.com/~lynn/
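
Added example, not part of the original post: a sketch of the check a client could make if the name infrastructure served up the domain's public key, using the TLSA record layout later standardized in RFC 6698 (DANE) as one realization of the idea. The key bytes, the `example.com` name and the in-memory `zone` are constructed, and the lookup is assumed to come from a trusted (validated) name server.

```python
import hashlib
import hmac

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo bytes (not real keys).
OLD_KEY = b"constructed-spki-old-key"
NEW_KEY = b"constructed-spki-new-key"
NAME = "_443._tcp.www.example.com."  # TLSA owner name for HTTPS on a sample host

def parse_tlsa(rdata):
    """Split presentation-format rdata: 'usage selector matching-type hex...'."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("need usage, selector, matching type and data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    return usage, selector, mtype, bytes.fromhex("".join(parts[3:]))

def key_matches(rdata, presented_spki):
    """Compare the key the server presented with the DNS-published record."""
    _usage, selector, mtype, data = parse_tlsa(rdata)
    if selector != 1:  # 1 = bare public key; 0 (full certificate) is out of scope
        raise ValueError("example handles only selector 1")
    if mtype == 0:
        candidate = presented_spki
    elif mtype == 1:
        candidate = hashlib.sha256(presented_spki).digest()
    elif mtype == 2:
        candidate = hashlib.sha512(presented_spki).digest()
    else:
        raise ValueError("unknown matching type %d" % mtype)
    return hmac.compare_digest(candidate, data)

def publish(spki):
    """Record a domain owner would register: usage 3, selector 1, SHA-256."""
    return "3 1 1 " + hashlib.sha256(spki).hexdigest()

def rotation_demo():
    # Assumption: the dict stands in for answers from a trusted (validated) resolver.
    zone = {NAME: publish(OLD_KEY)}
    before = key_matches(zone[NAME], OLD_KEY)
    zone[NAME] = publish(NEW_KEY)  # owner replaces the key; no reissue or revocation step
    old_after = key_matches(zone[NAME], OLD_KEY)
    new_after = key_matches(zone[NAME], NEW_KEY)
    return before, old_after, new_after

if __name__ == "__main__":
    print(rotation_demo())
```

The old key stops matching as soon as the published record changes, which is the contrast with a certificate that stays valid until it expires or is revoked; resolver caching (record TTL) is ignored here.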