On Sat, 30 Sep 1995, Don Stephenson wrote:
I don't think binding hostnames to certificates helps much because both hostnames and IP addresses can be spoofed and DNS servers can be subverted. The important thing is the binding to the "service" name or
In this particular case, hostnames do help, because they are information imbedded in the url used to access the server. By verifying the hostname in the certificate with the hostname in the url, you can state with a high degree of confidence that the object retrieved is precisely the desired object covered by this url.
Well of course, if the secret key of the server (or worse yet, certificate authority) is compromised, all bets are off. That's true of just about any protocol you can dream up.
I'm not referring to the secret key of _the_ server; I'm referring to the secret key of _ANY_ server. In the limiting case, such a key can be obtained by buying one from the CA. Simon